Date: Sun, 20 Aug 2017 07:30:40 -0400
From: Ernie Luzar
To: Polytropon
CC: "freebsd-questions@freebsd.org"
Subject: Re: How to block facebook access

Polytropon wrote:
> On Sat, 19 Aug 2017 16:41:20 -0400, Ernie Luzar wrote:
>>> On 8/19/2017 2:20 PM, Ernie Luzar wrote:
>>>> Hello list;
>>>>
>>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>>>> are using their work PCs to access facebook during work.
>>>>
>>>> What method would you recommend to block all facebook access?
>>>>
>> > Littlefield, Tyler wrote:
>> > make your proxy just blacklist facebook.com and m.facebook.com?
>> > Blocking it will just let them view it on their phones though, so
>> > you're looking at a different issue altogether.
>>
>> Already blocking 15 facebook login IP addresses, which can be added to or
>> changed by FB anytime.
>
> Yes, that is one of the core problems: You do not have control
> over Facebook's network configuration. :-)
>
> On the IP level, you can maintain a list of IPs to block. And
> you could use resolver modification to do this for you, for
> example when the IP for a certain Facebook service or page
> changes, using the resolver its new IP will be added to the
> block list. With this approach, you can block using both
> numeric IPs and domain name strings (which of course resolve
> to IPs, too).
>
> Maybe it would be a lot easier if you could just switch to
> whitelisting - define the IPs _allowed_ for the users. This
> will surely introduce new problems like "I cannot access a
> web site which I need for work, please verify and whitelist",
> which is something you cannot fully automate.
>

I am unfamiliar with the "resolver modification" you speak of. Is this a
function in ipfilter firewall? Where and how is this done?
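
The resolver-driven block list described in the quoted reply, as an added example that is not part of the original message or either poster's code: it turns `host`-style lookup output into an ipfilter address pool definition and refuses to emit an empty pool when resolution fails. The pool number 13, the `blocked.example` names and the documentation-range addresses are constructed assumptions; a rule such as `block out quick from any to pool/13` in ipf.conf would reference the pool.

```sh
#!/bin/sh
# Added example (not from the thread). Assumptions: pool number 13 and the
# blocked.example names are placeholders; addresses are documentation ranges.
POOL_NUM=13

# Constructed sample of `host`-style resolver output, embedded so this runs offline.
SAMPLE='blocked.example has address 192.0.2.10
blocked.example has address 192.0.2.11
blocked.example has IPv6 address 2001:db8::10
m.blocked.example has address 192.0.2.10
Host nosuch.example not found: 3(NXDOMAIN)'

# Keep only well-formed answer lines and print each address once, as a
# host-length prefix. Error lines and anything unexpected are dropped.
extract_addrs() {
    awk '
        $2 == "has" && $3 == "address" &&
            $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $4 "/32" }
        $2 == "has" && $3 == "IPv6" && $4 == "address" &&
            $5 ~ /^[0-9A-Fa-f:]+$/ { print $5 "/128" }
    ' | LC_ALL=C sort -u
}

# Read resolver output on stdin and print an ippool(5) table definition.
# Returns 1 without printing if no address was found, so a resolver outage
# cannot replace a working block list with an empty one.
make_pool() {
    addrs=$(extract_addrs)
    [ -n "$addrs" ] || return 1
    printf 'table role = ipf type = tree number = %s\n\t{' "$POOL_NUM"
    # Unquoted on purpose: one validated address per word.
    printf ' %s;' $addrs
    printf ' };\n'
}

# On the gateway the input would come from the resolver and the output be
# loaded with ippool(8); here the constructed sample is used instead.
printf '%s\n' "$SAMPLE" | make_pool
```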