Agreed, you probably want to look into blocking all by default, opening up what you want to allow (even if it is just about everything else), forcing all web traffic through a transparent proxy. Consider squid with squidguard and a good set of blacklists. The blacklists are usually categorized, and with squidguard, you can choose which categories to block and which to allow. As an example, a pf rule that would force port 80 traffic through transparent squid running on port 3128 is:
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

- Dave

On Fri, Aug 19, 2011 at 6:33 AM, Greg Hennessy <[email protected]> wrote:
> > Recently it has come to our attention that bandwidth has become an issue
> > with increased Spotify usage throughout the company. I'm looking for a way
> > to block access to it in pf. The rule that I am trying is the following:
> >
> > table <spotify> { 78.31.8.0/22, 193.182.8.0/21 }
> > block return in quick on $int_if proto tcp from 192.168.1.0/24 to <spotify> port 4070
> >
> > For whatever reason it's showing that the rule is working but not really
> > working. Am I missing something?
>
> Yes, stop trying to plug a leak in a colander by using a match stick.
>
> Block by default by starting the policy with
>
> block log all
>
> And only allow routed egress to the specific sites and services which are
> directly related to a valid business requirement.
> Run all browser traffic through a proxy server to categorise and inspect
> the content, permitting internet access from the proxy to 80 and 443/tcp
> only.
>
> For a business that describes itself as 'advanced e-commerce' you guys
> should know this already, this is not rocket science.
>
> With an open door flapping in the breeze as suggested above, if I was to
> speculate, I would suggest that Spotify is the least problem you should
> worry about right now.
>
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "[email protected]"

--
David Andrzejewski
http://davidandrzejewski.me
http://www.davidandrzejewski.com
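The default-deny policy Greg describes and the transparent-proxy rdr Dave posts, put together into one pf.conf as an added example. This is not a configuration from either message; the interface names (em0/em1), the LAN range, the use of 127.0.0.1 for squid and the proxy port are assumptions, and it uses the separate nat/rdr syntax that FreeBSD's pf had in 2011 rather than the newer `match ... nat-to`/`rdr-to` form.

```pf
# Added example, not from the thread. Interface names, LAN range and proxy
# address/port are assumptions; adjust to the real deployment.
ext_if     = "em0"
int_if     = "em1"
lan        = "192.168.1.0/24"
proxy_port = "3128"

set skip on lo0

# Translation rules (evaluated before filter rules).
# LAN hosts that are allowed out leave via the firewall's external address.
nat on $ext_if from $lan to any -> ($ext_if)

# Transparent interception: every port-80 connection arriving from the LAN
# is redirected to squid listening on 127.0.0.1:3128. Only packets coming in
# on $int_if match, so the proxy's own outbound connections (which leave on
# $ext_if) are never redirected again.
rdr on $int_if inet proto tcp from $lan to any port www -> 127.0.0.1 port $proxy_port

# Filter policy: deny and log everything, then open only what is needed.
# Anything not matched below (Spotify on 4070/tcp included) ends here, so
# no per-application blacklist table is required.
block log all

# LAN -> firewall. Filter rules see the post-rdr destination, hence
# 127.0.0.1:$proxy_port rather than the original web server.
pass in quick on $int_if proto tcp from $lan to 127.0.0.1 port $proxy_port keep state
pass in quick on $int_if proto { tcp udp } from $lan to ($int_if) port domain keep state

# Firewall/proxy -> Internet: the proxy may speak HTTP and HTTPS only, and
# the firewall may resolve names upstream. Nothing else leaves the site.
pass out quick on $ext_if proto tcp from ($ext_if) to any port { www https } keep state
pass out quick on $ext_if proto { tcp udp } from ($ext_if) to any port domain keep state
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`), then inspect what is actually installed with `pfctl -s nat` and `pfctl -s rules`. Two caveats a practitioner should keep in mind: the rdr only catches plain HTTP, so HTTPS will simply be dropped by `block log all` until browsers are pointed at the proxy explicitly (CONNECT) or a separate interception path is added, and because squid's `http_port` must be marked transparent for intercepted connections, a misconfigured proxy shows up in the pf logs as passed connections that never complete rather than as blocks.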
