Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: compsos on November 02, 2010, 07:44:14 AM
-
Hi
We are trying the attached code to block all of the facebook.com pages. They have 9210 IP addresses in their 3 block ranges
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40FaceBook
iptables -A OUTPUT -d 66.220.149.0/20 -j DROP
iptables -A OUTPUT -d 69.63.176.0/20 -j DROP
iptables -A OUTPUT -d 204.15.20.0/22 -j DROP
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
svc -t /service/masq
IP ranges are (from what we have found)
66.220.144.0 to 66.220.159.255
204.15.20.0 to 204.15.23.255
69.63.176.0 to 69.63.191.255
Any feedback welcome.
-
compsos
Dansguardian will block facebook.com & a whole lot more
-
Thanks Mary
Yes I have used Dansguardian before but in this case seemed like cracking a nut with a very large hammer. The request was for "block Facebook".
-
svc -t /service/masq
That command should be
sv t /service/masq/
-
That command should be
sv t /service/masq/
No it shouldn't. There is no supervised masq service.
/etc/rc.d/init.d/masq restart
or
service masq restart
-
Any feedback welcome.
What are the reasons for the intended block?
Are you only concerned with originating traffic, i.e. outgoing?
Might not your users try another proxy or TOR?
-
The reason for the block was a request from the business owner to reduce wasted time on the internet on non-business activity. They have not been the 1st or I suspect the last to request restrictions. Dansguardian is good but there seems to be a lot of tweaking required to open or lock sites whenever the client finds them either blocked or open. The web is a big place.
Thank you Charlie for the command correction.
Piran
Just looking at the TOR project, it looks like it is detectable at either end. In which case it may be stoppable at the server?
If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit.
-
That TOR 'analysis' sounds quite messy.
>>wasted time
Consider blocking inwards as opposed to outwards.
Might be easier to trap something in the router.
I'm not a FBer (ever) so no experience but does
any/all of their traffic show a user-agent signature?
If so, and reliably so, then a httpd.conf clause with
a custom error statement (business owner's words)
might do the trick overall.
-
Have the person explain to the people that Facebook has been known to have bad virus like stuff on it that could cause the business much loss and that is a risk the business is unwilling to take.
Then monitor the proxy log by another program.
Put passwords on as many logins as you can such as Windows, screensavers, browsers, Firefox's Public Fox, etc.
Many users are hooked on Facebook. If that does not work then tell them their pay is going to be reduced. People understand money more than anything else.
-
compsos
Dansguardian is good but there seems to be a lot of tweaking required to open or lock sites whenever the client finds them either blocked or open. The web is a big place.
I find it quite easy & quick to use. Most tweaks involve editing one file & restarting dansguardian, which takes 2-3 minutes. More often it is a case of set up all the restricted sites and file types and forget about it. Initially there may be some fine tuning to suit the site's needs, but again once the fine tuning has been done it is set and forget.
If you only want to block access to one site, i.e. facebook.com, that is very easily done with one entry and will block all facebook servers on different IPs.
-
Does it work? I cannot test it. Just from old memories:
iptables -I OUTPUT -d 66.220.149.0/20 -j DROP
iptables -I OUTPUT -d 69.63.176.0/20 -j DROP
iptables -I OUTPUT -d 204.15.20.0/22 -j DROP
iptables -I FORWARD -d 66.220.149.0/20 -j DROP
iptables -I FORWARD -d 69.63.176.0/20 -j DROP
iptables -I FORWARD -d 204.15.20.0/22 -j DROP
-
Hi Arne
So far no reports of any breaches. At the moment we only have the output chain defined.
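An added example, not from any post in this thread: a small POSIX sh helper that normalizes each destination to its network address (iptables silently clears the host bits, so 66.220.149.0/20 is really 66.220.144.0/20), checks that a first-to-last range such as 66.220.144.0 to 66.220.159.255 is exactly one aligned CIDR block, and emits the same DROP rule for both chains. OUTPUT only matches packets generated by the server itself (for example by a proxy running on it), while FORWARD matches packets routed on behalf of LAN clients, which is why a block that is meant to cover everything needs both.

```shell
#!/bin/sh
# ip2int DOTTED-QUAD -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INTEGER -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_network A.B.C.D/LEN -> the same prefix with host bits cleared,
# i.e. what iptables actually installs for that -d argument
cidr_network() {
    ip=${1%/*}; len=${1#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    echo "$(int2ip $(( $(ip2int "$ip") & mask )))/$len"
}

# range_to_cidr FIRST LAST -> the single CIDR covering exactly that range;
# fails (return 1) if the range is not a power-of-two size or not aligned
range_to_cidr() {
    first=$(ip2int "$1"); last=$(ip2int "$2")
    size=$(( last - first + 1 )); len=32
    while [ $size -gt 1 ]; do size=$(( size / 2 )); len=$(( len - 1 )); done
    [ $(( last - first + 1 )) -eq $(( 1 << (32 - len) )) ] || return 1
    [ $(( first & ((1 << (32 - len)) - 1) )) -eq 0 ] || return 1
    echo "$(int2ip $first)/$len"
}

# block_rules CIDR... -> one iptables command per chain per destination
block_rules() {
    for net in "$@"; do
        net=$(cidr_network "$net")
        for chain in OUTPUT FORWARD; do
            echo "iptables -I $chain -d $net -j DROP"
        done
    done
}

# Usage with the three destinations from the thread (prints six rules):
# block_rules 66.220.149.0/20 69.63.176.0/20 204.15.20.0/22
```

Feed the output into the masq template fragment rather than running it by hand, so the rules survive a template expansion.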