Re: [gentoo-user] blocking facebook
With iptables you can use the following:

    iptables -I OUTPUT -m string --string 'facebook' --algo bm -j DROP
    iptables -I FORWARD -m string --string 'facebook' --algo bm -j DROP

And that is all.

On Sat, 12-12-2015 at 03:54, Willie M wrote:
> If you use nat on iptables, it will also bypass it while using NAT.
> Change the DNS server on virtualbox with doing something on dd-wrt it
> will also bypass it. You have to keep dealing with it. There will
> always be a way to bypass.
>
> On Fri, Dec 11, 2015, 7:38 PM wrote:
>
> > On 12/11/2015 08:29 PM, Willie M wrote:
> > > If that is the only website you want to block use /etc/hosts.
> > > Point it towards your own computer. "127.0.0.1 facebook.com".
> >
> > That will work, but if they boot VirtualBox Windows it will
> > by-pass that setting.
> >
> > --
> > Thelma
> >
> > > On Fri, Dec 11, 2015, 7:04 PM wrote:
> > >
> > >> Does anybody have an idea how to block facebook?
> > >>
> > >> I'm using dd-wrt. The "access restriction" can block http but
> > >> not https and I'm not good in iptables :-/
> > >> In addition users are using VirtualBox on the network as well.
> >
>
> --
> Willie Matthews
> matthews.willi...@gmail.com
> 702-659-9966
Re: [gentoo-user] blocking facebook
On 12/12/2015 05:03, the...@sys-concept.com wrote:
> Does anybody have an idea how to block facebook?
>
> I'm using dd-wrt. The "access restriction" can block http but not https
> and I'm not good in iptables :-/
> In addition users are using VirtualBox on the network as well.
>

When you eventually get this in place, what are you going to do when the
marketing people want to update the company's own Facebook page?

Blocking facebook (or any other social site) is an exercise in futility.
You will never get it right without expending vast effort and, as many
others have said, people will always find ways around it. Including using
their personal phones while sitting at their desk.

--
Alan McKinnon
alan.mckin...@gmail.com
Re: [gentoo-user] blocking facebook
On Friday, 11 December 2015, 20:03:14, the...@sys-concept.com wrote:
> Does anybody have an idea how to block facebook?
>
> I'm using dd-wrt. The "access restriction" can block http but not https
> and I'm not good in iptables :-/
> In addition users are using VirtualBox on the network as well.

You need to inspect the traffic on layer 7. The best way to achieve this
is to add the deep packet inspection library to netfilter. Then you can
filter specific websites.

Or you use a proxy and filter the site.

Kind regards,

Michael Schwartzkopff

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: [gentoo-user] blocking facebook
On Sat, 12 Dec 2015 01:29:20 -0500 waltd...@waltdnes.org wrote:
> On Fri, Dec 11, 2015 at 08:03:14PM -0700, the...@sys-concept.com wrote
> > Does anybody have an idea how to block facebook?
> >
> > I'm using dd-wrt. The "access restriction" can block http but not https
> > and I'm not good in iptables :-/
> > In addition users are using VirtualBox on the network as well.
>
> An excerpt from my /var/lib/iptables/rules-save ruleset...
>
> [0:0] -A INPUT -s 31.13.24.0/21 -j FECESBOOK
> [154:11168] -A INPUT -s 31.13.64.0/18 -j FECESBOOK
> [0:0] -A INPUT -s 66.220.144.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
> [0:0] -A INPUT -s 74.119.76.0/22 -j FECESBOOK
> [0:0] -A INPUT -s 103.4.96.0/22 -j FECESBOOK
> [0:0] -A INPUT -s 173.252.64.0/18 -j FECESBOOK
> [0:0] -A INPUT -s 204.15.20.0/22 -j FECESBOOK
>
> [0:0] -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
> [3763325:225839770] -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
> [56:3360] -A OUTPUT -d 66.220.144.0/20 -j FECESBOOK
> [0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
> [874:52440] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
> [0:0] -A OUTPUT -d 74.119.76.0/22 -j FECESBOOK
> [0:0] -A OUTPUT -d 103.4.96.0/22 -j FECESBOOK
> [3306:198360] -A OUTPUT -d 173.252.64.0/18 -j FECESBOOK
> [0:0] -A OUTPUT -d 204.15.20.0/22 -j FECESBOOK
>
> [3767715:226105098] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
> [3767715:226105098] -A FECESBOOK -j DROP

+1. Just block their CIDR ranges. No need to do DPI like was suggested
here. Of course smart users can use proxies or tunneling, so this is not
a 100% solution, but for the majority it will work.

Just a tip here: use ipset hash:net for all these ranges and just a few
iptables rules to check src and dst in FORWARD and/or INPUT/OUTPUT,
depending on whether the host is a router or the target system; e.g. for
dd-wrt this will be sufficient:

    iptables -A FORWARD -m set --match-set facebook src -j DROP
    iptables -A FORWARD -m set --match-set facebook dst -j DROP

A set can be created like this:

    ipset create facebook hash:net
    ipset add facebook 31.13.24.0/21
    ...

Of course logging may be enabled as above if desired.

This way filtering will be much faster and the blocklist may be updated
without touching iptables rules. The Gentoo init script supports ipset
rules save/load as well as iptables.

Do not forget about ipv6 if it is enabled on your network.

Best regards,
Andrew Savchenko
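As an added example (not code from the thread or from any of its posters), the script below does what Andrew describes with the ranges Walter posted: it turns a CIDR list into an "ipset restore" script for a hash:net set, IPv4 and IPv6 both, and prints the few iptables/ip6tables rules that reference it, with a LOG-then-DROP chain in the style of Walter's FECESBOOK chain. The set names facebook/facebook6, the BLOCKED_NET chain, the "_new" staging suffix and the IPv6 line (a documentation prefix, not a real allocation) are this example's own assumptions, and the "-C before adding" idiom assumes an iptables new enough to support -C.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an "ipset restore" script
# and idempotent iptables/ip6tables rules from a CIDR list, IPv4 and IPv6.
# Set names, the BLOCKED_NET chain and the "_new" staging suffix are this
# example's own choices.

# Constructed sample list ("#" comments allowed). The IPv4 ranges are a
# subset of those quoted in the thread; the IPv6 line is a placeholder
# from the documentation prefix 2001:db8::/32, not a real allocation.
SAMPLE_RANGES='
31.13.24.0/21
31.13.64.0/18
66.220.144.0/20
69.171.224.0/19
173.252.64.0/18
2001:db8:face::/48   # placeholder IPv6 range
'

# Return 0 if $1 is a.b.c.d/n with octets 0..255 and n in 0..32.
is_ipv4_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  addr=${1%/*}; plen=${1#*/}
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 looks like an IPv6 prefix (hex digits and colons, n in
# 0..128). A syntax sanity check, not a full address parser.
is_ipv6_cidr() {
  case "$1" in *:*/*) ;; *) return 1 ;; esac
  addr=${1%/*}; plen=${1#*/}
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 128 ] || return 1
  case "$addr" in *[!0-9a-fA-F:]*) return 1 ;; esac
  return 0
}

# Read CIDRs from stdin and print "ipset restore" input. Entries go into
# staging sets that are then swapped in atomically, so live rules never see
# a half-filled set. Any rejected line withholds the swap and returns 1.
# $1 = IPv4 set name, $2 = IPv6 set name.
gen_ipset_restore() {
  v4=$1; v6=$2; bad=0
  for s in "$v4 inet" "$v6 inet6"; do
    echo "create ${s%% *} hash:net family ${s#* } -exist"
    echo "create ${s%% *}_new hash:net family ${s#* } -exist"
    echo "flush ${s%% *}_new"
  done
  while IFS= read -r line; do
    entry=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
    [ -n "$entry" ] || continue
    if is_ipv4_cidr "$entry"; then echo "add ${v4}_new $entry -exist"
    elif is_ipv6_cidr "$entry"; then echo "add ${v6}_new $entry -exist"
    else echo "rejected: $line" >&2; bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ] || { echo "$bad line(s) rejected; swap withheld" >&2; return 1; }
  echo "swap ${v4}_new $v4"; echo "swap ${v6}_new $v6"
  echo "destroy ${v4}_new"; echo "destroy ${v6}_new"
}

# Print "check with -C, add only if absent" so the output can be re-run.
# $1 = iptables or ip6tables, $2 = -A or -I, $3 = rule spec.
emit_rule() { echo "$1 -C $3 2>/dev/null || $1 $2 $3"; }

# Print the firewall commands: a LOG-then-DROP chain (like the thread's
# FECESBOOK chain, but rate-limited) and the hooks that send set matches
# to it. $1 = "router" (FORWARD, as on dd-wrt) or "host" (INPUT/OUTPUT);
# $2 = IPv4 set name, $3 = IPv6 set name.
gen_fw_rules() {
  case "$1" in
    router) chains=FORWARD ;;
    host)   chains="INPUT OUTPUT" ;;
    *) echo "gen_fw_rules: mode must be router or host" >&2; return 1 ;;
  esac
  for pair in "iptables $2" "ip6tables $3"; do
    tool=${pair%% *}; setname=${pair#* }
    echo "$tool -N BLOCKED_NET 2>/dev/null || true"
    emit_rule "$tool" -A "BLOCKED_NET -m limit --limit 10/min -j LOG --log-prefix 'BLOCKED_NET: '"
    emit_rule "$tool" -A "BLOCKED_NET -j DROP"
    for chain in $chains; do
      case "$chain" in INPUT) dirs=src ;; OUTPUT) dirs=dst ;; *) dirs="src dst" ;; esac
      for dir in $dirs; do
        emit_rule "$tool" -I "$chain -m set --match-set $setname $dir -j BLOCKED_NET"
      done
    done
  done
}

# Dry run: print the ipset part, then the firewall part, for review.
printf '%s\n' "$SAMPLE_RANGES" | gen_ipset_restore facebook facebook6
gen_fw_rules router facebook facebook6
```

Run as-is it only prints. To apply, write the first part to a file, check the exit status, and feed it to ipset restore as root; then run the printed firewall commands. Re-running is safe because every rule is checked with -C first, and refreshing the blocklist later means feeding a new restore file, which swaps the sets without touching the rules. Replace SAMPLE_RANGES with an up-to-date list; the thread's ranges are a snapshot from 2015.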
Re: [gentoo-user] blocking facebook
On 12/11/2015 08:29 PM, Willie M wrote:
> If that is the only website you want to block use /etc/hosts. Point it
> towards your own computer. "127.0.0.1 facebook.com".

That will work, but if they boot VirtualBox Windows it will by-pass that
setting.

--
Thelma

> On Fri, Dec 11, 2015, 7:04 PM wrote:
>
>> Does anybody have an idea how to block facebook?
>>
>> I'm using dd-wrt. The "access restriction" can block http but not https
>> and I'm not good in iptables :-/
>> In addition users are using VirtualBox on the network as well.
Re: [gentoo-user] blocking facebook
I used to volunteer at the local high school. They would redirect both http
and https through their content filter (I'm not sure how they worked around
SSL warnings exactly - maybe just a wildcard certificate for *? I know it
was signed by a CA they had generated and installed on every school
computer).

Other than that the best you can hope for is preventing DNS from resolving
it. Add to dnsmasq options on your router "-A /facebook.com/fbcdn.net/".

    -A: Specify an IP address to return for any host in the given domains.
    Queries in the domains are never forwarded and always replied to with
    the specified IP address which may be IPv4 or IPv6. ... one or more
    domains with no address returns a no-such-domain answer, so
    --address=/example.com/ is equivalent to --server=/example.com/ and
    returns NXDOMAIN for example.com and all its subdomains.

-John

Sent from my phone

Simon Thelen wrote:
>On 15-12-11 at 20:03, the...@sys-concept.com wrote:
>> Does anybody have an idea how to block facebook?
>The only way to blacklist facebook would be to create a whitelist and
>drop everything not on said whitelist.
>
>If you block DNS, they can use a different DNS server. If you block IP
>addresses they'll use a proxy/vpn. If you use deep packet inspection
>they'll use TLS or a VPN or an SSH tunnel.
>
>If you can control the systems so that they don't do any of the above,
>it's possible but you've admitted that you can't (unless you can
>control all the Virtualbox instances).
>
>--
>Simon Thelen
>
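The dnsmasq "address=" option John quotes takes several domains in one line and, with no address after them, answers NXDOMAIN for each domain and all its subdomains. As an added example (not code from the thread), the script below builds that line from a list of domains, with a syntax check so a typo does not silently leave a domain unblocked; the 0.0.0.0 sinkhole variant and the config file location in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build the dnsmasq "address="
# line from a list of domains, validating each one first.

# Return 0 if $1 is a plausible lowercase DNS name: letters, digits and
# hyphens, at least two labels, no empty label, no label starting or
# ending with "-".
is_domain() {
  case "$1" in
    ''|*[!a-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read domains from stdin (one per line, case-insensitive, whitespace
# ignored) and print one address= line covering them and their subdomains.
# With no $1 dnsmasq answers NXDOMAIN for them, as the man page excerpt
# says; with $1 set to an address such as 0.0.0.0 it answers with that
# sinkhole address instead. Returns 1 if any line was rejected.
gen_dnsmasq_block() {
  sink=${1:-}; list=; bad=0
  while IFS= read -r d; do
    d=$(printf '%s' "$d" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    [ -n "$d" ] || continue
    if is_domain "$d"; then list="$list/$d"
    else echo "rejected: $d" >&2; bad=$((bad + 1))
    fi
  done
  [ -n "$list" ] || { echo "no valid domains" >&2; return 1; }
  echo "address=$list/$sink"
  [ "$bad" -eq 0 ]
}

# Constructed sample input: the two domains John names. The printed line
# goes into a dnsmasq config file (a file under /etc/dnsmasq.d on a Gentoo
# box, assumed here) or the router's extra dnsmasq options. Only clients
# that actually use this resolver are affected, which is the limit the
# thread already points out.
printf '%s\n' facebook.com fbcdn.net | gen_dnsmasq_block
```

The NXDOMAIN form is the cleaner choice for a block: clients get an immediate "no such host" instead of a hanging connection to a sinkhole address, and nothing on the network has to listen on that address.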
Re: [gentoo-user] blocking facebook
On 15-12-12 at 05:05, Simon Thelen wrote:
> On 15-12-11 at 20:03, the...@sys-concept.com wrote:
> > Does anybody have an idea how to block facebook?
> The only way to blacklist facebook would be to create a whitelist and
> drop everything not on said whitelist.

Oh, and even that's not easy. Finding and creating a whitelist that
ensures necessary stuff gets done without allowing people to bypass blocks
is almost impossible.

Getting around these sorts of blocks isn't a matter of theoretical
possibility, it's a matter of someone putting in enough time and effort
into bypassing it. If you don't have complete control over all devices all
the time, you might as well just give up.

--
Simon Thelen
Re: [gentoo-user] blocking facebook
On Fri, Dec 11, 2015 at 08:03:14PM -0700, the...@sys-concept.com wrote
> Does anybody have an idea how to block facebook?
>
> I'm using dd-wrt. The "access restriction" can block http but not https
> and I'm not good in iptables :-/
> In addition users are using VirtualBox on the network as well.

An excerpt from my /var/lib/iptables/rules-save ruleset...

    [0:0] -A INPUT -s 31.13.24.0/21 -j FECESBOOK
    [154:11168] -A INPUT -s 31.13.64.0/18 -j FECESBOOK
    [0:0] -A INPUT -s 66.220.144.0/20 -j FECESBOOK
    [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
    [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
    [0:0] -A INPUT -s 74.119.76.0/22 -j FECESBOOK
    [0:0] -A INPUT -s 103.4.96.0/22 -j FECESBOOK
    [0:0] -A INPUT -s 173.252.64.0/18 -j FECESBOOK
    [0:0] -A INPUT -s 204.15.20.0/22 -j FECESBOOK

    [0:0] -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
    [3763325:225839770] -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
    [56:3360] -A OUTPUT -d 66.220.144.0/20 -j FECESBOOK
    [0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
    [874:52440] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
    [0:0] -A OUTPUT -d 74.119.76.0/22 -j FECESBOOK
    [0:0] -A OUTPUT -d 103.4.96.0/22 -j FECESBOOK
    [3306:198360] -A OUTPUT -d 173.252.64.0/18 -j FECESBOOK
    [0:0] -A OUTPUT -d 204.15.20.0/22 -j FECESBOOK

    [3767715:226105098] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
    [3767715:226105098] -A FECESBOOK -j DROP

It's OK to change the numbers in brackets to [0:0]. They represent the
number of [packets:bytes] since the rule was last updated. Which block has
the most traffic depends on which part of the planet you're on. Here in
Toronto, Canada outbound traffic to the 31.13.64.0/18 block, specifically
31.13.80.3, is the most common hit. This comes from websites with Facebook
beacons trying to track every man and his dog. You'll notice the
occasional website with a small rectangle that says "...can't establish a
connection to the server at...". Insert your browser's name at the left,
and the website name (Facebook, ad.doubleclick.net, etc) at the right.

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
[gentoo-user] blocking facebook
Does anybody have an idea how to block facebook?

I'm using dd-wrt. The "access restriction" can block http but not https
and I'm not good in iptables :-/
In addition users are using VirtualBox on the network as well.

--
Thelma
Re: [gentoo-user] blocking facebook
If that is the only website you want to block use /etc/hosts. Point it
towards your own computer. "127.0.0.1 facebook.com".

On Fri, Dec 11, 2015, 7:04 PM wrote:
> Does anybody have an idea how to block facebook?
>
> I'm using dd-wrt. The "access restriction" can block http but not https
> and I'm not good in iptables :-/
> In addition users are using VirtualBox on the network as well.
>
> --
> Thelma
>
>

--
Willie Matthews
matthews.willi...@gmail.com
702-659-9966
Re: [gentoo-user] blocking facebook
On 15-12-11 at 20:03, the...@sys-concept.com wrote:
> Does anybody have an idea how to block facebook?

The only way to blacklist facebook would be to create a whitelist and
drop everything not on said whitelist.

If you block DNS, they can use a different DNS server. If you block IP
addresses they'll use a proxy/vpn. If you use deep packet inspection
they'll use TLS or a VPN or an SSH tunnel.

If you can control the systems so that they don't do any of the above,
it's possible but you've admitted that you can't (unless you can
control all the Virtualbox instances).

--
Simon Thelen
Re: [gentoo-user] blocking facebook
On 12/11/2015 09:05 PM, Simon Thelen wrote:
> On 15-12-11 at 20:03, the...@sys-concept.com wrote:
>> Does anybody have an idea how to block facebook?
> The only way to blacklist facebook would be to create a whitelist and
> drop everything not on said whitelist.
>
> If you block DNS, they can use a different DNS server. If you block IP
> addresses they'll use a proxy/vpn. If you use deep packet inspection
> they'll use TLS or a VPN or an SSH tunnel.
>
> If you can control the systems so that they don't do any of the above,
> it's possible but you've admitted that you can't (unless you can
> control all the Virtualbox instances).

The users are not that knowledgeable to do any of that DNS, proxy/vpn etc.
I know the VirtualBox IP address and can block the page "facebook" for an
individual IP or a certain range in dd-wrt. But my problem is getting the
dd-wrt "access control" to recognize and block "https".
Trying to block by URL: https://www.facebook.com/ doesn't work.

--
Thelma
Re: [gentoo-user] blocking facebook
the...@sys-concept.com wrote:
> On 12/11/2015 09:05 PM, Simon Thelen wrote:
>> On 15-12-11 at 20:03, the...@sys-concept.com wrote:
>>> Does anybody have an idea how to block facebook?
>> The only way to blacklist facebook would be to create a whitelist and
>> drop everything not on said whitelist.
>>
>> If you block DNS, they can use a different DNS server. If you block IP
>> addresses they'll use a proxy/vpn. If you use deep packet inspection
>> they'll use TLS or a VPN or an SSH tunnel.
>>
>> If you can control the systems so that they don't do any of the above,
>> it's possible but you've admitted that you can't (unless you can
>> control all the Virtualbox instances).
> The users are not that knowledgeable to do any of that DNS, proxy/vpn etc.
> I know the VirtualBox IP address and can block the page "facebook" for an
> individual IP or a certain range in dd-wrt. But my problem is getting the
> dd-wrt "access control" to recognize and block "https".
> Trying to block by URL: https://www.facebook.com/ doesn't work.
>
> --
> Thelma
>
>

They may not now but I just did a quick search on startpage on how to
unblock facebook and I got a ton of hits including videos on youtube. They
may not know how right now but after you block it, they will shortly
after. On the plus side, you may have some budding computer geeks coming
along.

Anyone else remember those parental control programs that rarely if ever
worked? ROFL Most teens could get past those in seconds if not a minute
or two. ;-)

Dale

:-)  :-)
Re: [gentoo-user] blocking facebook
If you use nat on iptables, it will also bypass it while using NAT. Change
the DNS server on virtualbox with doing something on dd-wrt it will also
bypass it. You have to keep dealing with it. There will always be a way to
bypass.

On Fri, Dec 11, 2015, 7:38 PM wrote:
> On 12/11/2015 08:29 PM, Willie M wrote:
> > If that is the only website you want to block use /etc/hosts. Point it
> > towards your own computer. "127.0.0.1 facebook.com".
>
> That will work, but if they boot VirtualBox Windows it will
> by-pass that setting.
>
> --
> Thelma
>
> > On Fri, Dec 11, 2015, 7:04 PM wrote:
> >
> >> Does anybody have an idea how to block facebook?
> >>
> >> I'm using dd-wrt. The "access restriction" can block http but not https
> >> and I'm not good in iptables :-/
> >> In addition users are using VirtualBox on the network as well.
>

--
Willie Matthews
matthews.willi...@gmail.com
702-659-9966