blocking spotify with pf

David Andrzejewski david at davidandrzejewski.com
Fri Aug 19 12:38:47 UTC 2011


Agreed, you probably want to look into blocking all by default, opening up
what you want to allow (even if it is just about everything else), forcing
all web traffic through a transparent proxy.  Consider squid with squidguard
and a good set of blacklists.  The blacklists are usually categorized, and
with squidguard, you can choose which categories to block and which to
allow.  As an example, a pf rule that would force port 80 traffic through
transparent squid running on port 3128 is:

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128


- Dave


On Fri, Aug 19, 2011 at 6:33 AM, Greg Hennessy <Greg.Hennessy at nviz.net> wrote:

> > Recently it has come to our attention that bandwidth has become an issue
> > with increased spotify usage throughout the company. I'm looking for a way
> > to block access to it in pf. The rule that I am trying is the following:
> >
> > table <spotify> { 78.31.8.0/22, 193.182.8.0/21 }
> > block return in quick on $int_if proto tcp from 192.168.1.0/24 to <spotify> port 4070
> >
> > For whatever reason it is showing that the rule is working but not really
> > working. Am I missing something?
> >
>
> Yes, stop trying to plug a leak in a colander by using a match stick.
>
> Block by default by starting the policy with
>
>        block log all
>
> And only allow routed egress to the specific sites and services which are
> directly related to a valid business requirement.
> Run all browser traffic through a proxy server to categorise and inspect
> the content, permitting internet access from the proxy to 80 and 443/tcp
> only.
>
>
> For a business that describes itself as 'advanced e-commerce' you guys
> should know this already, this is not rocket science.
>
> With an open door flapping in the breeze as suggested above, if I was to
> speculate, I would suggest that Spotify is the least problem you should
> worry about right now.
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
>


-- 

David Andrzejewski
http://davidandrzejewski.me
http://www.davidandrzejewski.com
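Putting both replies together, here is an added example of a minimal default-deny pf.conf for FreeBSD that does what Dave and Greg describe: block everything by default, redirect LAN port 80 to a transparent squid on the firewall, and let only the proxy (and explicitly listed direct-egress destinations) out. It is not from either message in the thread. The interface names em0/em1, the squid user name, the caching resolver on the firewall, and the <direct_egress> table with its RFC 5737 documentation address are assumptions; the LAN prefix 192.168.1.0/24 and squid port 3128 come from the thread.

```pf
# Added example, not from the thread. Assumed environment: FreeBSD pf (2011-era
# rdr/nat syntax), em0 facing the internet, em1 facing the LAN, squid listening
# on 127.0.0.1:3128 in intercept mode as user "squid", and a caching DNS
# resolver running on this host.
ext_if     = "em0"               # assumed WAN interface
int_if     = "em1"               # assumed LAN interface
lan        = "192.168.1.0/24"    # LAN prefix from the original question
proxy_port = "3128"              # squid port from Dave's rdr rule

# Destinations with a documented business need for direct, non-proxied egress.
# 203.0.113.10 is an RFC 5737 documentation address used as a placeholder.
table <direct_egress> { 203.0.113.10 }

set skip on lo0
scrub in all

# NAT only what the filter rules below explicitly pass.
nat on $ext_if inet from $lan to any -> ($ext_if)

# Dave's rule: force LAN web traffic through the transparent squid on this host.
# Squid's own outbound connections leave via $ext_if and are not redirected.
rdr on $int_if inet proto tcp from $lan to any port www -> 127.0.0.1 port $proxy_port

# Greg's starting point: deny everything and log it, so anything not matched
# by a pass rule below is visible on pflog0 (tcpdump -n -e -ttt -i pflog0).
block log all

# Drop packets on the LAN side that claim a source address they cannot have.
antispoof quick for $int_if inet

# LAN clients may only resolve names via this host and reach the proxy.
# The filter sees the post-rdr destination, hence 127.0.0.1:$proxy_port here.
pass in quick on $int_if inet proto { tcp udp } from $lan to ($int_if) port domain
pass in quick on $int_if inet proto tcp from $lan to 127.0.0.1 port $proxy_port

# Sanctioned direct egress from the LAN: one placeholder destination and service.
pass in  quick on $int_if inet proto tcp from $lan to <direct_egress> port ssh
pass out quick on $ext_if inet proto tcp from ($ext_if) to <direct_egress> port ssh

# The firewall itself: the resolver may talk DNS out, and only the squid
# process may open 80/443 to the internet (the "user" match applies to
# connections originated on this host).
pass out quick on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port { www https } user squid
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Squid must be configured to accept intercepted connections on port 3128 (the directive name differs between squid versions), otherwise redirected clients will see connection errors rather than web pages. Because the policy ends with nothing but `quick` pass rules after `block log all`, a destination-list rule like the one in the original question is no longer needed: anything not routed through the proxy or listed in <direct_egress> is already denied and logged.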

