From: Matthew Seaman
Date: Sun, 20 Aug 2017 13:17:55 +0100
To: freebsd-questions@freebsd.org
Subject: Re: How to block facebook access

On 20/08/2017 12:44, Polytropon wrote:
>>> On the IP level, you can maintain a list of IPs to block. And
>>> you could use resolver modification to do this for you, for
>>> example when the IP for a certain Facebook service or page
>>> changes, using the resolver its new IP will be added to the
>>> block list. With this approach, you can block using both
>>> numeric IPs and domain name strings (which of course resolve
>>> to IPs, too).

>> I am unfamiliar with the "resolver modification" you speak of.
>> Is this a function in ipfilter firewall?
>> Where and how is this done?

> It's a term I probably invented because I don't know the correct
> name - if it even has a specific name. :-)

The term you're probably looking for is 'RPZ' (Response Policy Zone) --
this is an extension that allows you to override what your recursive
resolver will return for certain zones:

http://www.zytrax.com/books/dns/ch7/rpz.html

Effectively you can load a special zone file full of domains you want to
return other than the standard response for. These zones can be AXFR'd
between a cluster of resolvers for ease of administration.

Implemented in bind -- this isn't an IETF specification, so may not be
available in other brands of nameserver, or if it is, may not
interoperate very well between different DNS software packages.

	Cheers,

	Matthew
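
A sketch of the "special zone file full of domains" described in the message above, generated from a block list. This is an added example, not part of the original message; the policy zone name rpz.example.internal, its file name and the sample domains are assumptions.

```python
"""Generate a BIND RPZ zone file from a list of domains to block.

Assumed names (not from the original message): the policy zone
rpz.example.internal and its file name. named.conf needs, for example:

    options { response-policy { zone "rpz.example.internal"; }; };
    zone "rpz.example.internal" {
        type master; file "rpz.example.internal.db"; allow-query { none; };
    };
"""
import re
import time

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalise(name):
    """Return the lower-cased name without trailing dot, or None if invalid."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    return name if all(LABEL.fullmatch(l) for l in labels) else None


def build_rpz(domains, serial=None, ttl=300):
    """Return zone text answering NXDOMAIN for each domain and its subdomains."""
    serial = serial or int(time.strftime("%Y%m%d01"))
    names = sorted({n for n in map(normalise, domains) if n})
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 600 86400 {ttl})",
        "@ IN NS localhost.",
    ]
    for n in names:
        # Owner names are relative to the policy zone, so no trailing dot.
        # "CNAME ." is the RPZ encoding of an NXDOMAIN answer.
        lines.append(f"{n} IN CNAME .")    # the domain itself
        lines.append(f"*.{n} IN CNAME .")  # every name beneath it
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: duplicate, trailing dot and an invalid entry.
    sample = ["Facebook.com.", "facebook.com", "bad domain", "example.org"]
    print(build_rpz(sample, serial=2017082001))
```

The generated file can be checked with named-checkzone before the resolver reloads the policy zone.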