Date:      Sun, 20 Aug 2017 07:30:40 -0400
From:      Ernie Luzar <luzar722@gmail.com>
To:        Polytropon <freebsd@edvax.de>
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: How to block facebook access
Message-ID:  <599972E0.8080203@gmail.com>
In-Reply-To: <20170819225659.56c11983.freebsd@edvax.de>
References:  <59988180.7020301@gmail.com>	<c651aba9-8e5b-b193-1808-cef5b900cf27@tysdomain.com>	<5998A270.9070907@gmail.com> <20170819225659.56c11983.freebsd@edvax.de>

Polytropon wrote:
> On Sat, 19 Aug 2017 16:41:20 -0400, Ernie Luzar wrote:
>>> On 8/19/2017 2:20 PM, Ernie Luzar wrote:
>>>> Hello list;
>>>>
>>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>>>> are using their work PCs to access Facebook during work.
>>>>
>>>> What method would you recommend to block all Facebook access?
>>>>
>>  > Littlefield, Tyler wrote:
>>  > make your proxy just blacklist facebook.com and m.facebook.com?
>>  > Blocking it will just let them view it on their phones though, so
>>  > you're looking at a different issue altogether.
>>
>> Already blocking 15 Facebook login IP addresses, which can be added to or
>> changed by FB anytime.
> 
> Yes, that is one of the core problems: You do not have control
> over Facebook's network configuration. :-)
> 
> On the IP level, you can maintain a list of IPs to block. And
> you could use resolver modification to do this for you, for
> example when the IP for a certain Facebook service or page
> changes, using the resolver its new IP will be added to the
> block list. With this approach, you can block using both
> numeric IPs and domain name strings (which of course resolve
> to IPs, too).
> 
> Maybe it would be a lot easier if you could just switch to
> whitelisting - define the IPs _allowed_ for the users. This
> will surely introduce new problems like "I cannot access a
> web site which I need for work, please verify and whitelist",
> which is something you cannot fully automate.
> 

I am unfamiliar with the "resolver modification" you speak of.
Is this a function in ipfilter firewall?
Where and how is this done?





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?599972E0.8080203>
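
Added example, not part of the original thread: one way to keep the IP block list Polytropon describes in step with DNS, sketched in Python. It resolves the names mentioned above, remembers each address with a last-seen time so rotating DNS answers accumulate, and renders an ipfilter pool table; the function names, the 7-day expiry, pool number 13 and the ippool.conf layout are assumptions to check against ippool(5).

```python
import ipaddress
import socket
import time

MAX_AGE = 7 * 24 * 3600  # assumption: forget an address not seen for 7 days


def resolve(name):
    """Return the set of addresses the system resolver currently gives for name."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def refresh(seen, names, now, resolver=resolve, max_age=MAX_AGE):
    """Merge fresh lookups into seen ({address: last_seen}) and age out old entries.

    A failed lookup adds nothing, so addresses learned earlier stay blocked
    until they expire; a resolver outage never empties the list.
    """
    for name in names:
        try:
            answers = resolver(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            continue
        for addr in answers:
            seen[str(ipaddress.ip_address(addr))] = now
    return {a: t for a, t in seen.items() if now - t <= max_age}


def render_pool(seen, number=13):
    """Render the addresses as an ippool.conf table (layout assumed from ippool(5))."""
    hosts = sorted((ipaddress.ip_address(a) for a in seen),
                   key=lambda ip: (ip.version, int(ip)))
    entries = " ".join(f"{ip}/{ip.max_prefixlen};" for ip in hosts)
    return f"table role = ipf type = tree number = {number}\n        {{ {entries} }};\n"


if __name__ == "__main__":
    # Constructed sample data: documentation addresses, not real Facebook IPs.
    def sample_resolver(name):
        return {"192.0.2.10", "2001:db8::1"}

    state = refresh({}, ["facebook.com", "m.facebook.com"], time.time(), sample_resolver)
    print(render_pool(state), end="")
```

Run from cron with the state saved between runs, the rendered table can be loaded into ipfilter and referenced from a block rule by its pool number.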