Re: Blocking facebook.com: PF or squid?

2013-11-02 Thread Jiri B
On Fri, Nov 01, 2013 at 09:16:33PM +0100, Stefan Wollny wrote:
 In parallel I asked conformal for advice and got this answer:
 
 ###   QUOTE   ###
 Adsuck no longer works on OpenBSD when using DHCP due to the removal of
 the ability to override the target /etc/resolv.conf.
 ### QUOTE END ###
 
 This needs to be reported on ports@.

That's bullshit. Maybe not out of the box but it can work.
man resolv.conf (search for resolv.conf.tail) and learn how
to use dhclient.conf ('ignore domain-name-servers, domain-name;').

jirib



Re: Blocking facebook.com: PF or squid?

2013-11-01 Thread Stefan Wollny
On Sat, 19 Oct 2013 05:42:04 -0400, Eric Furman ericfur...@fastmail.net wrote:

 Holy Jesus, nobody read this guys email.
 He is not an administrator trying to block users
 access to facebook, he just doesn't want facebook snooping
 him when he visits other websites.
 He has been given the right answer already.
 Adsuck will solve all of his problems.
 It will block facebook and any others he chooses.

Hi Eric,
Hi list!

Your analysis is correct - but as neither hosts-file nor adblock worked
as expected I came up with my questions regarding 'Blocking Facebook'.

In parallel I asked conformal for advice and got this answer:

###   QUOTE   ###
Adsuck no longer works on OpenBSD when using DHCP due to the removal of
the ability to override the target /etc/resolv.conf.
### QUOTE END ###

This needs to be reported on ports@.

Just for the records as I have received so much valuable advice on this
issue: I have set up Squid and Privoxy by now. Both need some more
fine-tuning (aka learning) but they seem to do what I expect:
Protecting my home-network.

Thanks again!

Regards,
STEFAN



Re: Blocking facebook.com: PF or squid?

2013-10-31 Thread Chris Smith
On Fri, Oct 18, 2013 at 8:24 PM, Clint Pachl pa...@ecentryx.com wrote:
 Running your own DNS resolver is the best solution to deny the whole
 network facebook access. With Unbound this is simple:

 # This will block facebook.com and all subdomains.
 local-zone: facebook.com redirect
 local-data: facebook.com A 127.0.0.1

I use:
local-zone: facebook.com. refuse
local-zone: fb.me. refuse

Of course if the client system has secondary DNS servers configured
AND has access to them Unbound's refusal won't help much. But that is
simply stopped at the firewall (no outbound DNS except via the
server).

Using refuse vs redirect could also be useful if you want guests to be
able to access the refused domains - have the DHCP server assign the
guest pool a secondary public DNS and allow that pool to pass outbound
DNS to the secondary servers.

Chris



Re: Blocking facebook.com: PF or squid?

2013-10-22 Thread carlos albino garcia grijalba
Hosts file is good but does not stop web proxies.

 From: stefan.wol...@web.de
 To: misc@openbsd.org
 Subject: Re: Blocking facebook.com: PF or squid?
 Date: Mon, 21 Oct 2013 18:26:57 +0200

 Hi Sico!
 Hi list!

 [stuff deleted for brevity]
 
  I am in a similar situation (squid at home) and I simply have a
  blacklist with lines like these:
 
  doubleclick
  facebook
  scorecardresearch
 
  Works like a charm for me, and no need to look up IP address blocks
  or anything like that. And since I am the only user here there's no
  collateral damage. ;-)
 
  Well: I am personally liable for what leaves my network so this kind of
  'collateral damage' is what I intentionally try to achieve :-) (see the
  reply to myself a few minutes ago)
 
  Uhm, squid only filters incoming traffic...

 Doesn't this actually answer my original question: If only incoming traffic
 is filtered by squid, stealth outflows towards FB are not caught by the proxy.
 Obviously then only PF serves my needs for a reason.

  May I ask a follow-up question: Did you set up the blacklist within
  squid.conf or did you reference to a separate file?
 
  A bit of both really, I use a separate file and reference it in
  squid.conf:
 
  sico@siem2:~grep blacklist /etc/squid/squid.conf
  acl blacklist url_regex /etc/squid/blacklist.acl
  http_access deny blacklist
  sico@siem2:~

 Thanks for this. This brings an idea to me: I will try this with the full
 list of 'nasty addresses' from http://winhelp2002.mvps.org/hosts.htm.
 Shouldn't this then have the same effect on all clients served by the
 squid-server as if I'd go around and update the individual hosts-files?

  The url_regex allows me to specify facebook instead of facebook.com
  etc.

 That is good to know!

  CU, Sico.

 Thanks again and
 have a nice week,

 STEFAN



Re: Blocking facebook.com: PF or squid?

2013-10-21 Thread Stefan Wollny
Hi Sico!
Hi list!

[stuff deleted for brevity]

 I am in a similar situation (squid at home) and I simply have a
 blacklist with lines like these:

 doubleclick
 facebook
 scorecardresearch

 Works like a charm for me, and no need to look up IP address blocks
 or anything like that. And since I am the only user here there's no
 collateral damage. ;-)

 Well: I am personally liable for what leaves my network so this kind of
 'collateral damage' is what I intentionally try to achieve :-) (see the
 reply to myself a few minutes ago)

 Uhm, squid only filters incoming traffic...

Doesn't this actually answer my original question: If only incoming traffic is
filtered by squid, stealth outflows towards FB are not caught by the proxy.
Obviously then only PF serves my needs for a reason.

 May I ask a follow-up question: Did you set up the blacklist within
 squid.conf or did you reference to a separate file?

 A bit of both really, I use a separate file and reference it in squid.conf:

 sico@siem2:~grep blacklist /etc/squid/squid.conf
 acl blacklist url_regex /etc/squid/blacklist.acl
 http_access deny blacklist
 sico@siem2:~

Thanks for this. This brings an idea to me: I will try this with the full list 
of 'nasty addresses' from http://winhelp2002.mvps.org/hosts.htm. Shouldn't this 
then have the same effect on all clients served by the squid-server as if I'd 
go around and update the individual hosts-files?

 The url_regex allows me to specify facebook instead of facebook.com etc.

That is good to know!

 CU, Sico.

Thanks again and
have a nice week,

STEFAN



Re: Blocking facebook.com: PF or squid?

2013-10-20 Thread Sico Bruins
On Sun, Oct 20, 2013 at 01:04:01AM +0200, Stefan Wollny wrote:

[stuff deleted for brevity]

 I am in a similar situation (squid at home) and I simply have a
 blacklist with lines like these:
 
 doubleclick
 facebook
 scorecardresearch
 
 Works like a charm for me, and no need to look up IP address blocks
 or anything like that. And since I am the only user here there's no
 collateral damage. ;-)
 
 Well: I am personally liable for what leaves my network so this kind of
 'collateral damage' is what I intentionally try to achieve :-) (see the
 reply to myself a few minutes ago)

Uhm, squid only filters incoming traffic...

 May I ask a follow-up question: Did you set up the blacklist within
 squid.conf or did you reference to a separate file?

A bit of both really, I use a separate file and reference it in squid.conf:

sico@siem2:~grep blacklist /etc/squid/squid.conf
acl blacklist url_regex /etc/squid/blacklist.acl
http_access deny blacklist
sico@siem2:~

The url_regex allows me to specify facebook instead of facebook.com etc.

CU, Sico.

-- 
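
Sico's url_regex list, Stefan's idea of feeding the winhelp2002 hosts list to Squid, and Chris Smith's Unbound "refuse" zones all start from the same input: a list of hostnames. The shell script below is an added example and not code from the thread or from the Squid or Unbound projects; it converts a hosts-file style list into a Squid dstdomain ACL file and into Unbound local-zone lines. The sample list is constructed, and the file paths and function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a hosts-file style
# blocklist (the "0.0.0.0 host" shape of the winhelp2002 mvps list) into
#   (a) a Squid dstdomain ACL file, and
#   (b) Unbound local-zone lines in the "refuse" style Chris Smith uses.
# The sample list and the file paths in the comments are constructed/assumed.

# Constructed sample list: a comment, a trailing comment, a blank line,
# a localhost entry and a duplicate, to exercise the parser.
SAMPLE_HOSTS='# constructed sample, same layout as a hosts file
127.0.0.1 localhost
0.0.0.0 www.facebook.com
0.0.0.0 fbcdn.net   # trailing comment
0.0.0.0 www.facebook.com
127.0.0.1 scorecardresearch.com

0.0.0.0 ads.example.test'

# hosts_to_domains: hosts-file lines on stdin -> one bare hostname per
# line, lowercased, de-duplicated; comments and localhost entries dropped.
# Only lines whose address is a sinkhole (0.0.0.0, 127.0.0.1, ::1) count,
# so a real /etc/hosts with other entries is not swallowed whole.
hosts_to_domains() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' |
    awk 'NF >= 2 && $1 ~ /^(0\.0\.0\.0|127\.0\.0\.1|::1)$/ {
             for (i = 2; i <= NF; i++) print tolower($i)
         }' |
    grep -v -e '^localhost$' -e '^localhost\.localdomain$' |
    LC_ALL=C sort -u
}

# hosts_to_squid_acl: ".host" per line. The leading dot makes Squid's
# dstdomain ACL match the host and all of its subdomains. dstdomain looks
# at the request host, which for HTTPS through the proxy is the host in
# the CONNECT request, so the block works without looking inside TLS.
hosts_to_squid_acl() {
    hosts_to_domains | sed 's/^/./'
}

# hosts_to_unbound: one local-zone line per host. "refuse" answers
# REFUSED for the name and everything below it; use "redirect" plus a
# local-data line instead if clients should get 127.0.0.1 as Clint showed.
hosts_to_unbound() {
    hosts_to_domains | sed 's/^\(.*\)$/local-zone: "\1." refuse/'
}

# Demonstration on the constructed sample. For real use, feed the
# downloaded list on stdin and write to the files the configs reference
# (paths assumed):
#   squid.conf:   acl blacklist dstdomain "/etc/squid/blacklist.acl"
#                 http_access deny blacklist
#   unbound.conf: include: "/var/unbound/etc/blocklist.conf"  (under server:)
printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_squid_acl
printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_unbound
```

dstdomain is used for the Squid side rather than url_regex because the list entries are hostnames: a regex such as "facebook" also matches any URL that carries the string in its path, and the dots in a hostname are regex wildcards unless escaped. The Unbound side produces refuse zones; the local-data redirect form from Clint's message is the alternative when a client should receive an address rather than a REFUSED answer.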



Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Loïc BLOT
Hello Stefan,
at home, I blocked facebook by creating an empty DNS zone facebook.com
on my local bind server. It works like a charm.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



On Saturday 19 October 2013 at 00:27 +0200, Stefan Wollny wrote:
 Hi there,

 having a personal dislike of Facebook (and the MeeToo-systems alike)
 for their impertinent sniffing for private data I tried on my laptop to
 block facebook.com via hosts-file. Interestingly this failed: Calling
 http://www.facebook.com always resulted in a lookup for
 httpS://www.facebook.com and the respective site showed up in the
 browser (tried firefox and xombrero).

 Well: Besides accepting the fact that those facebook engineers did a
 fine job circumventing the entries in /etc/hosts I felt immediately
 insecure: The reports on this company's attitude towards even
 non-customers' privacy are legendary. Their respective track record
 earns them the honorable title of NSA's fittest supporter...

 Anyway: I think I finally managed to block all their IPs via PF and on
 this laptop I now feel a little less 'observed'. [Yes, I know - this is
 just today's snapshot of IPs!]

 My question is on the squid-server I have running at home: What
 would make more sense - blocking facebook.com via pf.conf alike or are
 there reasons to use squid's ACL instead? Performance? Being
 ultra-paranoid and implementing both (or even additionally the
 hosts-file-block?)? From my understanding squid should not be able to
 block https-traffic as it is encrypted - or am I wrong here?

 Curious if there is a particular (Open)BSD solution or simply how you
 'guys and gals' would do it.

 Thank you for sharing your thoughts.

 Cheers,
 STEFAN




Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Sico Bruins
On Sat, Oct 19, 2013 at 12:27:38AM +0200, Stefan Wollny wrote:

 Hi there,
 
 having a personal dislike of Facebook (and the MeeToo-systems alike)
 for their impertinent sniffing for private data I tried on my laptop to
 block facebook.com via hosts-file.

snip

 My question is on the squid-server I have running at home: What
 would make more sense - blocking facebook.com via pf.conf alike or are
 there reasons to use squid's ACL instead? Performance? Being
 ultra-paranoid and implementing both (or even additionally the
 hosts-file-block?)? From my understanding squid should not be able to
 block https-traffic as it is encrypted - or am I wrong here?

That is a misunderstanding, squid couldn't care less about encryption.

 Curious if there is a particular (Open)BSD solution or simply how you
 'guys and gals' would do it.

I am in a similar situation (squid at home) and I simply have a blacklist
with lines like these:

doubleclick
facebook
scorecardresearch

Works like a charm for me, and no need to look up IP address blocks
or anything like that. And since I am the only user here there's no
collateral damage. ;-)

 Thank you for sharing your thoughts.
 
 Cheers,
 STEFAN

CU, Sico.

-- 



Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Eric Furman
Holy Jesus, nobody read this guys email.
He is not an administrator trying to block users
access to facebook, he just doesn't want facebook snooping
him when he visits other websites.
He has been given the right answer already.
Adsuck will solve all of his problems.
It will block facebook and any others he chooses.


On Sat, Oct 19, 2013, at 04:36 AM, Sico Bruins wrote:
 On Sat, Oct 19, 2013 at 12:27:38AM +0200, Stefan Wollny wrote:
 
  Hi there,
  
  having a personal dislike of Facebook (and the MeeToo-systems alike)
  for their impertinent sniffing for private data I tried on my laptop to
  block facebook.com via hosts-file.
 
 snip
 
  My question is on the squid-server I have running at home: What
  would make more sense - blocking facebook.com via pf.conf alike or are
  there reasons to use squid's ACL instead? Performance? Being
  ultra-paranoid and implementing both (or even additionally the
  hosts-file-block?)? From my understanding squid should not be able to
  block https-traffic as it is encrypted - or am I wrong here?
 
 That is a misunderstanding, squid couldn't care less about encryption.
 
  Curious if there is a particular (Open)BSD solution or simply how you
  'guys and gals' would do it.
 
 I am in a similar situation (squid at home) and I simply have a blacklist
 with lines like these:
 
 doubleclick
 facebook
 scorecardresearch
 
 Works like a charm for me, and no need to look up IP address blocks
 or anything like that. And since I am the only user here there's no
 collateral damage. ;-)
 
  Thank you for sharing your thoughts.
  
  Cheers,
  STEFAN
 
 CU, Sico.
 
 -- 



Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Sico Bruins
On Sat, Oct 19, 2013 at 05:42:04AM -0400, Eric Furman wrote:

 Holy Jesus, nobody read this guys email.
 He is not an administrator trying to block users
 access to facebook, he just doesn't want facebook snooping
 him when he visits other websites.
 He has been given the right answer already.
 Adsuck will solve all of his problems.
 It will block facebook and any others he chooses.

[stuff deleted for brevity]

As usual I read the whole thread before even considering replying.

Since I am in a similar situation (using squid as a Web proxy at
home) and no one seemed to have anything to contribute about doing
it with squid ACLs I thought I'd share my experiences with the same
'problem' as the OP has.

Nice thing about unix is that there's usually more than one way to
do things, and the OP indicated just that fact in the Subject line.

You should have called my reply off-topic, I might have agreed and
said sorry for it. ;-)

[rest deleted for brevity]

CU, Sico.

-- 



Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Craig R. Skinner
On 2013-10-19 Sat 01:56 AM |, Stefan Wollny wrote:
 
 No, no: The squid is running on a regular server at home securing the
 PCs and the laptop once I am around.

Maybe feed a modified version of this list to Squid (fb ad servers are
in there, adjust to block the whole thing):
http://pgl.yoyo.org/as/serverlist.php?hostformat=squid-dstdom-regex&showintro=0&startdate[day]=&startdate[month]=&startdate[year]=&mimetype=plaintext

A Squid idea which I've been meaning to try with the above
(needs mods: 'wget' should be 'ftp', should use /etc/rc.d/squid) 
I run squid chrooted, so further mods needed for that too.
https://calomel.org/squid_adservers.html

DNS ideas which I use to block some advertising & other junk:
http://www.deer-run.com/~hal/sysadmin/dns-advert.html
http://www.holland-consulting.net/tech/imblock.html
http://box.matto.nl/dnsadblok.html

For my laptop when away from home, I've found the Firefox plugin 'Block
site' works:
https://addons.mozilla.org/En-us/firefox/addon/blocksite/

And another FX addon:
http://adblockplus.org/



Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Mike.
On 10/18/2013 at 8:41 PM Chris Cappuccio wrote:

|i'd imagine that putting 'www.facebook.com' in your hosts file
will do it,
|unless the browser ignores /etc/hosts
|
|[snip]
 =


Don't forget to also block fbcdn.com, fbcdn.net and fb.com



Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Stefan Wollny
On Sat, 19 Oct 2013 00:27:38 +0200, Stefan Wollny stefan.wol...@web.de wrote:

 Hi there,
 
 having a personal dislike of Facebook (and the MeeToo-systems alike)
 for their impertinent sniffing for private data 
[ ... ]

Hi there again!

First I'd like to thank all who replied - I received way more valuable
input than I dared to hope for! A big THANK YOU!

As a matter of fact OpenBSD is at its core only an Operating System,
and based on the additionally provided ports and packages it is up to
the users -us- what to do with this gift. Thus there is a plenitude
of experiences and solutions. I hope that this thread might be useful
for others as well, as for the core of the problem -blocking
facebook.com- good advice was provided.

What I have learned is that I must have made s.th. wrong when
installing adsuck on the laptop, as so many others reported that this
should be sufficient. I will investigate what I might have done wrong.

But from my point of view adsuck seems not to be the way to go for a
server that only serves as squid-proxy. Or am I wrong here?

One suggested way to go might be to set up an additional DNS-Server 
(what I have considered to do anyway). This should provide ultimate
reliability if combined with chflags and securelevel=2. Correct?

May I return to my initial question: Taken the situation that there is
no other way to protect a network but by means of a single squid-server
- what would be the best way to do it on _this_ system (OpenBSD, of 
course!)? Use squid, use PF or what? (Yes - I could change every
hosts-file on every system attached to my network. But this is just a
'workaround', not an answer to the question.)

The squid-server separates the home-network from the wild having just
two clients: Incoming from the internet on one interface and the
internal router on the other interface. No bells and whistles, PF can
do it (I know now) and squid should be set up to do it as well (from
what I know). The machine has enough power to handle either solution.
(Actually as an intermediate solution I use a big Xeon-machine with
OpenBSD-amd64, so no dmesg at this point - replacement in two days).

For those interested: 'Incoming' is a WLAN-capable router (Fritz!box)
that might be opened for guests if they need it. All internal clients
are cabled.

As the question arose, why I dare to hinder others to contact Facebook
via my network (yes - I am legally liable and thus consider this to my
_my_ network!): Within our family and friends I have persuaded everyone
to distrust the so-called 'social networks' - since the revelations that
lately have come up no-one smiles at me any more for being 'paranoid'...
(hint: We live in Germany, there is a track record here of
what might happen to innocently collected data - an experience, lucky
nations have not equally had to make and thus lack solid distrust...!) 

This much for tonight - Sunday is exclusive for my son :-)

Again: Thank you all for taking your time to read on and to those who
replied!

Regards,
STEFAN



Kind regards,

STEFAN WOLLNY

Regulatory Reporting Consultancy
Tel.: +49 (0) 177 655 7875
Fax.: +49 (0) 3212 655 7875
Mail: ste...@wollny.de
GnuPG-Key ID: 0x9C26F1D0



Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Stefan Wollny
On Sat, 19 Oct 2013 11:34:57 +0200, Loïc BLOT loic.b...@unix-experience.fr wrote:

Hi Loïc,

thank you for sharing your experience. This solution has come up before
and I think this is what I want to do.

Follow-up question: You did this using bind?

Again thank you and
have a nice sunday!

STEFAN



Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Stefan Wollny
On Sat, 19 Oct 2013 10:36:31 +0200, Sico Bruins r...@msh.xs4all.nl wrote:

 On Sat, Oct 19, 2013 at 12:27:38AM +0200, Stefan Wollny wrote:
 
  Hi there,
  
Hi Sico!

  having a personal dislike of Facebook (and the MeeToo-systems alike)
  for their impertinent sniffing for private data I tried on my
  laptop to block facebook.com via hosts-file.
 
 snip
 
  My question is on the squid-server I have running at home: What
  would make more sense - blocking facebook.com via pf.conf alike or
  are there reasons to use squid's ACL instead? Performance? Being
  ultra-paranoid and implementing both (or even additionally the
  hosts-file-block?)? From my understanding squid should not be able
  to block https-traffic as it is encrypted - or am I wrong here?
 
 That is a misunderstanding, squid couldn't care less about encryption.

Thank you for pointing this out - obviously I was on a wrong track.

 
  Curious if there is a particular (Open)BSD solution or simply how
  you 'guys and gals' would do it.
 
 I am in a similar situation (squid at home) and I simply have a
 blacklist with lines like these:
 
 doubleclick
 facebook
 scorecardresearch
 
 Works like a charm for me, and no need to look up IP address blocks
 or anything like that. And since I am the only user here there's no
 collateral damage. ;-)

Well: I am personally liable for what leaves my network so this kind of
'collateral damage' is what I intentionally try to achieve :-) (see the
reply to myself a few minutes ago)

May I ask a follow-up question: Did you set up the blacklist within
squid.conf or did you reference to a separate file?

 
  Thank you for sharing your thoughts.
  
  Cheers,
  STEFAN
 
 CU, Sico.
 

A big THANK YOU and
have a nice sunday!

STEFAN




Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Stefan Wollny
On Sat, 19 Oct 2013 05:42:04 -0400, Eric Furman ericfur...@fastmail.net wrote:

 Holy Jesus, nobody read this guys email.
 He is not an administrator trying to block users
 access to facebook, he just doesn't want facebook snooping
 him when he visits other websites.
 He has been given the right answer already.
 Adsuck will solve all of his problems.
 It will block facebook and any others he chooses.
 

Hi Eric,

you have described my situation precisely: Within our family I am the
only one who has the basic understanding of the implications of the why
and how to block 'facebook.com'. It just didn't work on the laptop as
expected what most likely is due to a mistake I made. :-(

Taken that I figure out how to set up adsuck on my laptop this will
solve the issue of securing the laptop - but will this be the right way
to go on the squid-server? If this is another possibility to block
'facebook.com' I feel even more insecure what might be the best way
to do it, now that there are three possible ways to do it (isn't
OpenBSD just marvelous?)??? From what I have understood of how adsuck
operates this might not be the ideal solution here - correct?

Anyway: Thank you for taking your time to contribute and help with your
experience!

Have a nice Sunday!

Regards,
STEFAN




Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Stefan Wollny
On Sat, 19 Oct 2013 09:47:07 -0400, Mike. the.li...@mgm51.com wrote:

 On 10/18/2013 at 8:41 PM Chris Cappuccio wrote:
 
 |i'd imagine that putting 'www.facebook.com' in your hosts file
 will do it,
 |unless the browser ignores /etc/hosts
 |
 |[snip]
  =
 
 
 Don't forget to also block fbcdn.com, fbcdn.net and fb.com
 

Hi Mike,

I have already fbcdn.com and fbcdn.net: I will have to add fb.com!

Thank you for providing this advice!

Have a nice Sunday!

Regards,
STEFAN




Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Stefan Wollny
On Fri, 18 Oct 2013 17:24:52 -0700, Clint Pachl pa...@ecentryx.com wrote:

Hi Clint!

 mia wrote, On 10/18/13 16:33:
  If you're handling DHCP for all of the traffic for your site, why
  not just set up a dns server, point your dhcp clients to this DNS
  server and create an authoritative zone for facebook.com that
  points to somewhere other than facebook?
 
 Running your own DNS resolver is the best solution to deny the
 whole network facebook access. With Unbound this is simple:
 
 # This will block facebook.com and all subdomains.
 local-zone: facebook.com redirect
 local-data: facebook.com A 127.0.0.1
 

Being just a 'Joe Average'-user I haven't found the time to investigate
if unbound is a gain for me. But I take your advice as a request to
myself that I should get my priorities right... setting up a separate
DNS-server is a possible way to go anyway.

  The more savvy users could get around this altering their dns
  servers manually which you can stop blocking DNS traffic out of
  your network, this has the added bonus of cutting down bandwidth
  out of your network.
 Exactly!
 
Yep - I can only salute to your experiences and insight of 'real'
networks. But for me this is 'only' a family affair of mostly
grown-ups: If my kids feel I am too restrictive they come up with
reasonable suggestions (I know they are really special!). I don't want
them to avoid FB as they receive necessary infos of their universities:
I just want to prevent FB from getting in touch with my net and our private
data! BIG difference!
 
  If they get really sneaky and try to put host entries in for
  facebook, you can do as you've been doing, blocking IPs, and maybe
  create a script that does an hourly lookup of all facebook IPs and
  having it update your pf config and then reloading pf.
 If it gets to this point, I'd say they should lose their network 
 privileges. ;-) Next thing you know they will be using a proxy server
 to circumvent your IP block. There's always a way around.
 

You're right - if anyone of my family _really_ wants to connect to FB I
will not be able to prevent it. This is why I try to persuade them of
MY reservations towards any 'social network' and the news lately were
really supportive... :-)
Lucky me that they trust me to find a solution to THEIR requirements as
they have understood why I need to provide a certain level of
confidentiality towards my customers.

Anyway: A big THANK YOU to you too for sharing your experience!

Have a nice Sunday!

Regards,
STEFAN




Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Stefan Wollny
On Sat, 19 Oct 2013 13:03:56 +0100, skin...@britvault.co.uk (Craig R. Skinner) wrote:

 On 2013-10-19 Sat 01:56 AM |, Stefan Wollny wrote:
  
  No, no: The squid is running on a regular server at home securing
  the PCs and the laptop once I am around.
 
 Maybe feed a modified version of this list to Squid (fb ad servers are
 in there, adjust to block the whole thing):
 http://pgl.yoyo.org/as/serverlist.php?hostformat=squid-dstdom-regex&showintro=0&startdate[day]=&startdate[month]=&startdate[year]=&mimetype=plaintext
 
 A Squid idea which I've been meaning to try with the above
 (needs mods: 'wget' should be 'ftp', should use /etc/rc.d/squid) 
 I run squid chrooted, so further mods needed for that too.
 https://calomel.org/squid_adservers.html
 
 DNS ideas which I use to block some advertising & other junk:
 http://www.deer-run.com/~hal/sysadmin/dns-advert.html
 http://www.holland-consulting.net/tech/imblock.html
 http://box.matto.nl/dnsadblok.html
 
 For my laptop when away from home, I've found the Firefox plugin
 'Block site' works:
 https://addons.mozilla.org/En-us/firefox/addon/blocksite/
 
 And another FX addon:
 http://adblockplus.org/
 

Hi Craig,

beside 'calomel.org' being constantly a subject to objections on this
list (I am not educated on the respective matters to judge - PLEASE:
No remarks on this thread!) I'd like to thank you for sharing those
links.

I have adblockplus already set up in Firefox - but what to do when
using xombrero? But for my original question the other links you shared
are worth a read.

Thank you for taking your time to look up the links and share with the
list!

Have a nice Sunday!

Regards,
STEFAN




Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Stefan Wollny
On Fri, 18 Oct 2013 21:20:16 -0400, Mike. the.li...@mgm51.com wrote:

 On 10/19/2013 at 12:27 AM Stefan Wollny wrote:
 
 |Hi there,
 |[snip]
 |
 |My question is on the squid-server I have running at home: What
 |would make more sense - blocking facebook.com via pf.conf alike
 or are
 |there reasons to use squid's ACL instead? Performance? Being
 |ultra-paranoid and implementing both (or even additionally the
 |hosts-file-block?)? From my understanding squid should not be
 able to
 |block https-traffic as it is encrypted - or am I wrong here?
 |
 |Curious if there is a particular (Open)BSD solution or simply
 how you
 |'guys and gals' would do it.
  =
 
 
 I put privoxy between the browser and squid on my home network.
 The privoxy mailing list has discussion about blocking facebook.
 
 Additionally, if you're running firefox, look to see if the
 ghostery plug-in would work for you.
 

Hi Mike,

good to remind me of privoxy: I had it running in the past but that
particular machine went 'out of service' and was never replaced as I
thought squid to be sufficient for my need. If I remember right it was
due to my perception that privoxy is kind of a resource-hog...

Interestingly I have ghostery added to firefox. Still with firefox
'facebook.com' was handed over to the https-connection disregarding
what I have set up in /var/adsuck/hosts.small:
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com

But as I have pointed out already this might be because I did s.th.
wrong when setting up adsuck.

Thank you for pointing to those two ways to go!

Have a nice Sunday!

Regards,
STEFAN




Blocking facebook.com: PF or squid?

2013-10-18 Thread Stefan Wollny
Hi there,

having a personal dislike of Facebook (and the MeeToo-systems alike)
for their impertinent sniffing for private data I tried on my laptop to
block facebook.com via hosts-file. Interestingly this failed: Calling
http://www.facebook.com always resulted in a lookup for
httpS://www.facebook.com and the respective site showed up in the
browser (tried firefox and xombrero).

Well: Besides accepting the fact that those facebook engineers did a
fine job circumventing the entries in /etc/hosts I felt immediately
insecure: The reports on this company's attitude towards even
non-customers' privacy are legendary. Their respective track record
earns them the honorable title of NSA's fittest supporter...

Anyway: I think I finally managed to block all their IPs via PF and on
this laptop I now feel a little less 'observed'. [Yes, I know - this is
just today's snapshot of IPs!]

My question is on the squid-server I have running at home: What
would make more sense - blocking facebook.com via pf.conf alike or are
there reasons to use squid's ACL instead? Performance? Being
ultra-paranoid and implementing both (or even additionally the
hosts-file-block?)? From my understanding squid should not be able to
block https-traffic as it is encrypted - or am I wrong here?

Curious if there is a particular (Open)BSD solution or simply how you
'guys and gals' would do it.

Thank you for sharing your thoughts.

Cheers,
STEFAN



Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Andres Genovez
Regards,

The way to block it properly (though not completely for a wise kid) is via CIDR
and blocking DNS via OpenDNS services.


Greetings.


2013/10/18 Stefan Wollny stefan.wol...@web.de

 Hi there,

 having a personal dislike of Facebook (and the MeeToo-systems alike)
 for their impertinent sniffing for private data I tried on my laptop to
 block facebook.com via hosts-file. Interestingly this failed: Calling
 http://www.facebook.com always resulted in a lookup for
 httpS://www.facebook.com and the respective site showed up in the
 browser (tried firefox and xombrero).

 Well: Besides accepting the fact that those facebook engineers did a
 fine job circumventing the entries in /etc/hosts I felt immediately
 insecure: The reports on this company's attitude towards even
 non-customers' privacy are legendary. Their respective track record
 earns them the honorable title of NSA's fittest supporter...

 Anyway: I think I finally managed to block all their IPs via PF and on
 this laptop I now feel a little less 'observed'. [Yes, I know - this is
 just today's snapshot of IPs!]

 My question is on the squid-server I have running at home: What
 would make more sense - blocking facebook.com via pf.conf alike or are
 there reasons to use squid's ACL instead? Performance? Being
 ultra-paranoid and implementing both (or even additionally the
 hosts-file-block?)? From my understanding squid should not be able to
 block https-traffic as it is encrypted - or am I wrong here?

 Curious if there is a particular (Open)BSD solution or simply how you
 'guys and gals' would do it.

 Thank you for sharing your thoughts.

 Cheers,
 STEFAN




--
Sincerely

Andrés Genovez Tobar / DTIT
Professional profile http://lnkd.in/gcdhJE



Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Eric Johnson
On Sat, 19 Oct 2013, Stefan Wollny wrote:

 Hi there,
 
 having a personal dislike of Facebook (and the MeeToo-systems alike)
 for their impertinent sniffing for private data I tried on my laptop to
 block facebook.com via hosts-file. Interestingly this failed: Calling
 http://www.facebook.com always resulted in a lookup for
 httpS://www.facebook.com and the respective site showed up in the
 browser (tried firefox and xombrero).

 ...
 
 Curious if there is a particular (Open)BSD solution or simply how you
 'guys and gals' would do it.
 
 Thank you for sharing your thoughts.

One possibility off the top of my head would be to log all DNS requests to 
syslog and then use syslogc to get a live running stream of DNS requests 
from a syslog memory buffer.  Then whenever you see a DNS request for 
anything to do with facebook, add the IP address of the requestor to a pf 
table and block their web browsing.  After about three to five minutes, 
remove the IP address from the table.

If every time they try to access facebook, their web browser quits working 
for a few minutes they might get the message.

Eric

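The log-driven blocking Eric sketches, as an added example that is not from the thread: it assumes Unbound's log-queries lines reach syslog in the form "client qname qtype qclass", a pf table <fbclients> that a block rule already references, a syslog memory buffer named dns, and a script name fbblock.sh; the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: flag clients that look up facebook
# names in the DNS log and park them in a pf table for a few minutes.
# Assumed pf.conf side:
#   table <fbclients> persist
#   block return log quick proto tcp from <fbclients> to any port { 80 443 }

# Constructed sample syslog lines in the shape of Unbound's log-queries
# output ("<client> <qname> <qtype> <qclass>"); the format is an assumption.
SAMPLE_DNS_LOG='Oct 19 00:27:01 gw unbound: [4242:0] info: 192.168.1.23 www.facebook.com. A IN
Oct 19 00:27:02 gw unbound: [4242:0] info: 192.168.1.40 www.openbsd.org. A IN
Oct 19 00:27:03 gw unbound: [4242:0] info: 192.168.1.23 fbcdn.net. AAAA IN
Oct 19 00:27:04 gw unbound: [4242:0] info: 192.168.1.51 notfacebook.example. A IN
Oct 19 00:27:05 gw unbound: [4242:0] info: 192.168.1.77 static.xx.fbcdn.net. A IN'

# Domains whose lookup flags the requesting client. Subdomains match too,
# but only on a label boundary, so notfacebook.example is left alone.
WATCH_DOMAINS='facebook.com fbcdn.net'

# offending_clients: read log lines on stdin, print each client IPv4 address
# that asked for a watched domain, one per line, deduplicated.
offending_clients() {
    awk -v doms="$WATCH_DOMAINS" '
        BEGIN { n = split(doms, d, " ") }
        {
            ip = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                if (ip == "" && $i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = $i
                q = $i; sub(/\.$/, "", q)          # drop the trailing root dot
                for (j = 1; j <= n; j++) {
                    if (q == d[j]) hit = 1
                    else if (substr(q, length(q) - length(d[j])) == "." d[j]) hit = 1
                }
            }
            if (ip != "" && hit) print ip
        }' | sort -u
}

# block_for_a_while: add the offenders to the pf table, then drop entries
# that have sat in it longer than 300 s (the "three to five minutes" above).
# Meant to run from cron every minute. Without root and pfctl, or with
# DRY_RUN set, the pfctl commands are only echoed.
block_for_a_while() {
    table=${1:-fbclients}
    run=""
    if [ -n "${DRY_RUN:-}" ] || ! command -v pfctl >/dev/null 2>&1 \
        || [ "$(id -u)" -ne 0 ]; then
        run="echo"
    fi
    offending_clients | while read -r ip; do
        $run pfctl -q -t "$table" -T add "$ip"
    done
    $run pfctl -q -t "$table" -T expire 300
}

# Usage on the gateway (memory buffer "dns" is an assumption):
#   syslogc dns | ./fbblock.sh --apply
case "${1:-}" in
    --apply) block_for_a_while fbclients ;;
esac
```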


Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Marios Makassikis
On 19 October 2013 00:27, Stefan Wollny stefan.wol...@web.de wrote:

 [ ... ]

 Anyway: I think I finally managed to block all their IPs via PF and on
 this laptop I now feel a little less 'observed'. [Yes, I know - this is
 just today's snapshot of IPs!]


Did you block individual IPs or complete subnets? Performing DNS resolution
on facebook.com and fbcdn.net yields the 173.252.64.0/18 subnet.
Blocking it is one additional PF rule or just updating a table of
already blocked subnets / IPs.

 My question is on the squid-server I have running at home: What
 would make more sense - blocking facebook.com via pf.conf alike or are
 there reasons to use squid's ACL instead? Performance? Being
 ultra-paranoid and implementing both (or even additionally the
 hosts-file-block?)? From my understanding squid should not be able to
 block https-traffic as it is encrypted - or am I wrong here?

 Curious if there is a particular (Open)BSD solution or simply how you
 'guys and gals' would do it.


Having squid running on your laptop just to block facebook is way overkill IMHO.

Rather than populating (polluting?) your hosts file, I think using
adsuck[1] would be simpler and get you similar results, especially if
you don't want to use an external service such as OpenDNS.

It is available as an OpenBSD package, and it's easily configured to
block more than just facebook.

Marios


[1] https://opensource.conformal.com/wiki/adsuck




 Thank you for sharing your thoughts.

 Cheers,
 STEFAN



Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Stefan Wollny
Hi Andres,

yes - I have read about OpenDNS' services and that many out there are
really happy with them.

But I try to do my homework first before relying on s.o.
else: I _do_ have this OpenBSD-based squid-server - why not use it to
its full potential? Might not be a big deal traffic-wise, but it
adds up...

Anyway - thank you for sharing.

Regards,
STEFAN


On Fri, 18 Oct 2013 17:42:31 -0500,
Andres Genovez andresgeno...@gmail.com wrote:

 Regards,
 
 The way it gets blocked (but not all for a wise kid) properly is via
 CIDR and block DNS via OpenDNS services
 
 
 Greetings.
 
 
 2013/10/18 Stefan Wollny stefan.wol...@web.de
 
  [ ... ]
 
 
 
 
 --
 Sincerely
 
 Andrés Genovez Tobar / DTIT
 Professional profile http://lnkd.in/gcdhJE
 


Kind regards,

STEFAN WOLLNY

Regulatory Reporting Consultancy
Tel.: +49 (0) 177 655 7875
Fax.: +49 (0) 3212 655 7875
Mail: ste...@wollny.de
GnuPG-Key ID: 0x9C26F1D0



Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Brian McCafferty
On 10/18/13 18:27, Stefan Wollny wrote:
 [ ... ]

If you use dhclient on your laptop, I think you need to make sure to
specify 'lookup file bind' (the search order) to have the hosts file
checked before the DNS server, i.e. in resolv.conf.tail.
'bind file' is the default.
So then you can add '127.0.0.1 facebook.com' to the hosts file.



Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Stefan Wollny
On Fri, 18 Oct 2013 19:21:44 -0400,
Brian McCafferty br...@mccafferty.ca wrote:

[ ... ]
 If you use dhclient on your laptop, I think you need to make sure to
 specify 'lookup file bind' (the search order) to have the hosts file
 checked before the DNS server, i.e. in resolv.conf.tail.
 'bind file' is the default.
 So then you can add '127.0.0.1 facebook.com' to the hosts file.
 

Hi Brian,

good point - I had resolv.conf.tail disabled when setting up adsuck on
the laptop. Will test this tomorrow.

Still the question is: As the squid-server at home is dedicated to be
just a proxy I am not sure if adsuck is the right tool on this
machine. Prior to trying my luck with adsuck on the laptop I had only
the entries for facebook in the hosts-file - with no effect. This is
why I am about to either use pf.conf on the server as well or a
squid-ACL.

Thank you for joining the discussion.

Regards,
STEFAN

Kind regards,

STEFAN WOLLNY

Regulatory Reporting Consultancy
Tel.: +49 (0) 177 655 7875
Fax.: +49 (0) 3212 655 7875
Mail: ste...@wollny.de
GnuPG-Key ID: 0x9C26F1D0



Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Stefan Wollny
On Fri, 18 Oct 2013 19:33:11 -0400,
mia kmiy...@comcast.net wrote:
[ ... ]
 
 If you're handling DHCP for all of the traffic for your site, why not 
 just set up a dns server, point your dhcp clients to this DNS server
 and create an authoritative zone for facebook.com that points to
 somewhere other than facebook?
 
 That's traditionally how I block traffic from our network from our
 users trying to go to places other than where I wish them to.
 
 The more savvy users could get around this by altering their dns servers
 manually, which you can stop by blocking DNS traffic out of your
 network; this has the added bonus of cutting down bandwidth out of your
 network.
 
 If they get really sneaky and try to put host entries in for
 facebook, you can do as you've been doing, blocking IPs, and maybe
 create a script that does an hourly lookup of all facebook IPs and
 having it update your pf config and then reloading pf.
 
 Aaron

Hi Aaron,

this might be an other way to go. I haven't thought about this yet. The
squid-server has enough power to handle this as well (or I reactivate
an old laptop).

There are at present only two other users left who are not experienced
enough to fiddle with the DNS (at least not yet ;-) ). And other family
members who show up occasionally get FB-access via WLAN on their
smartphones - my prime issue are stealth-connects to FB I try to
prevent. If a guest just can't live without FB I'd rather pull another
cable to the router and have effectively a 'demilitarized zone' for
them than expose the rest of the family to the wild.

Anyway: Thank you for sharing your ideas!

Regards,
STEFAN



Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Stefan Wollny
On Sat, 19 Oct 2013 01:02:58 +0200,
Marios Makassikis mmakassi...@gmail.com wrote:

Hi Marios!

[ ... ]
 
  Anyway: I think I finally managed to block all their IPs via PF and
  on this laptop I now feel a little less 'observed'. [Yes, I know -
  this is just today's snapshot of IPs!]
   
 
 Did you block individual IPs or complete subnets?
I used whois -h whois.radb.net '!gAS32934' to collect the subnets
first and put those into /etc/facebook. My pf.conf has this:
~~ QUOTE ~
table <facebook> persist file "/etc/facebook"
block log quick on $ExtIF from <facebook> to any
block log quick on $ExtIF from any to <facebook>
 QUOTE END ~~~

logging is just for some time to investigate if this makes sense at
all...

 Performing DNS
 resolution on facebook.com and fbcdn.net yields the 173.252.64.0/18
 subnet. Blocking it is one additional PF rule or just updating a
 table of already blocked subnets / IPs.
   
  My question is on the squid-server I have running at home: What
  would make more sense - blocking facebook.com via pf.conf alike or
  are there reasons to use squid's ACL instead? Performance? Being
  ultra-paranoid and implementing both (or even additionally the
  hosts-file-block?)? From my understanding squid should not be able
  to block https-traffic as it is encrypted - or am I wrong here?
 
  Curious if there is a particular (Open)BSD solution or simply how
  you 'guys and gals' would do it.  
 
 
 Having squid running on your laptop just to block facebook is way
 overkill IMHO.  

No, no: The squid is running on a regular server at home securing the
PCs and the laptop once I am around.
 
 Rather than populating (polluting?) your hosts file, I think using
 adsuck[1] would be
 simpler get you similar results, especially if you don't want to use
 an external service
 such as OpenDNS.  
Actually I started with adsuck when I noticed that facebook manages to
circumvent entries in /etc/hosts. I might have done s.th. wrong but on
my laptop any lookup for facebook.com got redirected to 'https' and
those lines in /var/adsuck/hosts.small had no effect:
# [Facebook]
127.0.0.1  fbstatic-a.akamaihd.net
127.0.0.1  fbcdn-dragon-a.akamaihd.net
127.0.0.1  facebook.com
127.0.0.1  www.facebook.com
127.0.0.1  facebook.de
127.0.0.1  de-de.facebook.com

 
 It is available as an OpenBSD package, and it's easily configured to
 block more than
 just facebook.  
This is what I had expected.

 
 Marios
 
 
 [1] https://opensource.conformal.com/wiki/adsuck
   
Thanks a lot for your time to reply!

Regards,
STEFAN



Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread mia

On 10/18/13 18:27, Stefan Wollny wrote:

[ ... ]

If you're handling DHCP for all of the traffic for your site, why not 
just set up a dns server, point your dhcp clients to this DNS server and 
create an authoritative zone for facebook.com that points to somewhere 
other than facebook?


That's traditionally how I block traffic from our network from our users 
trying to go to places other than where I wish them to.


The more savvy users could get around this by altering their dns servers 
manually, which you can stop by blocking DNS traffic out of your network; 
this has the added bonus of cutting down bandwidth out of your network.


If they get really sneaky and try to put host entries in for facebook, 
you can do as you've been doing, blocking IPs, and maybe create a script 
that does an hourly lookup of all facebook IPs and having it update your 
pf config and then reloading pf.


Aaron

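Stefan's whois -h whois.radb.net '!gAS32934' query earlier in the thread and Aaron's hourly IP refresh, combined into one added script that is not from the thread: it assumes the table name facebook and the file /etc/facebook from Stefan's pf.conf, the RADB '!g' reply layout (an "A<byte count>" line, one line of space-separated prefixes, then "C", or "D" when nothing is found), a script name fbtable.sh, and a constructed sample reply.

```shell
#!/bin/sh
# Added example, not from the thread: turn the RADB route-object query into
# the file that  table <facebook> persist file "/etc/facebook"  loads, and
# refresh the live table. Hourly from root's crontab (script name assumed):
#   0 * * * * /etc/fbtable.sh --apply

# Constructed sample of a '!g' reply (not captured from whois.radb.net):
# "A<byte count>", one line of prefixes (a duplicate included on purpose), "C".
SAMPLE_RADB_REPLY='A75
173.252.64.0/18 31.13.24.0/21 66.220.144.0/20 69.63.176.0/20 31.13.24.0/21
C'

# radb_to_prefixes: read a '!g' reply on stdin and print one IPv4 prefix per
# line, deduplicated. Status lines (A..., C, D, E, F) and any token that is
# not dotted-quad/len are dropped, so a garbled reply cannot smuggle stray
# text into the table file pf reads.
radb_to_prefixes() {
    awk '
        /^[ACDEF]/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) print $i
        }' | sort -u
}

# refresh_table: write the prefixes read on stdin to the table file and, when
# running as root with pfctl present, replace the table contents in one step.
# An empty result (whois unreachable, AS renumbered) is rejected so a failed
# lookup never silently empties the block list. DRY_RUN=1 skips pfctl.
refresh_table() {
    file=${1:-/etc/facebook}
    tmp=$(mktemp) || return 1
    radb_to_prefixes > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "refresh_table: empty prefix list, keeping $file" >&2
        return 1
    fi
    mv "$tmp" "$file"
    if [ -z "${DRY_RUN:-}" ] && command -v pfctl >/dev/null 2>&1 \
        && [ "$(id -u)" -eq 0 ]; then
        pfctl -t facebook -T replace -f "$file"
    fi
}

case "${1:-}" in
    --apply) whois -h whois.radb.net '!gAS32934' | refresh_table "${2:-/etc/facebook}" ;;
esac
```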


Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Stefan Wollny
On Fri, 18 Oct 2013 18:02:55 -0500 (CDT),
Eric Johnson eri...@mathlab.gruver.net wrote:

 On Sat, 19 Oct 2013, Stefan Wollny wrote:
 
  Hi there,
  
  having a personal dislike of Facebook (and the MeeToo-systems alike)
  for their impertinent sniffing for private data I tried on my
  laptop to block facebook.com via hosts-file. Interestingly this
  failed: Calling http://www.facebook.com always resulted in a
  lookup for httpS://www.facebook.com and the respective site
  showed up in the browser (tried firefox and xombrero).
 
  ...
  
  Curious if there is a particular (Open)BSD solution or simply how
  you 'guys and gals' would do it.
  
  Thank you for sharing your thoughts.
 
 One possibility off the top of my head would be to log all DNS
 requests to syslog and then use syslogc to get a live running stream
 of DNS requests from a syslog memory buffer.  Then whenever you see a
 DNS request for anything to do with facebook, add the ip address of
 the requestor to a pf table and block their web browsing.  After
 about three to five minutes, remove the ip address from the table.
 
 If every time they try to access facebook, their web browser quits
 working for a few minutes they might get the message.
 
 Eric
 

Hi Eric,

sounds pretty nifty to me - this is s.th. I might use at another
site next year. But for my home-network probably a little oversized
(though a good learning exercise :-) ).

Anyway: Thank you for sharing!

Regards,
STEFAN


Kind regards,

STEFAN WOLLNY

Regulatory Reporting Consultancy
Tel.: +49 (0) 177 655 7875
Fax.: +49 (0) 3212 655 7875
Mail: ste...@wollny.de
GnuPG-Key ID: 0x9C26F1D0



Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Clint Pachl

mia wrote, On 10/18/13 16:33:
 If you're handling DHCP for all of the traffic for your site, why not 
 just set up a dns server, point your dhcp clients to this DNS server 
 and create an authoritative zone for facebook.com that points to 
 somewhere other than facebook?


Running your own DNS resolver is the best solution to deny the whole 
network facebook access. With Unbound this is simple:


# This will block facebook.com and all subdomains.
local-zone: "facebook.com" redirect
local-data: "facebook.com A 127.0.0.1"

 The more savvy users could get around this by altering their dns servers 
 manually, which you can stop by blocking DNS traffic out of your network; 
 this has the added bonus of cutting down bandwidth out of your network.

Exactly!

 If they get really sneaky and try to put host entries in for facebook, 
 you can do as you've been doing, blocking IPs, and maybe create a 
 script that does an hourly lookup of all facebook IPs and having it 
 update your pf config and then reloading pf.
If it gets to this point, I'd say they should lose their network 
privileges. ;-) Next thing you know they will be using a proxy server to 
circumvent your IP block. There's always a way around.




Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Mike.
On 10/19/2013 at 12:27 AM Stefan Wollny wrote:

|Hi there,
|[snip]
|
|My question is on the squid-server I have running at home: What
|would make more sense - blocking facebook.com via pf.conf alike or are
|there reasons to use squid's ACL instead? Performance? Being
|ultra-paranoid and implementing both (or even additionally the
|hosts-file-block?)? From my understanding squid should not be able to
|block https-traffic as it is encrypted - or am I wrong here?
|
|Curious if there is a particular (Open)BSD solution or simply how you
|'guys and gals' would do it.


I put privoxy between the browser and squid on my home network.
The privoxy mailing list has discussion about blocking facebook.

Additionally, if you're running firefox, look to see if the
ghostery plug-in would work for you.



Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Chris Cappuccio
i'd imagine that putting 'www.facebook.com' in your hosts file will do it,
unless the browser ignores /etc/hosts

you could always use the url filtering mechanism of relayd combined
with pf redirects, but if people really want to bypass it, they'll
do proxies (via ssh even) or remote desktop or vpn or...

why does your personal dislike of Facebook have to affect other network
users?

Stefan Wollny [stefan.wol...@web.de] wrote:
 [ ... ]

-- 
It was the Nicolatians who first coined the separation between lay and clergy.