From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Walter Dnes"
Date: Fri, 4 Jan 2013 15:17:02 -0500
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPTABLES syntax change?
Message-ID: <20130104201702.GA16813@waltdnes.org>
In-Reply-To: <50E509FA.3060204@orlitzky.com>
References: <20121227004732.GB5854@waltdnes.org> <50DBA7D0.4060800@orlitzky.com> <87zk0zivjk.fsf@einstein.gmurray.org.uk> <20121227231150.GA9864@waltdnes.org> <50DCDEAF.9020002@orlitzky.com> <20121228035937.GA2949@waltdnes.org> <50DD370F.4070509@orlitzky.com> <20121231032150.GA2032@waltdnes.org> <50E509FA.3060204@orlitzky.com>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote
> On 12/30/2012 10:21 PM, Walter Dnes wrote:
> > [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
> > [0:0] -A FECESBOOK -j DROP
> > [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
> > [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
> > [0:0] -A INPUT -i lo -j ACCEPT
> > [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
>
> In fact, since you're blocking all outgoing packets to facebook, the
> only state that a packet from facebook can have here is INVALID or NEW.
> So traffic from facebook will be sent to the UNSOLICITED chain and DROPped.
> >
> > [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> > [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
> > [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> > [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
> > [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
> > [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
>
> ...making these pointless =)

I've run into at least one newspaper website (I forget which; it's
occasionally used for links on Slashdot) which ends up trying to redirect
me to a Facebook site even though the URL does not mention Facebook at
all. There is other integration as well. See the first post in
http://www.dslreports.com/forum/r26618459-Increasing-integration-of-facebook-into-many-web-sites
I believe this may have been straightened out since then, but 13 months
ago that post was correct. And then there's the "LIKE" button which shows
up all over the web. The mere fact that you haven't manually typed in...
http://www.facebook.com/blah_blah_blah
does not mean you're not connecting to it.

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
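The rule-ordering point Michael makes above, worked through in an added example (my code, not from the thread or Gentoo): a small first-match evaluator over the quoted INPUT chain that shows a NEW packet from a Facebook range hitting the conntrack rule first, and which later rules no packet can ever reach once outgoing traffic to those networks is blocked. It assumes, as Michael states, that the UNSOLICITED chain drops (so the jump is terminal), and the duplicated 69.63.176.0/20 line is listed once.

```python
import ipaddress
# INPUT rules from the quoted iptables-save listing (the repeated 69.63.176.0/20 line once);
# only the matches the thread discusses (-s, -i, --ctstate) are modelled.
INPUT_RULES = [
    {"src": "192.168.123.248/29", "iif": "eth0", "target": "ACCEPT"},
    {"src": "169.254.0.0/16", "iif": "eth0", "target": "ACCEPT"},
    {"iif": "lo", "target": "ACCEPT"},
    {"ctstate": {"INVALID", "NEW"}, "target": "UNSOLICITED"},
    {"src": "69.63.176.0/20", "target": "FECESBOOK"},
    {"src": "69.220.144.0/20", "target": "FECESBOOK"},
    {"src": "69.171.224.0/19", "target": "FECESBOOK"},
    {"src": "200.58.112.0/20", "target": "FECESBOOK"},
    {"src": "213.155.64.0/19", "target": "FECESBOOK"},
]
ALL_STATES = frozenset({"NEW", "INVALID", "ESTABLISHED", "RELATED"})

def matches(rule, pkt):
    """iptables ANDs a rule's matches: every criterion present must hold."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "iif" in rule and rule["iif"] != pkt["iif"]:
        return False
    return "ctstate" not in rule or pkt["ctstate"] in rule["ctstate"]

def first_match(rules, pkt):
    """First-match semantics: (index, target) of the first rule hit, else the chain policy."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return i, rule["target"]
    return None, "POLICY"

def states_reaching(rules, idx):
    """Conntrack states a packet can still have when rule idx is evaluated: an earlier rule
    matching on ctstate alone swallows those states for every packet (assumed terminal jump)."""
    states = set(ALL_STATES)
    for rule in rules[:idx]:
        if set(rule) <= {"ctstate", "target"}:
            states -= rule["ctstate"]
    return frozenset(states)

def dead_rules(rules, seen_states):
    """Indexes of rules no packet can reach given the states this host can actually see; with all
    outgoing traffic to those networks dropped, nothing is ever ESTABLISHED/RELATED from them."""
    return [i for i in range(len(rules)) if not states_reaching(rules, i) & seen_states]

if __name__ == "__main__":
    # Constructed packet: a fresh SYN from a Facebook range, no conntrack entry yet.
    pkt = {"src": "69.63.176.10", "iif": "eth0", "ctstate": "NEW"}
    print(first_match(INPUT_RULES, pkt))                # (3, 'UNSOLICITED')
    print(dead_rules(INPUT_RULES, {"NEW", "INVALID"}))  # [4, 5, 6, 7, 8]
```

The same evaluator with ALL_STATES as the seen set reports no dead rules, which is exactly the case the FECESBOOK LOG line would need: a connection the host itself had opened.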