blocking facebook
Kevin Wilcox
kevin.wilcox at gmail.com
Mon May 2 15:40:13 UTC 2011
On Mon, May 2, 2011 at 10:41, Zhu Sha Zang <zhushazang at yahoo.com.br> wrote:
> I'm trying to block facebook access only using PF in FreeBSD 8.2.
>
> But putting the name or the ip returned with the command host
> www.facebook.com i can't deny any user to connect facebook.
>
> Some trick to do that?
>
> Thanks for now.
Short version: you can't block via domain in pf.
Long version: when pf starts, it reads its config file. If you have a
domain name listed, and you can't reach your DNS server because DHCP
or other networking scripts aren't loaded, it can't resolve the
domain. If it CAN resolve the domain, it will use the IP address it
received from a DNS lookup. For domains backed by a single IP, no
problem. For domains that span multiple IPs, and multiple networks,
that's a pretty big problem.
Additionally, pf does NOT do deep packet inspection. It's extremely
taxing and it's not what pf was designed to do.
If you want to block facebook I would suggest a multi-faceted approach
(though it's not foolproof, it just keeps MOST people from going
there).
1) Control DNS. You can have lookups for *.facebook.com (and
associated CDN addresses) go to whatever.
2) Control the browser - if you can blacklist *.facebook.com (and
associated CDN addresses) you can limit a lot of it.
3) Force your users through squid or another web proxy. This is
probably the best method as you can think block anything going to a
facebook.com address, or with certain strings in the URL, by
redirecting them to a page saying, "I'm sorry, that is not allowed on
this network." This scales remarkably well on commodity hardware up to
several thousand users assuming you aren't doing 10Gb.
Good luck.
kmw
More information about the freebsd-pf
mailing list