* [gentoo-user] Something firewall-ish
From: meino.cramer @ 2014-12-15 16:47 UTC
To: Gentoo
Hi,

this question is not related to a fully fledged,
big local area network with DMZs and such.

Even the word "firewall" seems to be a little too
"huge and mighty" in this context to me.

"The network" consists of a PC, which is connected
to a FritzBox (cable, no Wifi/WLAN), which connects
to the ISP (internet) and (same address range) to an
embedded system (eth1).

There are two additional embedded systems, both on
a separate interface (eth over usb: usb0 & usb1).

I want to block (DROP or REJECT) the access to certain
sites (the "noise" which is produced mostly by sites,
which all exclusively "only want my best": ads, trackers, analysts
and so on...)

I tried different tools: fwbuilder, which locks up either itself
or my ruleset...I had to reboot; and Shorewall, which definitely
is a great tool....a little too great a tool and much more capable
than I am... ;)

I am sure that the problems are mostly not the problems of the
tools but mine.

Is there any simple straightforward tool to just block accesses
to certain sites?

Best regards,
Meino
* Re: [gentoo-user] Something firewall-ish
From: Emanuele Rusconi @ 2014-12-15 17:20 UTC
To: gentoo-user
On 15 December 2014 at 17:47, <meino.cramer@gmx.de> wrote:
>
> Is there any simple straightforward tool to just block accesses
> to certain sites?
>
Hi, I'm absolutely a noob or even less about this subject, but lately I
stumbled into a thread on the forum that might be interesting to you:
https://forums.gentoo.org/viewtopic-t-999422-highlight-.html
--
Emanuele
* Re: [gentoo-user] Something firewall-ish
From: meino.cramer @ 2014-12-15 18:14 UTC
To: gentoo-user
Emanuele Rusconi <emarsk@gmail.com> [14-12-15 18:24]:
> On 15 December 2014 at 17:47, <meino.cramer@gmx.de> wrote:
> >
> > Is there any simple straightforward tool to just block accesses
> > to certain sites?
> >
>
> Hi, I'm absolutely a noob or even less about this subject, but lately I
> stumbled into a thread on the forum that might be interesting to you:
>
> https://forums.gentoo.org/viewtopic-t-999422-highlight-.html
>
> --
> Emanuele
>
Hi Emanuele,

interesting stuff...thank you!

But it does not work as expected: With wireshark
I still see the encrypted traffic for example to
secure.informaction.com and s3-1.amazonaws.com
by starting firefox and doing nothing more (homepage
is a blank page...).

So I need bigger weapons...

Any other idea?

Best regards,
Meino
* Re: [gentoo-user] Something firewall-ish
From: Alan McKinnon @ 2014-12-15 20:39 UTC
To: gentoo-user
On 15/12/2014 18:47, meino.cramer@gmx.de wrote:
> Hi,
>
> this question is not related to a fully fledged,
> big local area network with DMZs and such.
>
> Even the word "firewall" seems to be a little too
> "huge and mighty" in this context to me.
>
> "The network" consists of a PC, which is connected
> to a FritzBox (cable, no Wifi/WLAN), which connects
> to the ISP (internet) and (same address range) to an
> embedded system (eth1)
>
> There are two additional embedded systems, both on
> a separate interface (eth over usb: usb0 & usb1).
>
> I want to block (DROP or REJECT) the access to certain
> sites (the "noise" which is produced mostly by sites,
> which all exclusively "only want my best": ads, trackers, analysts
> and so on...)
>
> I tried different tools: fwbuilder, which locks up either itself
> or my ruleset...I had to reboot and Shorewall, which definitely
> is a great tool....a little too great tool and much more capable
> than I am... ;)
>
> I am sure that the problems are mostly not the problems of the
> tools but mine.
>
> Is there any simple straightforward tool to just block accesses
> to certain sites?
to do it network-wide: squid

to do it on a per-pc per-browser basis: there's a large variety of
firefox plugins to choose from that will block this and allow that. It
seems to me this is the better approach as you want to stop your browser
chatting with sites who only have your best interest at heart :-)

Either way, the list of black and white lists gets very big very quick,
so choose your tool carefully. Try a bunch and pick one that makes sense
to you, bonus points if it comes with a community-supported blacklist
you can drop in, maintained by people whose POV matches your own.

You don't want a classic firewall for this; firewalls are mostly built
to block based on address and port, this is not how you solve your problem.
--
Alan McKinnon
alan.mckinnon@gmail.com
* Re: [gentoo-user] Something firewall-ish
From: meino.cramer @ 2014-12-16 4:02 UTC
To: gentoo-user
Alan McKinnon <alan.mckinnon@gmail.com> [14-12-16 03:43]:
> On 15/12/2014 18:47, meino.cramer@gmx.de wrote:
> > Hi,
> >
> > this question is not related to a fully fledged,
> > big local area network with DMZs and such.
> >
> > Even the word "firewall" seems to be a little too
> > "huge and mighty" in this context to me.
> >
> > "The network" consists of a PC, which is connected
> > to a FritzBox (cable, no Wifi/WLAN), which connects
> > to the ISP (internet) and (same address range) to an
> > embedded system (eth1)
> >
> > There are two additional embedded systems, both on
> > a separate interface (eth over usb: usb0 & usb1).
> >
> > I want to block (DROP or REJECT) the access to certain
> > sites (the "noise" which is produced mostly by sites,
> > which all exclusively "only want my best": ads, trackers, analysts
> > and so on...)
> >
> > I tried different tools: fwbuilder, which locks up either itself
> > or my ruleset...I had to reboot and Shorewall, which definitely
> > is a great tool....a little too great tool and much more capable
> > than I am... ;)
> >
> > I am sure that the problems are mostly not the problems of the
> > tools but mine.
> >
> > Is there any simple straightforward tool to just block accesses
> > to certain sites?
>
>
>
> to do it network-wide: squid
>
> to do it on a per-pc per-browser basis: there's a large variety of
> firefox plugins to choose from that will block this and allow that. It
> seems to me this is the better approach as you want to stop your browser
> chatting with sites who only have your best interest at heart :-)
>
>
> Either way, the list of black and white lists gets very big very quick,
> so choose your tool carefully. Try a bunch and pick one that makes sense
> to you, bonus points if it comes with a community-supported blacklist
> you can drop in, maintained by people whose POV matches your own.
>
> You don't want a classic firewall for this; firewalls are mostly built
> to block based on address and port, this is not how you solve your problem
>
> --
> Alan McKinnon
> alan.mckinnon@gmail.com
>
Hi Alan,

thanks for the reply! :)

actually the thing is: There is a plugin called "NoScript" which
constantly accesses secure.informaction.com, which is the author
of this plugin.
I tried a lot to block that access from inside firefox but did
not find a way to do so (read: _I_ did not find... ;)

If you know a plugin for firefox which is able to block accesses
from all other plugins to certain sites of the internet I would
be happy to check that out.

I tried to block the accesses via iptables rules which DROP/REJECT
the name and the IP-address of that site...no chance.

The IP of that site has not changed...

Wireshark still reports traffic to and from that site and following
the TCP stream with wireshark shows that the traffic has encrypted
contents.

The other access, whose origin I haven't located exactly yet (its
origin is in firefox, a plugin I think), is to
s3-1.amazonaws.com.
I also want to block this.

Please, which plugin of the large variety of plugins is
able to block access of all other plugins to customer-defined sites?

Thank you very much in advance for any help.

Best regards,
Meino
* [gentoo-user] Re: Something firewall-ish
From: »Q« @ 2014-12-16 4:24 UTC
To: gentoo-user
On Tue, 16 Dec 2014 05:02:40 +0100
meino.cramer@gmx.de wrote:
> actually the thing is: There is a plugin called "NoScript" which
> constantly accesses secure.informaction.com, which is the author
> of this plugin.
> I tried a lot to block that access from inside firefox but did
> not find a way to do so (read: _I_ did not find... ;)
<http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/>
explains the connection and how to disable it in NoScript's options.
* Re: [gentoo-user] Re: Something firewall-ish
From: meino.cramer @ 2014-12-16 4:46 UTC
To: gentoo-user
»Q« <boxcars@gmx.net> [14-12-16 05:28]:
> On Tue, 16 Dec 2014 05:02:40 +0100
> meino.cramer@gmx.de wrote:
>
> > actually the thing is: There is a plugin called "NoScript" which
> > constantly accesses secure.informaction.com, which is the author
> > of this plugin.
> > I tried a lot to block that access from inside firefox but did
> > not find a way to do so (read: _I_ did not find... ;)
>
> <http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/>
> explains the connection and how to disable it in NoScript's options.
>
>
Hi Q,

very interesting page...thank you!
It's the stuff I like ;)

What is the difference between NoScript saying "the access to
secure.informaction.com is completely anonymous" and
anyone else stating this?
Since the access is encrypted I cannot check its contents.
And how is it possible to send back an answer, if my
IP-address isn't offered (that is: "completely anonymous")?

Do you know anything about the other address and its origin:
s3-1.amazonaws.com
? It has something to do with a cloud service of Amazon...
But what could be the origin of this one ... ?

Best regards,
Meino
* [gentoo-user] Re: Something firewall-ish
From: »Q« @ 2014-12-16 5:03 UTC
To: gentoo-user
On Tue, 16 Dec 2014 05:46:17 +0100
meino.cramer@gmx.de wrote:
> »Q« <boxcars@gmx.net> [14-12-16 05:28]:
> > On Tue, 16 Dec 2014 05:02:40 +0100
> > meino.cramer@gmx.de wrote:
> >
> > > actually the thing is: There is a plugin called "NoScript" which
> > > constantly accesses secure.informaction.com, which is the author
> > > of this plugin.
> > > I tried a lot to block that access from inside firefox but did
> > > not find a way to do so (read: _I_ did not find... ;)
> >
> > <http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/>
> > explains the connection and how to disable it in NoScript's options.
> >
> >
>
> Hi Q,
>
> very interesting page...thank you!
> It's the stuff I like ;)
>
> What is the difference between NoScript saying "the access to
> secure.informaction.com is completely anonymous" and
> anyone else stating this?
> Since the access is encrypted I cannot check its contents.
> And how is it possible to send back an answer, if my
> IP-address isn't offered (that is: "completely anonymous")?
I'm sorry, I don't know. I don't use NoScript -- I just remembered
reading that the NoScript author had blogged about that connection so
I was able to google the page.
* Re: [gentoo-user] Something firewall-ish
From: Walter Dnes @ 2014-12-16 5:09 UTC
To: gentoo-user
On Mon, Dec 15, 2014 at 07:14:26PM +0100, meino.cramer@gmx.de wrote
> But it does not work as expected: With wireshark I still see
> the encrypted traffic for example to secure.informaction.com and
> s3-1.amazonaws.com by starting firefox and doing nothing more
> (homepage is a blank page...).
>
> So I need bigger weapons...
First, get the IP addresses...
[d531][waltdnes][~] nslookup s3-1.amazonaws.com
Server: 208.67.222.222
Address: 208.67.222.222#53
Non-authoritative answer:
Name: s3-1.amazonaws.com
Address: 54.231.1.0
[d531][waltdnes][~] nslookup secure.informaction.com
Server: 208.67.222.222
Address: 208.67.222.222#53
Non-authoritative answer:
Name: secure.informaction.com
Address: 82.103.140.40
Name: secure.informaction.com
Address: 82.103.140.42
Name: secure.informaction.com
Address: 69.195.141.179
Name: secure.informaction.com
Address: 69.195.141.178
With that info in hand, add the following at the top of your iptables
"OUTPUT" chain...
-A OUTPUT -d 69.195.141.178/31 -j DROP
-A OUTPUT -d 82.103.140.40/30 -j DROP
-A OUTPUT -d 54.231.1.0/32 -j DROP
The first one drops 69.195.141.178 and 69.195.141.179. The second one
drops 82.103.140.40, 82.103.140.41, 82.103.140.42, and 82.103.140.43.
The third one drops 54.231.1.0.
The Amazon cloud service covers 54.230.0.0/15. If s3-1.amazonaws.com
is "dynamic", you may have to block that entire range.
For those of you who are interested, I'm attaching a copy of my
/var/lib/iptables/rules-save which is tweaked for my LAN. Note the
following...

* this is a paranoid ruleset for general client end-users only. It will
*NOT* work for a server
* the 192.168.x.y addresses are for my internal LAN
* the 169.254.0.0/16 range is for my HDHomerun OTA TV tuner
* the "FECESBOOK" rules block Facebook, coming and going. Firefox
spins its wheels for several seconds "Connecting to facebook.com",
before giving up.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
[-- Attachment #2: rules-save.gz --]
[-- Type: application/octet-stream, Size: 974 bytes --]
* Re: [gentoo-user] Re: Something firewall-ish
From: J. Roeleveld @ 2014-12-16 6:51 UTC
To: gentoo-user
On Tuesday, December 16, 2014 05:46:17 AM meino.cramer@gmx.de wrote:
> »Q« <boxcars@gmx.net> [14-12-16 05:28]:
> > On Tue, 16 Dec 2014 05:02:40 +0100
> >
> > meino.cramer@gmx.de wrote:
> > > actually the thing is: There is a plugin called "NoScript" which
> > > constantly accesses secure.informaction.com, which is the author
> > > of this plugin.
> > > I tried a lot to block that access from inside firefox but did
> > > not find a way to do so (read: _I_ did not find... ;)
> >
> > <http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/>
> > explains the connection and how to disable it in NoScript's options.
>
> Hi Q,
>
> very interesting page...thank you!
> Its the stuff I like ;)
>
> What is the difference between NoScript saying "the access to
> secure.informaction.com is completely anonymous" and
> anyone else stating this?
> Since the access is encrypted I cannot check its contents.
> And how is it possible to send back an answer, if my
> IP-address isn't offered (that is: "completely anonymous")?
For any connection between 2 computers, both will always know the IP address
of the other (when using TCP/IP).
All that site does, according to the blog post, is reply with "your IP is: xx"
There are other sites that offer a similar service and it's commonly used when
you need to know the external IP. (Dyndns scripts use it as well)
> Do you know anything about the other address and its origin:
> s3-1.amazonaws.com
>
> ? It has something to do with a cloud service of Amazon...
> But what could be the origin of this one ... ?
Any plugin you have installed.
I've got that blocked in my firewall due to a large amount of SSH accesses in
my logs.
--
Joost
* Re: [gentoo-user] Something firewall-ish
From: Alan McKinnon @ 2014-12-16 7:07 UTC
To: gentoo-user
On 16/12/2014 06:02, meino.cramer@gmx.de wrote:
>
>
> Alan McKinnon <alan.mckinnon@gmail.com> [14-12-16 03:43]:
>> On 15/12/2014 18:47, meino.cramer@gmx.de wrote:
>>> Hi,
>>>
>>> this question is not related to a fully fledged,
>>> big local area network with DMZs and such.
>>>
>>> Even the word "firewall" seems to be a little too
>>> "huge and mighty" in this context to me.
>>>
>>> "The network" consists of a PC, which is connected
>>> to a FritzBox (cable, no Wifi/WLAN), which connects
>>> to the ISP (internet) and (same address range) to an
>>> embedded system (eth1)
>>>
>>> There are two additional embedded systems, both on
>>> a separate interface (eth over usb: usb0 & usb1).
>>>
>>> I want to block (DROP or REJECT) the access to certain
>>> sites (the "noise" which is produced mostly by sites,
>>> which all exclusively "only want my best": ads, trackers, analysts
>>> and so on...)
>>>
>>> I tried different tools: fwbuilder, which locks up either itself
>>> or my ruleset...I had to reboot and Shorewall, which definitely
>>> is a great tool....a little too great tool and much more capable
>>> than I am... ;)
>>>
>>> I am sure that the problems are mostly not the problems of the
>>> tools but mine.
>>>
>>> Is there any simple straightforward tool to just block accesses
>>> to certain sites?
>>
>>
>>
>> to do it network-wide: squid
>>
>> to do it on a per-pc per-browser basis: there's a large variety of
>> firefox plugins to choose from that will block this and allow that. It
>> seems to me this is the better approach as you want to stop your browser
>> chatting with sites who only have your best interest at heart :-)
>>
>>
>> Either way, the list of black and white lists gets very big very quick,
>> so choose your tool carefully. Try a bunch and pick one that makes sense
>> to you, bonus points if it comes with a community-supported blacklist
>> you can drop in, maintained by people whose POV matches your own.
>>
>> You don't want a classic firewall for this; firewalls are mostly built
>> to block based on address and port, this is not how you solve your problem
>>
>> --
>> Alan McKinnon
>> alan.mckinnon@gmail.com
>>
>
> Hi Alan,
>
> thanks for reply! :)
>
> actually the thing is: There is a plugin called "NoScript" which
> constantly accesses secure.informaction.com, which is the author
> of this plugin.
> I tried a lot to block that access from inside firefox but did
> not find a way to do so (read: _I_ did not find... ;)
>
> If you know a plugin for firefox which is able to block accesses
> from all other plugins to certain sites of the internet I would
> be happy to check that out.
I don't know of a plugin that specifically does that; I do know that
there are Firefox plugins for just about anything you could imagine,
that's why I made the suggestion.
>
> I tried to block the accesses via iptables rules which DROP/REJECT
> the name and the IP-address of that site...no chance.
>
> The IP has not changed of that site...
>
> Wireshark still reports traffic to and from that site and following
> the TCP stream with wireshark shows, that the traffic has encrypted
> contents.
That indicates something wrong with your iptables rules.

iptables works at the lowest level of the network stack (very little if
anything can bypass it) and wireshark works by reading the network
interface directly in promiscuous mode. The traffic you see probably
doesn't have an iptables rule to catch it. There are 4 addresses for that
domain name, did you include them all in the rule?
# dig secure.informaction.com +short
82.103.140.42
82.103.140.40
69.195.141.179
69.195.141.178
>
> The other access, which origin I haven't located exactly yet (its
> origin is in firefox (a plugin I think), is to
> s3-1.amazonaws.com.
> I also want to block this.
>
> Please what is the plugin of the large variety of plugins, which is
> able to block access of all other plugins to customer defined sites?
As I said above, I don't track plugins too closely, so I don't know.
But someone else on this list will, lots of knowledgeable people around
here :-)
--
Alan McKinnon
alan.mckinnon@gmail.com
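Walter's three CIDR rules and Alan's "did you include them all" come down to one check: does every address the name resolves to right now fall inside some -d prefix of a DROP/REJECT rule? The POSIX sh below is an added example written for this thread, not code posted by any participant. It takes iptables-save style rules and a list of resolved addresses and prints the addresses no rule covers; the rules and the first five addresses are the ones quoted in the thread, and 54.231.1.1 is a constructed address to show a miss. On a live box, feed it the output of `iptables-save` and `dig +short`.

```shell
#!/bin/sh
# Added example (not from the thread): report resolved addresses that no
# "-d CIDR -j DROP/REJECT" rule covers. Sample data is labelled below.

ip4_to_int() {
  # dotted quad -> 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

cidr_contains() {
  # cidr_contains NET/BITS IP : succeeds when IP lies inside NET/BITS
  # (a bare address counts as /32, which is what iptables assumes)
  net=${1%/*}
  bits=${1#*/}
  [ "$net" = "$1" ] && bits=32
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

rule_targets() {
  # print the -d argument of every DROP/REJECT rule in iptables-save text
  printf '%s\n' "$1" | awk '/-j (DROP|REJECT)/ { for (i = 1; i <= NF; i++) if ($i == "-d") print $(i + 1) }'
}

uncovered() {
  # uncovered RULES ADDRS : print each address (one per line in ADDRS)
  # that no rule in RULES would drop; empty output means full coverage
  targets=$(rule_targets "$1")
  printf '%s\n' "$2" | while read -r ip; do
    [ -n "$ip" ] || continue
    hit=0
    for cidr in $targets; do
      if cidr_contains "$cidr" "$ip"; then hit=1; break; fi
    done
    if [ "$hit" -eq 0 ]; then echo "$ip"; fi
  done
}

# Walter's three rules, as posted in the thread
RULES='-A OUTPUT -d 69.195.141.178/31 -j DROP
-A OUTPUT -d 82.103.140.40/30 -j DROP
-A OUTPUT -d 54.231.1.0/32 -j DROP'

# the addresses the two names resolved to in the thread (dig/nslookup output)
RESOLVED='82.103.140.42
82.103.140.40
69.195.141.179
69.195.141.178
54.231.1.0'

uncovered "$RULES" "$RESOLVED"     # prints nothing: every address is covered
uncovered "$RULES" "54.231.1.1"    # constructed address: printed as uncovered
```

Two caveats worth knowing when reading the result: an empty report only says the rules cover what the name resolves to at this moment, so rerun it after the record changes (Walter's point about a "dynamic" s3-1); and a rule written with `-d hostname` is resolved by iptables once, at insertion time, into fixed addresses, which is why blocking "the name" did not help Meino when the name maps to several hosts.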
* Re: [gentoo-user] Something firewall-ish
From: thegeezer @ 2014-12-16 10:53 UTC
To: gentoo-user
On 15/12/14 20:39, Alan McKinnon wrote:
> On 15/12/2014 18:47, meino.cramer@gmx.de wrote:
>> Hi,
>>
>> this question is not related to a fully fledged,
>> big local area network with DMZs and such.
>>
>> Even the word "firewall" seems to be a little too
>> "huge and mighty" in this context to me.
>>
>> "The network" consists of a PC, which is connected
>> to a FritzBox (cable, no Wifi/WLAN), which connects
>> to the ISP (internet) and (same address range) to an
>> embedded system (eth1)
>>
>> There are two additional embedded systems, both on
>> a separate interface (eth over usb: usb0 & usb1).
>>
>> I want to block (DROP or REJECT) the access to certain
>> sites (the "noise" which is produced mostly by sites,
>> which all exclusively "only want my best": ads, trackers, analysts
>> and so on...)
>>
>> I tried different tools: fwbuilder, which locks up either itself
>> or my ruleset...I had to reboot and Shorewall, which definitely
>> is a great tool....a little too great tool and much more capable
>> than I am... ;)
>>
>> I am sure that the problems are mostly not the problems of the
>> tools but mine.
>>
>> Is there any simple straightforward tool to just block accesses
>> to certain sites?
>
>
> to do it network-wide: squid
+1

and not in transparent mode either -- if you have a proxy server set
then https traffic is filtered by domain name as it is part of the proxy
connection request.

squid + squidGuard / dansguardian is the way forward.

for example, in my "advertisers/tracking" database there are some 12
thousand domains listed. good luck adding those individually to iptables.

the only other way to do things super paranoidly is by whitelisting
i.e. on the router just keep adding ip and port to whitelist table for
those you _want_

iptables -N whitelist
iptables -A whitelist -p udp -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A FORWARD -i LAN -o WAN -j whitelist
iptables -A FORWARD -j REJECT

this takes longer to "start" but is easier to maintain, as facebook for
example are constantly buying ip ranges and adding them to their global
domination, so you start by thinking you have blocked all 100 facebook
ip addresses and then a month or two later discover they have another
200 you need to block
>
> to do it on a per-pc per-browser basis: there's a large variety of
> firefox plugins to choose from that will block this and allow that. It
> seems to me this is the better approach as you want to stop your browser
> chatting with sites who only have your best interest at heart :-)
>
>
> Either way, the list of black and white lists gets very big very quick,
> so choose your tool carefully. Try a bunch and pick one that makes sense
> to you, bonus points if it comes with a community-supported blacklist
> you can drop in, maintained by people whose POV matches your own.
>
> You don't want a classic firewall for this; firewalls are mostly built
> to block based on address and port, this is not how you solve your problem
>
* Re: [gentoo-user] Something firewall-ish
From: Pandu Poluan @ 2014-12-16 14:31 UTC
To: gentoo-user
On 17:54, Tue, Dec 16, 2014 thegeezer <thegeezer@thegeezer.net> wrote:
> On 15/12/14 20:39, Alan McKinnon wrote:
>> On 15/12/2014 18:47, meino.cramer@gmx.de wrote:
>>> Hi,
>>>
>>> this question is not related to a fully fledged,
>>> big local area network with DMZs and such.
>>>
>>> Even the word "firewall" seems to be a little too
>>> "huge and mighty" in this context to me.
>>>
>>> "The network" consists of a PC, which is connected
>>> to a FritzBox (cable, no Wifi/WLAN), which connects
>>> to the ISP (internet) and (same address range) to an
>>> embedded system (eth1)
>>>
>>> There are two additional embedded systems, both on
>>> a separate interface (eth over usb: usb0 & usb1).
>>>
>>> I want to block (DROP or REJECT) the access to certain
>>> sites (the "noise" which is produced mostly by sites,
>>> which all exclusively "only want my best": ads, trackers, analysts
>>> and so on...)
>>>
>>> I tried different tools: fwbuilder, which locks up either itself
>>> or my ruleset...I had to reboot and Shorewall, which definitely
>>> is a great tool....a little too great tool and much more capable
>>> than I am... ;)
>>>
>>> I am sure that the problems are mostly not the problems of the
>>> tools but mine.
>>>
>>> Is there any simple straightforward tool to just block accesses
>>> to certain sites?
>>
>>
>> to do it network-wide: squid
> +1
>
> and not in transparent mode either -- if you have a proxy server set
> then https traffic is filtered by domain name as it is part of the proxy
> connection request.
>
> squid + squidGuard / dansguardian is the way forward.
>
> for example, in my "advertisers/tracking" database there are some 12
> thousand domains listed. good luck adding those individually to iptables.
>
> the only other way to do things super paranoidly is by whitelisting
> i.e. on the router just keep adding ip and port to whitelist table for
> those you _want_
>
> iptables -N whitelist
> iptables -A whitelist -p udp -d 8.8.8.8 --dport 53 -j ACCEPT
> iptables -A FORWARD -i LAN -o WAN -j whitelist
> iptables -A FORWARD -j REJECT
>
> this takes longer to "start" but is easier to maintain, as facebook for
> example are constantly buying ip ranges and adding them to their global
> domination, so you start by thinking you have blocked all 100 facebook
> ip addresses and then a month or two later discover they have another
> 200 you need to block
>>
>> to do it on a per-pc per-browser basis: there's a large variety of
>> firefox plugins to choose from that will block this and allow that. It
>> seems to me this is the better approach as you want to stop your browser
>> chatting with sites who only have your best interest at heart :-)
>>
>>
>> Either way, the list of black and white lists gets very big very quick,
>> so choose your tool carefully. Try a bunch and pick one that makes sense
>> to you, bonus points if it comes with a community-supported blacklist
>> you can drop in, maintained by people whose POV matches your own.
>>
>> You don't want a classic firewall for this; firewalls are mostly built
>> to block based on address and port, this is not how you solve your problem
>>
You can automate the process by using 'dig' and 'ipset'.

Create an ipset named "Fbook" of type hash:ip, then every 5 minutes run a
script that does a lookup for facebook.com and adds the found IPs to the
Fbook ipset.

Rgds,
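Pandu's dig-plus-ipset loop, and the whitelist chain thegeezer sketches (the same kind of set, matched with ACCEPT in a dedicated chain instead of DROP), in a form that can run from cron. This is an added example written for this thread, not code posted by either of them. The set name BLOCKED, the 600 second entry timeout and the domain `tracker.example` in the constructed dig output are assumptions; `ipset_restore_script` only generates text, so it can be checked offline, while `refresh_set` is the part that actually calls dig and ipset and needs root.

```shell
#!/bin/sh
# Added example (not from the thread): resolve names with dig, load the
# A records into an ipset, and let stale entries expire via a timeout.
# BLOCKED, the 600 s timeout and tracker.example are assumed names/values.

filter_ipv4() {
  # keep only dotted-quad lines; "dig +short" also prints CNAME targets,
  # which ipset would reject
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

ipset_restore_script() {
  # ipset_restore_script SET TIMEOUT ADDRS : emit "ipset restore" input that
  # creates SET as hash:ip with a default entry timeout and adds ADDRS.
  # An entry that is not re-added within TIMEOUT seconds expires by itself,
  # so addresses a name stops resolving to fall out of the set on their own.
  set_name=$1; ttl=$2; addrs=$3
  echo "create $set_name hash:ip timeout $ttl"
  printf '%s\n' "$addrs" | filter_ipv4 | while read -r ip; do
    echo "add $set_name $ip"
  done
}

refresh_set() {
  # refresh_set SET TIMEOUT NAME... : resolve every NAME now and load the
  # result. "ipset -exist restore" tolerates the set and entries already
  # existing, so this is safe to run every few minutes from cron.
  set_name=$1; ttl=$2; shift 2
  answers=$(for name in "$@"; do dig +short A "$name"; done)
  ipset_restore_script "$set_name" "$ttl" "$answers" | ipset -exist restore
}

# Constructed stand-in for "dig +short" output: one CNAME hop, three A records
DIG_SAMPLE='cdn.tracker.example.
203.0.113.10
203.0.113.11
198.51.100.7'

ipset_restore_script BLOCKED 600 "$DIG_SAMPLE"
# Hook the set into the firewall once (not run here):
#   iptables -A OUTPUT -m set --match-set BLOCKED dst -j DROP
# For thegeezer's whitelist variant use -j ACCEPT inside the whitelist
# chain and keep the final REJECT in FORWARD.
```

A crontab line such as `*/5 * * * * /usr/local/sbin/blockset.sh` calling `refresh_set BLOCKED 600 facebook.com` (path and script name assumed) reproduces the 5 minute loop from the message. The match rule refers to the set by name, so its membership can change without touching the iptables rules, and the timeout keeps the set from growing forever as the target's address ranges move.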