From: Polytropon
To: Ernie Luzar
Date: Sat, 19 Aug 2017 22:56:59 +0200
Subject: Re: How to block facebook access

On Sat, 19 Aug 2017 16:41:20 -0400, Ernie Luzar wrote:
> >
> > On 8/19/2017 2:20 PM, Ernie Luzar wrote:
> >> Hello list;
> >>
> >> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
> >> are using their work PC's to access facebook during work.
> >>
> >> What method would you recommend to block all facebook access?
> >>
> >
> Littlefield, Tyler wrote:
> > make your proxy just blacklist facebook.com and m.facebook.com?
> > Blocking it will just let them view it on their phones though, so
> > you're looking at a different issue altogether.
>
> Already blocking 15 facebook login ip addresses which can be added to or
> changed by FB anytime.

Yes, that is one of the core problems: You do not have control
over Facebook's network configuration. :-)

On the IP level, you can maintain a list of IPs to block. And
you could use resolver modification to do this for you, for
example when the IP for a certain Facebook service or page
changes, using the resolver its new IP will be added to the
block list. With this approach, you can block using both
numeric IPs and domain name strings (which of course resolve
to IPs, too).

Maybe it would be a lot easier if you could just switch to
whitelisting - define the IPs _allowed_ for the users. This
will surely introduce new problems like "I cannot access a
web site which I need for work, please verify and whitelist",
which is something you cannot fully automate.

> On the company floor we have a cell phone signal jammer, so employees
> are forced to leave building to use their cell phones which make them
> show up on security video. Since we started that last January, people
> just turn off their cell phones at work.

Do you have some specific workplace policy that explicitly
prohibits the use of non-work related web pages? In that case,
determine which user actually accesses Facebook and then send
them a "friendly reminder" to act according to the rules to
which they agreed, or else.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
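
An added example, not part of the original message: one way to keep the resolver-driven block list described above, merging newly resolved addresses into the existing list and rendering ipfilter rules. The interface name `em1`, the helper names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket

# Assumptions, not from the mail: the LAN-side interface name. The two names
# are the ones mentioned in the thread.
LAN_IF = "em1"
DOMAINS = ["facebook.com", "m.facebook.com"]


def system_resolve(name):
    """Return every address the local resolver currently gives for name."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()  # failed lookup adds nothing and removes nothing
    return {info[4][0] for info in infos}


def refresh_blocklist(known, domains=DOMAINS, resolve=system_resolve):
    """Merge freshly resolved addresses into the existing block list.

    Addresses are only ever added: one that dropped out of today's DNS
    answer may still serve the site, so it stays blocked.
    """
    merged = {ipaddress.ip_address(a) for a in known}
    for name in domains:
        merged.update(ipaddress.ip_address(a) for a in resolve(name))
    return sorted(merged, key=lambda ip: (ip.version, int(ip)))


def ipf_rules(addresses, lan_if=LAN_IF):
    """Render one ipfilter block rule per address (IPv4 first, then IPv6)."""
    rules = []
    for ip in addresses:
        bits = 32 if ip.version == 4 else 128
        rules.append(f"block in quick on {lan_if} from any to {ip}/{bits}")
    return rules


if __name__ == "__main__":
    # Constructed sample data: documentation-range addresses, not Facebook's.
    fake_dns = {"facebook.com": {"192.0.2.10", "2001:db8::10"},
                "m.facebook.com": {"192.0.2.10", "198.51.100.7"}}
    current = refresh_blocklist(["203.0.113.5"],
                                resolve=lambda n: fake_dns.get(n, set()))
    print("\n".join(ipf_rules(current)))
```

The list only covers addresses the gateway's own resolver has seen, so a client that receives a different DNS answer can still reach an address that is not yet listed.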