Date: Sun, 20 Aug 2017 20:10:52 +0300
From: Odhiambo Washington <odhiambo@gmail.com>
To: Ernie Luzar <luzar722@gmail.com>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: How to block facebook access
Message-ID: <CAAdA2WN5BH2o=2ej%2BVy=VpO5Z23N5xLqnLY_fkzbSjpU9o9awA@mail.gmail.com>
In-Reply-To: <599972E0.8080203@gmail.com>
References: <59988180.7020301@gmail.com> <c651aba9-8e5b-b193-1808-cef5b900cf27@tysdomain.com> <5998A270.9070907@gmail.com> <20170819225659.56c11983.freebsd@edvax.de> <599972E0.8080203@gmail.com>
On 20 August 2017 at 14:30, Ernie Luzar <luzar722@gmail.com> wrote:
> Polytropon wrote:
>
>> On Sat, 19 Aug 2017 16:41:20 -0400, Ernie Luzar wrote:
>>
>>> On 8/19/2017 2:20 PM, Ernie Luzar wrote:
>>>>
>>>>> Hello list;
>>>>>
>>>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>>>>> are using their work PCs to access facebook during work.
>>>>>
>>>>> What method would you recommend to block all facebook access?
>>>>>
>>>>>
>>> > Littlefield, Tyler wrote:
>>> > make your proxy just blacklist facebook.com and m.facebook.com?
>>> > Blocking it will just let them view it on their phones though, so
>>> > you're looking at a different issue altogether.
>>>
>>> Already blocking 15 facebook login IP addresses which can be added to or
>>> changed by FB anytime.
>>>
>>
>> Yes, that is one of the core problems: You do not have control
>> over Facebook's network configuration. :-)
>>
>> On the IP level, you can maintain a list of IPs to block. And
>> you could use resolver modification to do this for you, for
>> example when the IP for a certain Facebook service or page
>> changes, using the resolver its new IP will be added to the
>> block list. With this approach, you can block using both
>> numeric IPs and domain name strings (which of course resolve
>> to IPs, too).
>>
>> Maybe it would be a lot easier if you could just switch to
>> whitelisting - define the IPs _allowed_ for the users. This
>> will surely introduce new problems like "I cannot access a
>> web site which I need for work, please verify and whitelist",
>> which is something you cannot fully automate.
>>
>>
> I am unfamiliar with the "resolver modification" you speak of.
> Is this a function in ipfilter firewall?
> Where and how is this done?
>
>

I use dnsmasq+Bind+PF for this. dnsmasq is set such that it listens on
port 5353. It can be configured to read /etc/hosts first before querying
bind. What it doesn't find in /etc/hosts, it asks BIND.
My pf.conf redirects all DNS queries to dnsmasq running on port 5353.
However, there are a few people I do not want to block. I assign their
machines a range of static IPs (based on their MAC addresses) and I allow
these IPs to access DNS directly via BIND:

# Bypass DNS restrictions for some users. Allow DNS requests to the local BIND engine
rdr pass on $int_if inet proto udp from { 192.168.54.23/32, 192.168.54.24/32, 192.168.54.104/32, 192.168.54.6/32 } to port 53 \
    -> 192.168.55.254 port 53

# Redirect all other DNS requests to the dnsmasq instance
rdr pass on $int_if inet proto udp from any to port 53 \
    -> 192.168.55.254 port 5353

You can find the code for blocking Facebook hosts here ->
http://geekussion.com/windows/block-facebook-hosts-file-windows-pc-99/

Just add those entries to /etc/hosts after you have configured dnsmasq.

HTH

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
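An added example (my own code, not Odhiambo's or the linked page's) of maintaining the /etc/hosts block section that dnsmasq serves from: it rewrites a marker-delimited section idempotently, drops anything that is not a plain dotted hostname, and leaves the rest of the file untouched. The marker strings, file paths and the use of 0.0.0.0 as the sink address are assumptions of the example.

```shell
#!/bin/sh
# Added example: maintain the hosts-file block list that dnsmasq reads.
# Marker strings and file paths are constructed for this example.
BLOCK_BEGIN='# BEGIN fb-block'
BLOCK_END='# END fb-block'

# Read hostnames from stdin, skip blank lines and comments, and print one
# "0.0.0.0 <host>" line per valid name. 0.0.0.0 (rather than 127.0.0.1)
# keeps blocked names from landing on a web server on the gateway itself.
# Names that are not plain dotted hostnames are reported and dropped so
# nothing unexpected is written into the hosts file.
hosts_entries() {
    while IFS= read -r host; do
        case "$host" in
            ''|\#*) continue ;;
        esac
        if printf '%s\n' "$host" | grep -Eq \
            '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'; then
            printf '0.0.0.0\t%s\n' "$host"
        else
            printf 'skipping invalid hostname: %s\n' "$host" >&2
        fi
    done
}

# Replace (or append) the marker-delimited section in a hosts file.
# Re-running with an updated list never duplicates entries, and the file
# is overwritten in place so its ownership and mode survive.
#   $1 = hosts file (e.g. /etc/hosts)   $2 = file with one hostname per line
update_hosts_block() {
    hosts_file=$1
    list=$2
    tmp=$(mktemp) || return 1
    # Copy everything outside the old block (if there is one).
    awk -v b="$BLOCK_BEGIN" -v e="$BLOCK_END" \
        '$0 == b { skip = 1; next } $0 == e { skip = 0; next } !skip' \
        "$hosts_file" > "$tmp"
    printf '%s\n' "$BLOCK_BEGIN" >> "$tmp"
    hosts_entries < "$list" >> "$tmp"
    printf '%s\n' "$BLOCK_END" >> "$tmp"
    cat "$tmp" > "$hosts_file"
    rm -f "$tmp"
}

# Number of sink entries inside the block: a sanity check after an update.
blocked_count() {
    awk -v b="$BLOCK_BEGIN" -v e="$BLOCK_END" \
        '$0 == b { inb = 1; next } $0 == e { inb = 0 } inb && $1 == "0.0.0.0" { n++ } END { print n + 0 }' "$1"
}
```

dnsmasq re-reads /etc/hosts on SIGHUP, so signal it after each update; note also that the rdr rules quoted above match only UDP, so a matching `proto tcp` rule is needed for DNS over TCP to be redirected to dnsmasq as well.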