[gentoo-user] blocking facebook

[gentoo-user] blocking facebook

[thelma]

Does anybody have an idea how to block facebook?

I'm using dd-wrt.  The "access restriction" can block http but not https
and I'm not good in iptables :-/
In addition users are using VirtualBox on the network as well.

-- 
Thelma

Re: [gentoo-user] blocking facebook

[Willie M]

[-- Attachment #1: Type: text/plain, Size: 500 bytes --]

If that is the only website you want to block use /etc/hosts. Point it
towards your own computer. "127.0.0.1  facebook.com".

On Fri, Dec 11, 2015, 7:04 PM  <thelma@sys-concept.com> wrote:

> Does anybody have an idea how to block facebook?
>
> I'm using dd-wrt.  The "access restriction" can block http but not https
> and I'm not good in iptables :-/
> In addition users are using VirtualBox on the network as well.
>
> --
> Thelma
>
> --


Willie Matthews
matthews.willie80@gmail.com
702-659-9966

[-- Attachment #2: Type: text/html, Size: 977 bytes --]

Re: [gentoo-user] blocking facebook

[thelma]

On 12/11/2015 08:29 PM, Willie M wrote:
> If that is the only website you want to block use /etc/hosts. Point it
> towards your own computer. "127.0.0.1  facebook.com".

That will work, but if they will use boot VirtualBox Windows it will
by-pass that setting.

--
Thelma


> On Fri, Dec 11, 2015, 7:04 PM  <thelma@sys-concept.com> wrote:
> 
>> Does anybody have an idea how to block facebook?
>>
>> I'm using dd-wrt.  The "access restriction" can block http but not https
>> and I'm not good in iptables :-/
>> In addition users are using VirtualBox on the network as well.

Re: [gentoo-user] blocking facebook

[Willie M]

[-- Attachment #1: Type: text/plain, Size: 968 bytes --]

If you use nat on iptables, it will also bypass it while using NAT. Change
the DNS server on virtualbox with doing something on dd-wrt it will also
bypass it. You have to keep dealing with it. There will always be a way to
bypass.

On Fri, Dec 11, 2015, 7:38 PM  <thelma@sys-concept.com> wrote:

> On 12/11/2015 08:29 PM, Willie M wrote:
> > If that is the only website you want to block use /etc/hosts. Point it
> > towards your own computer. "127.0.0.1  facebook.com".
>
> That will work, but if they will use boot VirtualBox Windows it will
> by-pass that setting.
>
> --
> Thelma
>
>
> > On Fri, Dec 11, 2015, 7:04 PM  <thelma@sys-concept.com> wrote:
> >
> >> Does anybody have an idea how to block facebook?
> >>
> >> I'm using dd-wrt.  The "access restriction" can block http but not https
> >> and I'm not good in iptables :-/
> >> In addition users are using VirtualBox on the network as well.
>
> --


Willie Matthews
matthews.willie80@gmail.com
702-659-9966

[-- Attachment #2: Type: text/html, Size: 1619 bytes --]

Re: [gentoo-user] blocking facebook

[pc0147 Sistemas Will_ecg]

[-- Attachment #1: Type: text/plain, Size: 1300 bytes --]

With iptables you can use the next:
	iptables -I OUTPUT -m string --string 'facebook' --algo bm -j
DROP
	iptables -I FORDWARD -m string --string 'facebook' --algo bm -j DROP
And that is all.
El sáb, 12-12-2015 a las 03:54 +0000, Willie M escribió:
> If you use nat on iptables, it will also bypass it while using NAT.
> Change the DNS server on virtualbox with doing something on dd-wrt it
> will also bypass it. You have to keep dealing with it. There will
> always be a way to bypass.
> 
> On Fri, Dec 11, 2015, 7:38 PM  <thelma@sys-concept.com> wrote:
> > On 12/11/2015 08:29 PM, Willie M wrote:
> > > If that is the only website you want to block use /etc/hosts.
> > Point it
> > > towards your own computer. "127.0.0.1  facebook.com".
> > 
> > That will work, but if they will use boot VirtualBox Windows it
> > will
> > by-pass that setting.
> > 
> > --
> > Thelma
> > 
> > 
> > > On Fri, Dec 11, 2015, 7:04 PM  <thelma@sys-concept.com> wrote:
> > >
> > >> Does anybody have an idea how to block facebook?
> > >>
> > >> I'm using dd-wrt.  The "access restriction" can block http but
> > not https
> > >> and I'm not good in iptables :-/
> > >> In addition users are using VirtualBox on the network as well.
> > 
> > 
> -- 
> 
> Willie Matthews
> matthews.willie80@gmail.com
> 702-659-9966

