From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-user+bounces-160563-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 39F5E1389E2
	for <garchives@archives.gentoo.org>; Tue, 16 Dec 2014 10:53:54 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id BD5F9E095F;
	Tue, 16 Dec 2014 10:53:48 +0000 (UTC)
Received: from uberouter3.guranga.net (unknown [81.19.48.176])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id B0776E093B
	for <gentoo-user@lists.gentoo.org>; Tue, 16 Dec 2014 10:53:47 +0000 (UTC)
Received: from [192.168.151.10] (unknown [88.210.154.231])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by uberouter3.guranga.net (Postfix) with ESMTPSA id 613DA29C4
	for <gentoo-user@lists.gentoo.org>; Tue, 16 Dec 2014 10:52:33 +0000 (GMT)
Message-ID: <54900F2A.1090802@thegeezer.net>
Date: Tue, 16 Dec 2014 10:53:30 +0000
From: thegeezer <thegeezer@thegeezer.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Something firewall-ish
References: <20141215164700.GA4450@solfire> <548F4711.3030603@gmail.com>
In-Reply-To: <548F4711.3030603@gmail.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 0c0d2a92-62da-4795-b5e8-df7ce90270c6
X-Archives-Hash: 719e88189b5bbd18650be31e7fd71f2a

On 15/12/14 20:39, Alan McKinnon wrote:
> On 15/12/2014 18:47, meino.cramer@gmx.de wrote:
>> Hi,
>>
>> this question is not related to a fully fledged,
>> big local area network with DMZs and such.
>>
>> Even the word "firewall" seems to be a little too
>> "huge and mighty" in this context to me.
>>
>> "The network" consists of a PC, which is connected
>> to a FritzBox (cable, no Wifi/WLAN), which connects
>> to the ISP (internet) and (same address range) to an
>> embedded system (eth1)
>>
>> There are two additional embedded systems, both on
>> a separate interface (eth over usb: usb0 & usb1).
>>
>> I want to block (DROP or REJECT) the access to certain
>> sites (the "noise" which is produced mostly by sites,
>> which all exclusively "only want my best": ads, trackers, analysts
>> and so on...)
>>
>> I tried different tools: fwbuilder, which locks up either itself
>> or my ruleset...I had to reboot, and Shorewall, which definitely
>> is a great tool....a little too great a tool and much more capable
>> than I am... ;)
>>
>> I am sure that the problems are mostly not the problems of the
>> tools but mine.
>>
>> Is there any simple straight forward tool to just block accesses
>> to certain sites?
>
>
> to do it network-wide: squid

+1
and not in transparent mode either -- if you have a proxy server set
then https traffic is filtered by domain name as it is part of the proxy
connection request.
squid + squidGuard / dansguardian is the way forward.
for example, in my "advertisers/tracking" database there are some 12
thousand domains listed. good luck adding those individually to iptables.

the only other way to do things super paranoidly is by whitelisting,
i.e. on the router just keep adding ip and port to a whitelist table for
those you _want_:
# LAN and WAN are placeholders for the real interface names
iptables -N whitelist
# -m udp only works together with -p udp; one such line per wanted destination
iptables -A whitelist -p udp -d 8.8.8.8 --dport 53 -j ACCEPT

# anything not accepted in the whitelist chain falls through to the REJECT
iptables -A FORWARD -i LAN -o WAN -j whitelist
iptables -A FORWARD -j REJECT

this takes longer to "start" but is easier to maintain, as facebook for
example are constantly buying ip ranges and adding them to their global
domination, so you start by thinking you have blocked all 100 facebook
ip addresses and then a month or two later discover they have another
200 you need to block.
>
> to do it on a per-pc per-browser basis: there's a large variety of
> firefox plugins to choose from that will block this and allow that. It
> seems to me this is the better approach as you want to stop your browser
> chatting with sites who only have your best interest at heart :-)
>
>
> Either way, the list of black and white lists gets very big very quick,
> so choose your tool carefully. Try a bunch and pick one that makes sense
> to you, bonus points if it comes with a community-supported blacklist
> you can drop in, maintained by people whose POV matches your own.
>
> You don't want a classic firewall for this; firewalls are mostly built
> to block based on address and port, this is not how you solve your problem.
>
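Added example, not part of the thread and not squid or squidGuard code: why a proxy that the browser is configured to use (not a transparent one) can filter HTTPS by domain, and how a blocklist of thousands of domains is matched cheaply. With a proxy set, the browser sends `CONNECT host:port HTTP/1.1` before the TLS handshake and `GET http://host/path HTTP/1.1` for plain HTTP, so the destination name is on the request line either way. The script parses those request lines and checks the host and each of its parent domains against a set, which is how a 12-thousand-entry list stays one lookup per label rather than one iptables rule per address. The blocklist, the request lines, and the names `load_blocklist`, `is_blocked`, `request_host` and `decide` are constructed for this example.

```python
"""Domain-based filtering as a forward (non-transparent) proxy sees it.

Added example for the thread above; not squid or squidGuard code.
The blocklist and the request lines below are constructed test data.
"""
from urllib.parse import urlsplit

# Constructed, squidGuard-style "domains" file: one domain per line,
# '#' comments and blank lines ignored. A real list has thousands of entries.
BLOCKLIST_TEXT = """
# advertisers / trackers (constructed sample)
ads.example
tracker.example.net
analytics.example.org
"""


def load_blocklist(text):
    """Parse a one-domain-per-line list into a set of lowercase names."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains


BLOCKLIST = load_blocklist(BLOCKLIST_TEXT)


def normalise_host(target):
    """Lowercase a 'host' or 'host:port' target and drop the port."""
    target = target.strip().lower()
    if target.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        return target[1:].split("]", 1)[0]
    if target.count(":") == 1:            # hostname or IPv4 with a port
        target = target.split(":", 1)[0]
    return target.rstrip(".")


def is_blocked(host, blocklist=BLOCKLIST):
    """True if host, or any parent domain, is listed (label-boundary suffix match)."""
    labels = normalise_host(host).split(".")
    # Walk the parents: cdn.ads.example -> ads.example -> example
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def request_host(request_line):
    """Destination host from a proxy request line, or None if it carries none."""
    parts = request_line.strip().split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method.upper() == "CONNECT":       # HTTPS via proxy: host:port, sent before TLS
        return normalise_host(target)
    url = urlsplit(target)                # plain HTTP via proxy: absolute URI
    if url.scheme in ("http", "https") and url.hostname:
        return url.hostname.rstrip(".")
    return None                           # origin-form request: no host on this line


def decide(request_line, blocklist=BLOCKLIST):
    """Return the proxy's verdict for one request line."""
    host = request_host(request_line)
    if host is None:
        return "NO-HOST"
    return ("REJECT " if is_blocked(host, blocklist) else "ALLOW ") + host


if __name__ == "__main__":
    for line in (
        "CONNECT ads.example:443 HTTP/1.1",
        "CONNECT cdn.ads.example:443 HTTP/1.1",
        "GET http://Tracker.example.net/pixel.gif HTTP/1.1",
        "GET http://www.example.com/ HTTP/1.1",
        "CONNECT notads.example:443 HTTP/1.1",
        "GET /index.html HTTP/1.1",
    ):
        print(f"{decide(line):40} <- {line}")
```

The last case is what a transparent setup hands the proxy: an origin-form request with no host on the request line, which is the reason the reply above says to configure the proxy explicitly rather than intercept. Note also that `notads.example` is allowed even though `ads.example` is listed, because the match walks whole labels rather than doing a plain string suffix test.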