On 17:54, Tue, Dec 16, 2014 thegeezer <thegee...@thegeezer.net> wrote:
On 15/12/14 20:39, Alan McKinnon wrote: > On 15/12/2014 18:47, meino.cra...@gmx.de wrote: >> Hi, >> >> this question is not related to a fully fledged, >> big local area network with DMZs and such. >> >> Even the word "firewall" seems to be a little too >> "huge and mighty" in this context to me. >> >> "The network" consists of a PC, which is connected >> to a FritzBox (cable, no Wifi/WLAN), which connects >> to the ISP (internet) and (same adress range) to a >> embedded system (eth1) >> >> There are two additional embedded systems, both on >> a separate interface (eth over usb: usb0 & usb1). >> >> I want to block (DROP or REJECT) the access to certain >> sites (the "noise" which is produced mostly by sites, >> which all exclusively "only want my best": ads, trackers, analysts >> and so on...) >> >> I tried different tools: fwbuilder, which locks up either itsself >> or my rulesset...I had to reboot and Shorewall, which definitely >> is a great tool....a little too great tool and much more capable >> as I am... ;) >> >> I am sure that the problems are mostly not the problems of the >> tools but mine. >> >> Is there any simple straight forward tool to just block accesses >> to certain sites? > > > to do it network-wide: squid +1 and not in transparent mode either -- if you have a proxy server set then https traffic is filtered by domain name as it is part of the proxy connection request. squid + squidGuard / dansguardian is the way forward. for examle, in my "advertisers/tracking" database there are some 12 thousand domains listed. good luck adding those individually to iptables. the only other way to do things super paranoidly is by whitelisting i.e. on the router just keep adding ip and port to whitelist table for those you _want_ iptables -N whitelist iptables -A whitelist -d 8.8.8.8 -m udp --dport 53 -j ACCEPT iptables -A FORWARD -i LAN -o WAN -j whitelist iptables -A FORWARD -J REJECT this takes longer to "start" but is easier to maintain, as facebook for example are constantly buying ip ranges and adding them to their global domination, so you start by thinking you have blocked all 100 facebook ip addresses and then a month or two later discover they have another 200 you need to block > > to do it on a per-pc per-browser basis: there's a large variety of > firefox plugins to chose from that will block this and allow that. It > seems to me this is the better approach as you want to stop your browser > chatting with sites who only have your best interest at heart :-) > > > Either way, the list of black and white lists gets very big very quick, > so chose your tool carefully. Try a bunch and pick one that makes sense > to you, bonus points if it comes with a community-supported blacklist > you can drop in, maintained by people whose POV matches your own. > > You don't want a classic firewall for this; firewalls are mostly built > to block based on address and port, this is not how you solve your problem > You can automate the process by using 'dig' and 'ipset'. Create an ipset named "Fbook" of type hash:ip, then every 5 minutes run a script that does a lookup for facebook.com and add the found IP to the Fbook ipset. Rgds, --