[-- Attachment #2: Type: text/html, Size: 2426 bytes --]

Re: [gentoo-user] blocking facebook

[Simon Thelen]

On 15-12-11 at 20:03, thelma@sys-concept.com wrote:
> Does anybody have an idea how to block facebook?
The only way to blacklist facebook would be to create a whitelist and
drop everything not on said whitelist.

If you block DNS, they can use a different DNS server. If you block IP
addresses they'll use a proxy/vpn. If you use deep packet inspection
they'll use TLS or a VPN or an SSH tunnel.

If you can control the systems so that they don't do any of the above,
it's possible but you've admitted that you can't (unless you can
control all the Virtualbox instances).
 
-- 
Simon Thelen

Re: [gentoo-user] blocking facebook

[Simon Thelen]

On 15-12-12 at 05:05, Simon Thelen wrote:
> On 15-12-11 at 20:03, thelma@sys-concept.com wrote:
> > Does anybody have an idea how to block facebook?
> The only way to blacklist facebook would be to create a whitelist and
> drop everything not on said whitelist.
Oh, and even that's not easy.

Finding and creating a whitelist that ensures necessary stuff gets done
without allowing people to bypass blocks is almost impossible. Getting
around these sorts of blocks isn't a matter of theoretical possibility,
it's a matter of someone putting in enough time and effort into
bypassing it. If you don't have complete control over all devices all
the time, you might as well just give up.

-- 
Simon Thelen

Re: [gentoo-user] blocking facebook

[thelma]

On 12/11/2015 09:05 PM, Simon Thelen wrote:
> On 15-12-11 at 20:03, thelma@sys-concept.com wrote:
>> Does anybody have an idea how to block facebook?
> The only way to blacklist facebook would be to create a whitelist and
> drop everything not on said whitelist.
> 
> If you block DNS, they can use a different DNS server. If you block IP
> addresses they'll use a proxy/vpn. If you use deep packet inspection
> they'll use TLS or a VPN or an SSH tunnel.
> 
> If you can control the systems so that they don't do any of the above,
> it's possible but you've admitted that you can't (unless you can
> control all the Virtualbox instances).

The users are not that knowledgeable to do any of that DNS, proxy/vpn etc.
I know VirtualBox IP address and can block the page "facebook" for
individual IP or certain range in dd-wrt.  But my problem is getting the
dd-wrt "access control" to recognize and block "https".
Trying to block by URL: https://www.facebook.com/ doesn't work.

--
Thelma

Re: [gentoo-user] blocking facebook

[Dale]

thelma@sys-concept.com wrote:
> On 12/11/2015 09:05 PM, Simon Thelen wrote:
>> On 15-12-11 at 20:03, thelma@sys-concept.com wrote:
>>> Does anybody have an idea how to block facebook?
>> The only way to blacklist facebook would be to create a whitelist and
>> drop everything not on said whitelist.
>>
>> If you block DNS, they can use a different DNS server. If you block IP
>> addresses they'll use a proxy/vpn. If you use deep packet inspection
>> they'll use TLS or a VPN or an SSH tunnel.
>>
>> If you can control the systems so that they don't do any of the above,
>> it's possible but you've admitted that you can't (unless you can
>> control all the Virtualbox instances).
> The users are not that knowledgeable to do any of that DNS, proxy/vpn etc.
> I know VirtualBox IP address and can block the page "facebook" for
> individual IP or certain range in dd-wrt.  But my problem is getting the
> dd-wrt "access control" to recognize and block "https".
> Trying to block by URL: https://www.facebook.com/ doesn't work.
>
> --
> Thelma
>
>
>


They may not now but I just did a quick search on startpage on how to
unblock facebook and I got a ton of hits including videos on youtube. 
They may not know how right now but after you block it, they will
shortly after.  On the plus side, you may have some budding computer
geeks coming along. 

