Date: Sun, 20 Aug 2017 13:17:55 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: How to block facebook access
Message-ID: <a17ef24e-2d00-1fbd-9839-c007002222ac@FreeBSD.org>
In-Reply-To: <20170820134409.825ed388.freebsd@edvax.de>
References: <59988180.7020301@gmail.com> <c651aba9-8e5b-b193-1808-cef5b900cf27@tysdomain.com> <5998A270.9070907@gmail.com> <20170819225659.56c11983.freebsd@edvax.de> <599972E0.8080203@gmail.com> <20170820134409.825ed388.freebsd@edvax.de>

On 20/08/2017 12:44, Polytropon wrote:
>>> On the IP level, you can maintain a list of IPs to block. And
>>> you could use resolver modification to do this for you, for
>>> example when the IP for a certain Facebook service or page
>>> changes, using the resolver its new IP will be added to the
>>> block list. With this approach, you can block using both
>>> numeric IPs and domain name strings (which of course resolve
>>> to IPs, too).
>> I am unfamiliar with the "resolver modification" you speak of.
>> Is this a function in ipfilter firewall?
>> Where and how is this done?
> It's a term I probably invented because I don't know the correct
> name - if it even has a specific name. :-)

The term you're probably looking for is 'RPZ' (Response Policy Zone) -- this is an extension that allows you to override what your recursive resolver will return for certain zones:

http://www.zytrax.com/books/dns/ch7/rpz.html

Effectively you can load a special zone file full of domains you want to return other than the standard response for. These zones can be AXFR'd between a cluster of resolvers for ease of administration.

Implemented in bind -- this isn't an IETF specification, so may not be available in other brands of nameserver, or if it is, may not interoperate very well between different DNS software packages.

	Cheers,

	Matthew
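
An RPZ zone of the kind the message above describes, as an added example that is not part of the original e-mail: a small generator that turns a domain blocklist into BIND zone-file text, plus a matcher showing that a wildcard record alone does not cover the parent name. The zone name `rpz.local`, the `localhost.` SOA/NS values, the function names and the sample domains are assumptions.

```python
# Added example: build a BIND RPZ zone from a domain blocklist.
# Assumed names: zone "rpz.local", localhost SOA/NS, constructed sample domains.
import re
import time

LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

def normalise(domain):
    """Lower-case, drop a trailing dot and any leading '*.', validate labels."""
    name = domain.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        raise ValueError(f"not a usable domain name: {domain!r}")
    return name

def rpz_zone(domains, serial=None):
    """Zone-file text answering NXDOMAIN for each domain and its subdomains."""
    serial = serial or int(time.strftime("%Y%m%d00"))
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. ({serial} 3600 600 86400 300)",
        "@ IN NS localhost.",
    ]
    for name in sorted({normalise(d) for d in domains}):
        # Owner names are relative to the policy zone: no trailing dot.
        lines.append(f"{name} IN CNAME .")    # the name itself -> NXDOMAIN
        lines.append(f"*.{name} IN CNAME .")  # every subdomain -> NXDOMAIN
    return "\n".join(lines) + "\n"

def policy_matches(zone_text, qname):
    """Would qname trigger a record in this zone? Exact owner, then wildcards."""
    owners = {l.split()[0] for l in zone_text.splitlines() if " CNAME " in l}
    q = qname.lower().rstrip(".")
    if q in owners:
        return True
    labels = q.split(".")
    return any("*." + ".".join(labels[i:]) in owners
               for i in range(1, len(labels)))

# named.conf side (BIND), with the assumed zone name:
#   options { response-policy { zone "rpz.local"; }; };
#   zone "rpz.local" { type master; file "rpz.local.zone";
#                      allow-query { none; }; };

if __name__ == "__main__":
    print(rpz_zone(["Facebook.com.", "*.fbcdn.net"]), end="")
```

`CNAME .` is the RPZ action for NXDOMAIN; after loading the zone, querying the resolver for a listed name with `dig` should come back NXDOMAIN, while unlisted names resolve normally.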