From: Odhiambo Washington
Date: Sat, 26 Aug 2017 13:19:32 +0300
Subject: Re: How to block facebook access
To: Adam Vande More
Cc: Ernie Luzar, "freebsd-questions@freebsd.org"

On 23 August 2017 at 03:08, Adam Vande More wrote:

> On Sat, Aug 19, 2017 at 1:20 PM, Ernie Luzar wrote:
>
> > Hello list;
> >
> > Running 11.1 & ipfilter with LAN behind the gateway server. LAN users are
> > using their work PC's to access facebook during work.
> >
> > What method would you recommend to block all facebook access?
> >
>
> Personally I would set up a transparent proxy, e.g. squid, and block it using
> that. DNS solutions are too fragile and something like squid can generate
> comprehensive reports.
>
> --
> Adam
>

In line with the KISS (Keep It Simple Stupid) principle, I beg to differ with you!

Using Squid in transparent mode is not the easiest way to block HTTPS traffic. Think about setting up ssl_bump and all those certificates you have to import on all the computers so that the cert is 'trusted', and the pain you have to go through with the different browsers. I have been there and found it too much complex work.

I use dnsmasq+PF+BIND+DHCP (or unbound) to achieve this, but only that I have to exempt some users from the blockage.
If it was a blanket block, the unbound REFUSE option is dandy - K.I.S.S - as detailed by Frank Shute.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
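
The following is an added example, not part of the message above and not the poster's own configuration: one way to express the unbound "refuse" block with per-host exemptions, using unbound views. The LAN addressing, the view names and the domain list are assumptions made up for illustration, and the domain list is not complete.

```conf
# unbound.conf fragment (added example; addresses and view names are constructed)
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow

    # Default for the whole LAN: answer through the blocking view.
    access-control-view: 192.168.1.0/24 "blocked"
    # Exempt hosts (e.g. fixed DHCP leases): the more specific netblock is used.
    access-control-view: 192.168.1.10/32 "exempt"
    access-control-view: 192.168.1.11/32 "exempt"

view:
    name: "blocked"
    # refuse: queries for the zone and every name under it get rcode REFUSED.
    local-zone: "facebook.com." refuse
    local-zone: "fbcdn.net." refuse
    local-zone: "fb.com." refuse

view:
    name: "exempt"
    # transparent: no local data is configured, so these names resolve normally.
    local-zone: "facebook.com." transparent
    local-zone: "fbcdn.net." transparent
    local-zone: "fb.com." transparent
```

Run unbound-checkconf on the file before reloading. The block only applies to clients that actually query this resolver, so the firewall has to restrict outbound DNS from the LAN to other resolvers for it to hold.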