Anyone else remember those parental control programs that rarely if ever
worked?  ROFL   Most teens could get past those in seconds if not a
minute or two.  ;-)

Dale

:-)  :-) 

Re: [gentoo-user] blocking facebook

[waltdnes]

On Fri, Dec 11, 2015 at 08:03:14PM -0700, thelma@sys-concept.com wrote
> Does anybody have an idea how to block facebook?
> 
> I'm using dd-wrt.  The "access restriction" can block http but not https
> and I'm not good in iptables :-/
> In addition users are using VirtualBox on the network as well.

  An excerpt from my /var/lib/iptables/rules-save ruleset...

[0:0] -A INPUT -s 31.13.24.0/21 -j FECESBOOK
[154:11168] -A INPUT -s 31.13.64.0/18 -j FECESBOOK
[0:0] -A INPUT -s 66.220.144.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
[0:0] -A INPUT -s 74.119.76.0/22 -j FECESBOOK
[0:0] -A INPUT -s 103.4.96.0/22 -j FECESBOOK
[0:0] -A INPUT -s 173.252.64.0/18 -j FECESBOOK
[0:0] -A INPUT -s 204.15.20.0/22 -j FECESBOOK

[0:0] -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
[3763325:225839770] -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
[56:3360] -A OUTPUT -d 66.220.144.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
[874:52440] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
[0:0] -A OUTPUT -d 74.119.76.0/22 -j FECESBOOK
[0:0] -A OUTPUT -d 103.4.96.0/22 -j FECESBOOK
[3306:198360] -A OUTPUT -d 173.252.64.0/18 -j FECESBOOK
[0:0] -A OUTPUT -d 204.15.20.0/22 -j FECESBOOK

[3767715:226105098] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
[3767715:226105098] -A FECESBOOK -j DROP

  It's OK to change the numbers in brackets to [0:0].  They represent
the number of [packets:bytes] since the rule was last updated.  Which
block has the most traffic depends on which part of the planet you're
on.  Here in Toronto, Canada outbound traffic to the 31.13.64.0/18
block, specifically 31.13.80.3, is the most common hit.  This comes from
websites with Facebook beacons trying to track every man and his dog.

  You'll notice the occasional website with a small rectangle that says
"...can't establish a connection to the server at...".  Insert your
browser's name at the left, and the website name (Facebook,
ad.doubleclick.net, etc) at the right.

-- 
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications

Re: [gentoo-user] blocking facebook

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 2514 bytes --]

On Sat, 12 Dec 2015 01:29:20 -0500 waltdnes@waltdnes.org wrote:
> On Fri, Dec 11, 2015 at 08:03:14PM -0700, thelma@sys-concept.com wrote
> > Does anybody have an idea how to block facebook?
> > 
> > I'm using dd-wrt.  The "access restriction" can block http but not https
> > and I'm not good in iptables :-/
> > In addition users are using VirtualBox on the network as well.
> 
>   An excerpt from my /var/lib/iptables/rules-save ruleset...
> 
> [0:0] -A INPUT -s 31.13.24.0/21 -j FECESBOOK
> [154:11168] -A INPUT -s 31.13.64.0/18 -j FECESBOOK
> [0:0] -A INPUT -s 66.220.144.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
> [0:0] -A INPUT -s 74.119.76.0/22 -j FECESBOOK
> [0:0] -A INPUT -s 103.4.96.0/22 -j FECESBOOK
> [0:0] -A INPUT -s 173.252.64.0/18 -j FECESBOOK
> [0:0] -A INPUT -s 204.15.20.0/22 -j FECESBOOK
> 
> [0:0] -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
> [3763325:225839770] -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
> [56:3360] -A OUTPUT -d 66.220.144.0/20 -j FECESBOOK
> [0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
> [874:52440] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
> [0:0] -A OUTPUT -d 74.119.76.0/22 -j FECESBOOK
> [0:0] -A OUTPUT -d 103.4.96.0/22 -j FECESBOOK
> [3306:198360] -A OUTPUT -d 173.252.64.0/18 -j FECESBOOK
> [0:0] -A OUTPUT -d 204.15.20.0/22 -j FECESBOOK
> 
> [3767715:226105098] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
> [3767715:226105098] -A FECESBOOK -j DROP

+1. Just block their CIDR ranges. No need to do DPI like was
suggested here. Of course smart users can use proxies or tunneling,
so this is not 100% solution, but for the majority it will work.

