From owner-freebsd-pf@FreeBSD.ORG Mon May 2 15:40:13 2011
From: Kevin Wilcox
To: Zhu Sha Zang
Cc: freebsd-pf@freebsd.org
Date: Mon, 2 May 2011 11:09:49 -0400
Subject: Re: blocking facebook
In-Reply-To: <4DBEC293.1010607@yahoo.com.br>
References: <4DBEC293.1010607@yahoo.com.br>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On Mon, May 2, 2011 at 10:41, Zhu Sha Zang wrote:
> I'm trying to block facebook access only using PF in FreeBSD 8.2.
>
> But putting the name or the IP returned with the command host
> www.facebook.com I can't deny any user to connect facebook.
>
> Some trick to do that?
>
> Thanks for now.

Short version: you can't block via domain in pf.

Long version: when pf starts, it reads its config file. If you have a domain name listed, and you can't reach your DNS server because DHCP or other networking scripts aren't loaded, it can't resolve the domain. If it CAN resolve the domain, it will use the IP address it received from a DNS lookup. For domains backed by a single IP, no problem. For domains that span multiple IPs, and multiple networks, that's a pretty big problem.

Additionally, pf does NOT do deep packet inspection. It's extremely taxing and it's not what pf was designed to do.

If you want to block facebook I would suggest a multi-faceted approach (though it's not foolproof, it just keeps MOST people from going there).

1) Control DNS. You can have lookups for *.facebook.com (and associated CDN addresses) go to whatever.

2) Control the browser - if you can blacklist *.facebook.com (and associated CDN addresses) you can limit a lot of it.

3) Force your users through squid or another web proxy. This is probably the best method as you can then block anything going to a facebook.com address, or with certain strings in the URL, by redirecting them to a page saying, "I'm sorry, that is not allowed on this network." This scales remarkably well on commodity hardware up to several thousand users assuming you aren't doing 10Gb.

Good luck.

kmw
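The reply above explains that pf resolves a hostname only once, when the ruleset is loaded, so a multi-address domain is never fully covered. The usual workaround is to keep the hostname out of pf.conf and instead have an outside script re-resolve the name and replace the contents of a pf table. The script below is an added example written for this page, not code from the thread or from the pf project. The table name `fb`, the file path, and the sample `host` output (with documentation-range addresses, not real ones) are constructed for illustration; the rule assumes the box is an outbound-filtering router.

```shell
#!/bin/sh
# Added example (not from the original thread): keep a pf table of a
# domain's currently resolved addresses, refreshed from outside pf.
# pf resolves a hostname once, at ruleset load; this script re-resolves
# and replaces the table so it tracks multi-address domains.
# Table name "fb" and all sample data below are constructed.

# Constructed sample of `host www.facebook.com` output. The addresses are
# documentation-range placeholders (RFC 5737 / RFC 3849), not real ones.
SAMPLE='www.facebook.com is an alias for star.c10r.facebook.com.
star.c10r.facebook.com has address 192.0.2.10
star.c10r.facebook.com has address 192.0.2.11
star.c10r.facebook.com has IPv6 address 2001:db8::1
star.c10r.facebook.com mail is handled by 10 mx.example.'

# Default to printing the pfctl command; set DRY_RUN=0 to really load the table.
: "${DRY_RUN:=1}"

# pf_rules: the pf.conf fragment this script feeds. The table is declared
# "persist" so pf keeps it across rule reloads; the script fills it.
# "block return" answers clients with RST/unreachable instead of a hang.
pf_rules() {
    cat <<'EOF'
table <fb> persist
block return out quick from any to <fb>
EOF
}

# extract_addrs RESOLVER_OUTPUT: keep only the A and AAAA answers, one per
# line, dropping the CNAME and MX lines `host` also prints.
extract_addrs() {
    printf '%s\n' "$1" | awk '/ has address /{print $4} / has IPv6 address /{print $5}'
}

# refresh_table TABLE FILE RESOLVER_OUTPUT: write the addresses to FILE and
# replace the table contents in one pfctl call. An empty answer (resolver
# down, NXDOMAIN) leaves the existing table alone rather than emptying it,
# which would silently unblock everything. Returns 1 in that case.
refresh_table() {
    table=$1; file=$2; answer=$3
    extract_addrs "$answer" > "$file"
    if [ ! -s "$file" ]; then
        echo "refresh_table: no addresses for <$table>; table unchanged" >&2
        return 1
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "pfctl -t $table -T replace -f $file"
    else
        pfctl -t "$table" -T replace -f "$file"
    fi
}

# Stand-alone run: show the rules and (dry-run) the refresh. In production,
# replace "$SAMPLE" with "$(host www.facebook.com)" and run this from cron.
pf_rules
refresh_table fb "${TABLE_FILE:-/tmp/fb-addrs}" "$SAMPLE"
```

This only blocks the addresses your resolver returned at refresh time, from your vantage point; a site spread across many networks and CDNs will keep slipping through, which is exactly the gap the DNS and proxy suggestions in the reply are meant to close.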