On 16/12/2014 06:02, [email protected] wrote: > > > Alan McKinnon <[email protected]> [14-12-16 03:43]: >> On 15/12/2014 18:47, [email protected] wrote: >>> Hi, >>> >>> this question is not related to a fully fledged, >>> big local area network with DMZs and such. >>> >>> Even the word "firewall" seems to be a little too >>> "huge and mighty" in this context to me. >>> >>> "The network" consists of a PC, which is connected >>> to a FritzBox (cable, no Wifi/WLAN), which connects >>> to the ISP (internet) and (same adress range) to a >>> embedded system (eth1) >>> >>> There are two additional embedded systems, both on >>> a separate interface (eth over usb: usb0 & usb1). >>> >>> I want to block (DROP or REJECT) the access to certain >>> sites (the "noise" which is produced mostly by sites, >>> which all exclusively "only want my best": ads, trackers, analysts >>> and so on...) >>> >>> I tried different tools: fwbuilder, which locks up either itsself >>> or my rulesset...I had to reboot and Shorewall, which definitely >>> is a great tool....a little too great tool and much more capable >>> as I am... ;) >>> >>> I am sure that the problems are mostly not the problems of the >>> tools but mine. >>> >>> Is there any simple straight forward tool to just block accesses >>> to certain sites? >> >> >> >> to do it network-wide: squid >> >> to do it on a per-pc per-browser basis: there's a large variety of >> firefox plugins to chose from that will block this and allow that. It >> seems to me this is the better approach as you want to stop your browser >> chatting with sites who only have your best interest at heart :-) >> >> >> Either way, the list of black and white lists gets very big very quick, >> so chose your tool carefully. Try a bunch and pick one that makes sense >> to you, bonus points if it comes with a community-supported blacklist >> you can drop in, maintained by people whose POV matches your own. >> >> You don't want a classic firewall for this; firewalls are mostly built >> to block based on address and port, this is not how you solve your problem >> >> -- >> Alan McKinnon >> [email protected] >> > > Hi Alan, > > thanks for reply! :) > > actually the thing is: There is a plugin called "NoScript" which > constantly accesses secure.informaction.com, which is the author > of this plugin. > I tried a lot to block that access from inside firefox but did > not find a way to do so (read: _I_ did not find... ;) > > If you know a plugin for firefox which is able to block accesses > from all other plugins to certain sites of the internet I would > be happy to check that out.
I don't know of a plugin that specifically does that; I do know that there are Firefox plugins for just about anything you could imagine, that's why I made the suggestion > > I tried to block the accesses via iptable rules which DROP/REJECT > the name and the IP-address of that site...no chance. > > The IP has not changed of that site... > > Wireshark still reports traffic to and from that site and following > the TCP stream with wireshark shows, that the traffic has encrypted > contents. That indicates something wrong with your iptables rules. iptables works at the lowest level of the network stack (very little if anything can bypass it) and wireshark works by reading the network interface directly in promiscuous mode. The traffic you see probably doesn't have a iptables rule to catch it. There are 4 addresses for that domain name, did you incluce them all in the rule? # dig secure.informaction.com +short 82.103.140.42 82.103.140.40 69.195.141.179 69.195.141.178 > > The other access, which origin I haven't located exactly yet (its > origin is in firefox (a plugin I think), is to > s3-1.amazonaws.com. > I also want to block this. > > Please what is the plugin of the large variety of plugins, which is > able to block access of all other plugins to customer defined sites? As I said above, I don't track plugins too closely, so I don't know. But someone else on this list will, lots of knowledgeable people around here :-) -- Alan McKinnon [email protected]