Just a tip here: use ipset hash:net for all this ranges and just a
few iptables rules to check src and dst in FORWARD and/or
INPUT/OUTPUT depending on whether host is router or target system,
e.g. for dd-wrt will be sufficient:

iptables -A FORWARD -m set --match-set facebook src -j DROP
iptables -A FORWARD -m set --match-set facebook dst -j DROP

A set can be created like this:

ipset create facebook hash:net
ipset add facebook 31.13.24.0/21
...

Of course logging may be enabled as above if desired.

This way filtering will be much faster and blocklist may be updated
without touching iptables rules. Gentoo init script support ipset
rules save/load as well as iptables.

Do not forget about ipv6 if it is enabled on your network.

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: [gentoo-user] blocking facebook

[Michael Schwartzkopff]

[-- Attachment #1: Type: text/plain, Size: 856 bytes --]

Am Freitag, 11. Dezember 2015, 20:03:14 schrieb thelma@sys-concept.com:
> Does anybody have an idea how to block facebook?
> 
> I'm using dd-wrt.  The "access restriction" can block http but not https
> and I'm not good in iptables :-/
> In addition users are using VirtualBox on the network as well.

You need to inspect the traffic on layer 7. The best way to acchieve this to add 
the deep packet inspection library to netfilter. Then you can filter specific 
websites.

Or you use a proxy and filter the site.

Mit freundlichen Grüßen,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 230 bytes --]

Re: [gentoo-user] blocking facebook

[Alan McKinnon]

On 12/12/2015 05:03, thelma@sys-concept.com wrote:
> Does anybody have an idea how to block facebook?
> 
> I'm using dd-wrt.  The "access restriction" can block http but not https
> and I'm not good in iptables :-/
> In addition users are using VirtualBox on the network as well.
> 


When you eventually get this in place, what are you going to do when the
marketing people want to update the company's own Facebook page?

Blocking facebook (or any other social site) is an exercise in futility.
You will never get it right without expending vast effort and as many
others have said people will always find ways around it. Including using
their personal phones while sitting at their desk.




-- 
Alan McKinnon
alan.mckinnon@gmail.com

Re: [gentoo-user] blocking facebook

[John Runyon]

I used to volunteer at the local high school. They would redirect both http and https through their content filter (I'm not sure how they worked around SSL warnings exactly - maybe just a wildcard certificate for *? I know it was signed by a CA they had generated and installed on every school computer).

Other than that the best you can hope for is preventing DNS from resolving it. Add to dnsmasq options on your router "-A /facebook.com/fbcdn.net/".

-A: Specify an IP address to return for any host in the given domains. Queries in the domains are never forwarded and always replied to with the specified IP address which may be IPv4 or IPv6. 
...
one or more domains with no address returns a no-such-domain answer, so --address=/example.com/ is equivalent to --server=/example.com/ and returns NXDOMAIN for example.com and all its subdomains.

-John
Sent from my phone

Simon Thelen <gentoo-user@c-14.de> wrote:

>On 15-12-11 at 20:03, thelma@sys-concept.com wrote:
>> Does anybody have an idea how to block facebook?
>The only way to blacklist facebook would be to create a whitelist and
>drop everything not on said whitelist.
>
>If you block DNS, they can use a different DNS server. If you block IP
>addresses they'll use a proxy/vpn. If you use deep packet inspection
>they'll use TLS or a VPN or an SSH tunnel.
>
>If you can control the systems so that they don't do any of the above,
>it's possible but you've admitted that you can't (unless you can
>control all the Virtualbox instances).
> 
>-- 
>Simon Thelen
>