Date:      Sat, 26 Aug 2017 13:19:32 +0300
From:      Odhiambo Washington <odhiambo@gmail.com>
To:        Adam Vande More <amvandemore@gmail.com>
Cc:        Ernie Luzar <luzar722@gmail.com>,  "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: How to block facebook access
Message-ID:  <CAAdA2WP02yEig7bgwCioh=X-8qTVcm0NRkp7BZh-uhQboq_0oQ@mail.gmail.com>
In-Reply-To: <CA%2BtpaK0fk%2BdtM5PJmv9j2XXnChP4M_9rPV7XC=OfsAFE_qam8Q@mail.gmail.com>
References:  <59988180.7020301@gmail.com> <CA%2BtpaK0fk%2BdtM5PJmv9j2XXnChP4M_9rPV7XC=OfsAFE_qam8Q@mail.gmail.com>

On 23 August 2017 at 03:08, Adam Vande More <amvandemore@gmail.com> wrote:

> On Sat, Aug 19, 2017 at 1:20 PM, Ernie Luzar <luzar722@gmail.com> wrote:
>
> > Hello list;
> >
> > Running 11.1 & ipfilter with LAN behind the gateway server. LAN users are
> > using their work PCs to access facebook during work.
> >
> > What method would you recommend to block all facebook access?
> >
>
> Personally I would set up a transparent proxy, e.g. squid, and block it using
> that.  DNS solutions are too fragile and something like squid can generate
> comprehensive reports.
>
> --
> Adam
>

In line with the KISS (Keep It Simple Stupid) principle, I beg to differ
with you! Using Squid in transparent mode is not the easiest way to block
HTTPS traffic. Think about setting up ssl_bump and all those certificates
you have to import on all the computers so that the cert is 'trusted', and
the pain you have to go through with the different browsers. I have been
there and found it too much complex work.
I use dnsmasq+PF+BIND+DHCP (or unbound) to achieve this, but only that I
have to exempt some users from the blockage. If it was a blanket block, the
unbound REFUSE option is dandy - K.I.S.S - as detailed by Frank Shute.


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


