Blocking facebook.com: PF or squid?


Blocking facebook.com: PF or squid?

Stefan Wollny-2
Hi there,

having a personal dislike of Facebook (and the MeeToo-systems alike)
for their impertinent sniffing for private data I tried on my laptop to
block facebook.com via hosts-file. Interestingly this failed: Calling
"http://www.facebook.com" always resulted in a lookup for
"httpS://www.facebook.com" and the respective site showed up in the
browser (tried firefox and xombrero).

Well: Besides accepting the fact that those facebook engineers did a
fine job circumventing the entries in /etc/hosts I felt immediately
insecure: The reports on this company's attitude towards even
non-customers privacy are legendary. Their respective track record
earns them the honorable title of "NSA's fittest supporter"...

Anyway: I think I finally managed to block all their IPs via PF and on
this laptop I now feel a little less 'observed'. [Yes, I know - this is
just today's snapshot of IPs!]

My question is on the squid-server I have running at home: What
would make more sense - blocking facebook.com via pf.conf alike or are
there reasons to use squid's ACL instead? Performance? Being
ultra-paranoid and implementing both (or even additionally the
hosts-file-block?)? From my understanding squid should not be able to
block https-traffic as it is encrypted - or am I wrong here?

Curious if there is a particular (Open)BSD solution or simply how you
'guys and gals' would do it.

Thank you for sharing your thoughts.

Cheers,
STEFAN


Re: Blocking facebook.com: PF or squid?

bitfrost
Regards,

The way it gets blocked (but not all for a wise kid) properly is via CIDR and
block DNS via OpenDNS services


Greetings.


2013/10/18 Stefan Wollny <[hidden email]>

> Hi there,
>
> having a personal dislike of Facebook (and the MeeToo-systems alike)
> for their impertinent sniffing for private data I tried on my laptop to
> block facebook.com via hosts-file. Interestingly this failed: Calling
> "http://www.facebook.com" always resulted in a lookup for
> "httpS://www.facebook.com" and the respective site showed up in the
> browser (tried firefox and xombrero).
>
> Well: Besides accepting the fact that those facebook engineers did a
> fine job circumventing the entries in /etc/hosts I felt immediately
> insecure: The reports on this company's attitude towards even
> non-customers privacy are legendary. Their respective track record
> earns them the honorable title of "NSA's fittest supporter"...
>
> Anyway: I think I finally managed to block all their IPs via PF and on
> this laptop I now feel a little less 'observed'. [Yes, I know - this is
> just today's snapshot of IPs!]
>
> My question is on the squid-server I have running at home: What
> would make more sense - blocking facebook.com via pf.conf alike or are
> there reasons to use squid's ACL instead? Performance? Being
> ultra-paranoid and implementing both (or even additionally the
> hosts-file-block?)? From my understanding squid should not be able to
> block https-traffic as it is encrypted - or am I wrong here?
>
> Curious if there is a particular (Open)BSD solution or simply how you
> 'guys and gals' would do it.
>
> Thank you for sharing your thoughts.
>
> Cheers,
> STEFAN
>
>


--
Sincerely

Andrés Genovez Tobar / DTIT
Professional profile http://lnkd.in/gcdhJE


Re: Blocking facebook.com: PF or squid?

Eric Johnson
In reply to this post by Stefan Wollny-2
On Sat, 19 Oct 2013, Stefan Wollny wrote:

> Hi there,
>
> having a personal dislike of Facebook (and the MeeToo-systems alike)
> for their impertinent sniffing for private data I tried on my laptop to
> block facebook.com via hosts-file. Interestingly this failed: Calling
> "http://www.facebook.com" always resulted in a lookup for
> "httpS://www.facebook.com" and the respective site showed up in the
> browser (tried firefox and xombrero).
>
> ...
>
> Curious if there is a particular (Open)BSD solution or simply how you
> 'guys and gals' would do it.
>
> Thank you for sharing your thoughts.

One possibility off the top of my head would be to log all DNS requests to
syslog and then use syslogc to get a live running stream of DNS requests
from a syslog memory buffer.  Then whenever you see a DNS request for
anything to do with facebook, add the ip address of the requestor to a pf
table and block their web browsing.  After about three to five minutes,
remove the ip address from the table.

If every time they try to access facebook, their web browser quits working
for a few minutes they might get the message.

Eric
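
Added example, not code from Eric or anyone else in this thread: a shell script for the log-driven timeout described above. It assumes the resolver is Unbound with query logging in the format shown in the comments; the memory buffer name, the table name and the pf rule are hypothetical.

```shell
#!/bin/sh
# Added example: turn a stream of resolver query-log lines into pf table entries.
# Assumed log format (Unbound with "log-queries: yes", via syslog):
#   <date> <host> unbound: [pid:tid] info: <client-ip> <qname>. <type> <class>
# LOGBUF, TABLE and the pf rule below are hypothetical names for this example.

WATCHED="facebook.com fbcdn.net fb.com"   # domains named in the thread
TABLE=fb_timeout                          # hypothetical pf table
LOGBUF=dnsqueries                         # hypothetical syslogd memory buffer

# pf.conf needs a matching table and rule, for example:
#   table <fb_timeout> persist
#   block in quick proto tcp from <fb_timeout> to any port { 80, 443 }

# Read log lines on stdin, print the client address of every query whose name
# is a watched domain or a subdomain of one. Matching is done on label
# boundaries, so "notfacebook.com" and "facebook.com.example.net" do not match.
clients_asking_for() {
    awk -v domains="$WATCHED" '
        BEGIN { n = split(domains, d, " ") }
        {
            # Locate the "info:" marker; client and qname are the next two fields.
            for (i = 1; i < NF - 1; i++) if ($i == "info:") break
            if (i >= NF - 1) next
            client = $(i + 1)
            # Only pass on something that looks like an address to pfctl.
            if (client !~ /^[0-9A-Fa-f:.]+$/) next
            q = tolower($(i + 2)); sub(/\.$/, "", q)
            for (j = 1; j <= n; j++) {
                suffix = "." d[j]
                if (q == d[j] || (length(q) > length(suffix) &&
                    substr(q, length(q) - length(suffix) + 1) == suffix)) {
                    print client
                    fflush()      # keep the stream live when piped
                    break
                }
            }
        }'
}

# Follow the memory buffer and add each offending client to the table.
# Adding an address that is already present is harmless.
watch_and_block() {
    syslogc -f "$LOGBUF" | clients_asking_for | while read -r ip; do
        pfctl -q -t "$TABLE" -T add "$ip"
    done
}

# Entries are removed again by a separate cron job, e.g. every minute:
#   pfctl -q -t fb_timeout -T expire 300

if [ "${1:-}" = "--watch" ]; then
    watch_and_block
fi
```

No duplicates are suppressed in the stream on purpose: a client that asks again after its entry has expired must be added again.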


Re: Blocking facebook.com: PF or squid?

Marios Makassikis-2
In reply to this post by Stefan Wollny-2
On 19 October 2013 00:27, Stefan Wollny <[hidden email]> wrote:

>
> Hi there,
>
> having a personal dislike of Facebook (and the MeeToo-systems alike)
> for their impertinent sniffing for private data I tried on my laptop to
> block facebook.com via hosts-file. Interestingly this failed: Calling
> "http://www.facebook.com" always resulted in a lookup for
> "httpS://www.facebook.com" and the respective site showed up in the
> browser (tried firefox and xombrero).
>
> Well: Besides accepting the fact that those facebook engineers did a
> fine job circumventing the entries in /etc/hosts I felt immediately
> insecure: The reports on this company's attitude towards even
> non-customers privacy are legendary. Their respective track record
> earns them the honorable title of "NSA's fittest supporter"...
>
> Anyway: I think I finally managed to block all their IPs via PF and on
> this laptop I now feel a little less 'observed'. [Yes, I know - this is
> just today's snapshot of IPs!]
>

Did you block individual IPs or complete subnets ? Performing DNS resolution
on facebook.com and fbcdn.net yields the 173.252.64.0/18 subnet.
Blocking it is one additional PF rule or just updating a table of
already blocked subnets / IPs.

> My question is on the squid-server I have running at home: What
> would make more sense - blocking facebook.com via pf.conf alike or are
> there reasons to use squid's ACL instead? Performance? Being
> ultra-paranoid and implementing both (or even additionally the
> hosts-file-block?)? From my understanding squid should not be able to
> block https-traffic as it is encrypted - or am I wrong here?
>
> Curious if there is a particular (Open)BSD solution or simply how you
> 'guys and gals' would do it.


Having squid running on your laptop just to block facebook is way overkill IMHO.

Rather than populating (polluting?) your hosts file, I think using
adsuck[1] would be simpler and get you similar results, especially if
you don't want to use an external service such as OpenDNS.

It is available as an OpenBSD package, and it's easily configured to
block more than just facebook.

Marios


[1] https://opensource.conformal.com/wiki/adsuck


>
>
> Thank you for sharing your thoughts.
>
> Cheers,
> STEFAN


Re: Blocking facebook.com: PF or squid?

Stefan Wollny-2
In reply to this post by bitfrost
Hi Andres,

yes - I have read about OpenDNS' services and that many out there are
really happy with them.

But I try to do my homework first before relying on s.o.
else: I _do_ have this OpenBSD-based squid-server - why not use it to
its full potential? Might not be a big deal traffic-wise, but it
adds up...

Anyway - thank you for sharing.

Regards,
STEFAN


On Fri, 18 Oct 2013 17:42:31 -0500,
Andres Genovez <[hidden email]> wrote:

> Regards,
>
> The way it gets blocked (but not all for a wise kid) properly is via
> CIDR and block DNS via OpenDNS services
>
>
> Greetings.
>
>
> 2013/10/18 Stefan Wollny <[hidden email]>
>
> > Hi there,
> >
> > having a personal dislike of Facebook (and the MeeToo-systems alike)
> > for their impertinent sniffing for private data I tried on my
> > laptop to block facebook.com via hosts-file. Interestingly this
> > failed: Calling "http://www.facebook.com" always resulted in a
> > lookup for "httpS://www.facebook.com" and the respective site
> > showed up in the browser (tried firefox and xombrero).
> >
> > Well: Besides accepting the fact that those facebook engineers did a
> > fine job circumventing the entries in /etc/hosts I felt immediately
> > insecure: The reports on this company's attitude towards even
> > non-customers privacy are legendary. Their respective track record
> > earns them the honorable title of "NSA's fittest supporter"...
> >
> > Anyway: I think I finally managed to block all their IPs via PF and
> > on this laptop I now feel a little less 'observed'. [Yes, I know -
> > this is just today's snapshot of IPs!]
> >
> > My question is on the squid-server I have running at home: What
> > would make more sense - blocking facebook.com via pf.conf alike or
> > are there reasons to use squid's ACL instead? Performance? Being
> > ultra-paranoid and implementing both (or even additionally the
> > hosts-file-block?)? From my understanding squid should not be able
> > to block https-traffic as it is encrypted - or am I wrong here?
> >
> > Curious if there is a particular (Open)BSD solution or simply how
> > you 'guys and gals' would do it.
> >
> > Thank you for sharing your thoughts.
> >
> > Cheers,
> > STEFAN
> >
> >
>
>
> --
> Sincerely
>
> Andrés Genovez Tobar / DTIT
> Professional profile http://lnkd.in/gcdhJE
>


Kind regards,

STEFAN WOLLNY

Regulatory Reporting Consultancy
Tel.: +49 (0) 177 655 7875
Fax.: +49 (0) 3212 655 7875
Mail: [hidden email]
GnuPG-Key ID: 0x9C26F1D0


Re: Blocking facebook.com: PF or squid?

Brian McCafferty
In reply to this post by Stefan Wollny-2
On 10/18/13 18:27, Stefan Wollny wrote:

> Hi there,
>
> having a personal dislike of Facebook (and the MeeToo-systems alike)
> for their impertinent sniffing for private data I tried on my laptop to
> block facebook.com via hosts-file. Interestingly this failed: Calling
> "http://www.facebook.com" always resulted in a lookup for
> "httpS://www.facebook.com" and the respective site showed up in the
> browser (tried firefox and xombrero).
>
> Well: Besides accepting the fact that those facebook engineers did a
> fine job circumventing the entries in /etc/hosts I felt immediately
> insecure: The reports on this company's attitude towards even
> non-customers privacy are legendary. Their respective track record
> earns them the honorable title of "NSA's fittest supporter"...
>
> Anyway: I think I finally managed to block all their IPs via PF and on
> this laptop I now feel a little less 'observed'. [Yes, I know - this is
> just today's snapshot of IPs!]
>
> My question is on the squid-server I have running at home: What
> would make more sense - blocking facebook.com via pf.conf alike or are
> there reasons to use squid's ACL instead? Performance? Being
> ultra-paranoid and implementing both (or even additionally the
> hosts-file-block?)? From my understanding squid should not be able to
> block https-traffic as it is encrypted - or am I wrong here?
>
> Curious if there is a particular (Open)BSD solution or simply how you
> 'guys and gals' would do it.
>
> Thank you for sharing your thoughts.
>
> Cheers,
> STEFAN
>
>
>

If you use dhclient on your laptop, I think you need to make sure to
specify "lookup file bind" (the search order) to have the hosts file
checked before DNS server. ie- in resolv.conf.tail
bind file is the default.
So then you can add 127.0.0.1 facebook.com to the host file.


Re: Blocking facebook.com: PF or squid?

Aaron
In reply to this post by Stefan Wollny-2
On 10/18/13 18:27, Stefan Wollny wrote:

> Hi there,
>
> having a personal dislike of Facebook (and the MeeToo-systems alike)
> for their impertinent sniffing for private data I tried on my laptop to
> block facebook.com via hosts-file. Interestingly this failed: Calling
> "http://www.facebook.com" always resulted in a lookup for
> "httpS://www.facebook.com" and the respective site showed up in the
> browser (tried firefox and xombrero).
>
> Well: Besides accepting the fact that those facebook engineers did a
> fine job circumventing the entries in /etc/hosts I felt immediately
> insecure: The reports on this company's attitude towards even
> non-customers privacy are legendary. Their respective track record
> earns them the honorable title of "NSA's fittest supporter"...
>
> Anyway: I think I finally managed to block all their IPs via PF and on
> this laptop I now feel a little less 'observed'. [Yes, I know - this is
> just today's snapshot of IPs!]
>
> My question is on the squid-server I have running at home: What
> would make more sense - blocking facebook.com via pf.conf alike or are
> there reasons to use squid's ACL instead? Performance? Being
> ultra-paranoid and implementing both (or even additionally the
> hosts-file-block?)? From my understanding squid should not be able to
> block https-traffic as it is encrypted - or am I wrong here?
>
> Curious if there is a particular (Open)BSD solution or simply how you
> 'guys and gals' would do it.
>
> Thank you for sharing your thoughts.
>
> Cheers,
> STEFAN
>
>
If you're handling DHCP for all of the traffic for your site, why not
just set up a dns server, point your dhcp clients to this DNS server and
create an authoritative zone for facebook.com that points to somewhere
other than facebook?

That's traditionally how I block traffic from our network from our users
trying to go to places other than where I wish them to.

The more savvy users could get around this by altering their dns servers
manually, which you can stop by blocking DNS traffic out of your network;
this has the added bonus of cutting down bandwidth out of your network.

If they get really sneaky and try to put host entries in for facebook,
you can do as you've been doing, blocking IPs, and maybe create a script
that does an hourly lookup of all facebook IPs and having it update your
pf config and then reloading pf.

Aaron


Re: Blocking facebook.com: PF or squid?

Stefan Wollny-2
In reply to this post by Brian McCafferty
On Fri, 18 Oct 2013 19:21:44 -0400,
Brian McCafferty <[hidden email]> wrote:

[ ... ]
> If you use dhclient on your laptop, I think you need to make sure to
> specify "lookup file bind" (the search order) to have the hosts file
> checked before DNS server. ie- in resolv.conf.tail
> bind file is the default.
> So then you can add 127.0.0.1 facebook.com to the host file.
>

Hi Brian,

good point - I had resolv.conf.tail disabled when setting up adsuck on
the laptop. Will test this tomorrow.

Still the question is: As the squid-server at home is dedicated to be
"just a proxy" I am not sure if adsuck is the right tool on this
machine. Prior to trying my luck with adsuck on the laptop I had only
the entries for facebook in the hosts-file - with no effect. This is
why I am about to either use pf.conf on the server as well or a
squid-ACL.

Thank you for joining the discussion.

Regards,
STEFAN



Re: Blocking facebook.com: PF or squid?

Stefan Wollny-2
In reply to this post by Aaron
On Fri, 18 Oct 2013 19:33:11 -0400,
mia <[hidden email]> wrote:
[ ... ]

> >
> If you're handling DHCP for all of the traffic for your site, why not
> just set up a dns server, point your dhcp clients to this DNS server
> and create an authoritative zone for facebook.com that points to
> somewhere other than facebook?
>
> That's traditionally how I block traffic from our network from our
> users trying to go to places other than where I wish them to.
>
> The more savvy users could get around this by altering their dns servers
> manually, which you can stop by blocking DNS traffic out of your network;
> this has the added bonus of cutting down bandwidth out of your
> network.
>
> If they get really sneaky and try to put host entries in for
> facebook, you can do as you've been doing, blocking IPs, and maybe
> create a script that does an hourly lookup of all facebook IPs and
> having it update your pf config and then reloading pf.
>
> Aaron

Hi Aaron,

this might be another way to go. I haven't thought about this yet. The
squid-server has enough power to handle this as well (or I reactivate
an old laptop).

There are at present only two other users left who are not experienced
enough to fiddle with the DNS (at least not yet ;-) ). And other family
members  who show up occasionally get FB-access via WLAN on their
smartphones - my prime issue are stealth-connects to FB I try to
prevent. If a guest just can't live without FB I'd rather pull another
cable to the router and have effectively a 'demilitarized zone' for
them than expose the rest of the family to the wild.

Anyway: Thank you for sharing your ideas!

Regards,
STEFAN


Re: Blocking facebook.com: PF or squid?

Stefan Wollny-2
In reply to this post by Marios Makassikis-2
On Sat, 19 Oct 2013 01:02:58 +0200,
Marios Makassikis <[hidden email]> wrote:

Hi Marios!

[ ... ]
> >
> > Anyway: I think I finally managed to block all their IPs via PF and
> > on this laptop I now feel a little less 'observed'. [Yes, I know -
> > this is just today's snapshot of IPs!]
> >  
>
> Did you block individual IPs or complete subnets ?  
I used "whois -h whois.radb.net '!gAS32934'" to collect the subnets
first and put those into /etc/facebook. My pf.conf has this:
~~~~~~~~~~ QUOTE ~~~~~~~~~
table <facebook> persist file "/etc/facebook"
block log quick on $ExtIF from <facebook> to any
block log quick on $ExtIF from any to <facebook>
~~~~~~~~ QUOTE END ~~~~~~~

logging is just for some time to investigate if this makes sense at
all...

> Performing DNS
> resolution on facebook.com and fbcdn.net yields the 173.252.64.0/18
> subnet. Blocking it is one additional PF rule or just updating a
> table of already blocked subnets / IPs.
>  
> > My question is on the squid-server I have running at home: What
> > would make more sense - blocking facebook.com via pf.conf alike or
> > are there reasons to use squid's ACL instead? Performance? Being
> > ultra-paranoid and implementing both (or even additionally the
> > hosts-file-block?)? From my understanding squid should not be able
> > to block https-traffic as it is encrypted - or am I wrong here?
> >
> > Curious if there is a particular (Open)BSD solution or simply how
> > you 'guys and gals' would do it.  
>
>
> Having squid running on your laptop just to block facebook is way
> overkill IMHO.  

No, no: The squid is running on a regular server at home securing the
PCs and the laptop once I am around.
>
> Rather than populating (polluting?) your hosts file, I think using
> adsuck[1] would be simpler and get you similar results, especially if
> you don't want to use an external service such as OpenDNS.
Actually I started with adsuck when I noticed that facebook manages to
circumvent entries in /etc/hosts. I might have done s.th. wrong but on
my laptop any lookup for facebook.com got redirected to 'https' and
those lines in /var/adsuck/hosts.small had no effect:
# [Facebook]
127.0.0.1  fbstatic-a.akamaihd.net
127.0.0.1  fbcdn-dragon-a.akamaihd.net
127.0.0.1  facebook.com
127.0.0.1  www.facebook.com
127.0.0.1  facebook.de
127.0.0.1  de-de.facebook.com

>
> It is available as an OpenBSD package, and it's easily configured to
> block more than just facebook.
This is what I had expected.

>
> Marios
>
>
> [1] https://opensource.conformal.com/wiki/adsuck
>  
Thanks a lot for your time to reply!

Regards,
STEFAN
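
Added example, not code from any poster in this thread: a shell script for the hourly refresh Aaron suggests, built on the RADB query and the `<facebook>` table file quoted in the message above. The parsing of the `!g` answer, the MIN_PREFIXES floor and the `--apply` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: rebuild the <facebook> pf table from the RADB route list.
# TABLE, TABLE_FILE and the AS number come from the post above; MIN_PREFIXES
# and the --apply switch are assumptions of this example.

TABLE=facebook
TABLE_FILE=/etc/facebook
ASN=AS32934
MIN_PREFIXES=5    # assumed sanity floor; tune to the usual list size

# Read an IRRd "!g" answer on stdin, print validated IPv4 prefixes, one per
# line. The answer is "A<byte count>", a line of space-separated prefixes,
# then "C"; "D" (no data) or "F <reason>" (error) produce no output here.
# "!g" covers IPv4 routes only, so IPv6 is outside what this script blocks.
extract_prefixes() {
    tr -s ' \t\r' '\n\n\n' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' |
    awk -F'[./]' '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 && $5 <= 32' |
    LC_ALL=C sort -u
}

# Succeed only if file $1 holds at least $2 prefixes, so a failed or
# truncated lookup never replaces a good table with an empty one.
enough_prefixes() {
    count=$(awk 'END { print NR }' "$1")
    [ "$count" -ge "$2" ]
}

refresh_table() {
    tmp=$(mktemp /tmp/facebook.XXXXXXXXXX) || return 1
    whois -h whois.radb.net "!g${ASN}" | extract_prefixes > "$tmp"
    if ! enough_prefixes "$tmp" "$MIN_PREFIXES"; then
        echo "refresh aborted: too few prefixes, keeping $TABLE_FILE" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp" && mv "$tmp" "$TABLE_FILE" || return 1
    # Swap the table contents in place; the block rules keep referencing it.
    pfctl -t "$TABLE" -T replace -f "$TABLE_FILE"
}

# Run from cron (hourly, as suggested in the thread) as: script --apply
if [ "${1:-}" = "--apply" ]; then
    refresh_table
fi
```

Replacing the table contents with `pfctl -T replace` avoids reloading the whole ruleset, and the floor check keeps a lookup failure from quietly unblocking everything.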


Re: Blocking facebook.com: PF or squid?

Stefan Wollny-2
In reply to this post by Eric Johnson
On Fri, 18 Oct 2013 18:02:55 -0500 (CDT),
Eric Johnson <[hidden email]> wrote:

> On Sat, 19 Oct 2013, Stefan Wollny wrote:
>
> > Hi there,
> >
> > having a personal dislike of Facebook (and the MeeToo-systems alike)
> > for their impertinent sniffing for private data I tried on my
> > laptop to block facebook.com via hosts-file. Interestingly this
> > failed: Calling "http://www.facebook.com" always resulted in a
> > lookup for "httpS://www.facebook.com" and the respective site
> > showed up in the browser (tried firefox and xombrero).
> >
> > ...
> >
> > Curious if there is a particular (Open)BSD solution or simply how
> > you 'guys and gals' would do it.
> >
> > Thank you for sharing your thoughts.
>
> One possibility off the top of my head would be to log all DNS
> requests to syslog and then use syslogc to get a live running stream
> of DNS requests from a syslog memory buffer.  Then whenever you see a
> DNS request for anything to do with facebook, add the ip address of
> the requestor to a pf table and block their web browsing.  After
> about three to five minutes, remove the ip address from the table.
>
> If every time they try to access facebook, their web browser quits
> working for a few minutes they might get the message.
>
> Eric
>

Hi Eric,

sounds pretty nifty to me - this is s.th. I might use at another
site next year. But for my home-network probably a little oversized
(though a good learning exercise :-) ).

Anyway: Thank you for sharing!

Regards,
STEFAN




Re: Blocking facebook.com: PF or squid?

Clint Pachl
In reply to this post by Aaron
mia wrote, On 10/18/13 16:33:
> If you're handling DHCP for all of the traffic for your site, why not
> just set up a dns server, point your dhcp clients to this DNS server
> and create an authoritative zone for facebook.com that points to
> somewhere other than facebook?

Running your own DNS resolver is the best solution to deny the whole
network facebook access. With Unbound this is simple:

# This will block facebook.com and all subdomains.
local-zone: "facebook.com" redirect
local-data: "facebook.com A 127.0.0.1"

> The more savvy users could get around this by altering their dns servers
> manually, which you can stop by blocking DNS traffic out of your network;
> this has the added bonus of cutting down bandwidth out of your network.
Exactly!

> If they get really sneaky and try to put host entries in for facebook,
> you can do as you've been doing, blocking IPs, and maybe create a
> script that does an hourly lookup of all facebook IPs and having it
> update your pf config and then reloading pf.
If it gets to this point, I'd say they should lose their network
privileges. ;-) Next thing you know they will be using a proxy server to
circumvent your IP block. There's always a way around.


Re: Blocking facebook.com: PF or squid?

Mike.
In reply to this post by Stefan Wollny-2
On 10/19/2013 at 12:27 AM Stefan Wollny wrote:

|Hi there,
|[snip]
|
|My question is on the squid-server I have running at home: What
|would make more sense - blocking facebook.com via pf.conf alike or are
|there reasons to use squid's ACL instead? Performance? Being
|ultra-paranoid and implementing both (or even additionally the
|hosts-file-block?)? From my understanding squid should not be able to
|block https-traffic as it is encrypted - or am I wrong here?
|
|Curious if there is a particular (Open)BSD solution or simply how you
|'guys and gals' would do it.
 =============


I put privoxy between the browser and squid on my home network.
The privoxy mailing list has discussion about blocking facebook.

Additionally, if you're running firefox, look to see if the
ghostery plug-in would work for you.


Re: Blocking facebook.com: PF or squid?

Chris Cappuccio
In reply to this post by Stefan Wollny-2
i'd imagine that putting 'www.facebook.com' in your hosts file will do it,
unless the browser ignores /etc/hosts

you could always use the url filtering mechanism of relayd combined
with pf redirects, but if people really want to bypass it, they'll
do proxies (via ssh even) or remote desktop or vpn or...

why does your personal dislike of Facebook have to affect other network
users?

Stefan Wollny [[hidden email]] wrote:

> Hi there,
>
> having a personal dislike of Facebook (and the MeeToo-systems alike)
> for their impertinent sniffing for private data I tried on my laptop to
> block facebook.com via hosts-file. Interestingly this failed: Calling
> "http://www.facebook.com" always resulted in a lookup for
> "httpS://www.facebook.com" and the respective site showed up in the
> browser (tried firefox and xombrero).
>
> Well: Besides accepting the fact that those facebook engineers did a
> fine job circumventing the entries in /etc/hosts I felt immediately
> insecure: The reports on this company's attitude towards even
> non-customers privacy are legendary. Their respective track record
> earns them the honorable title of "NSA's fittest supporter"...
>
> Anyway: I think I finally managed to block all their IPs via PF and on
> this laptop I now feel a little less 'observed'. [Yes, I know - this is
> just today's snapshot of IPs!]
>
> My question is on the squid-server I have running at home: What
> would make more sense - blocking facebook.com via pf.conf alike or are
> there reasons to use squid's ACL instead? Performance? Being
> ultra-paranoid and implementing both (or even additionally the
> hosts-file-block?)? From my understanding squid should not be able to
> block https-traffic as it is encrypted - or am I wrong here?
>
> Curious if there is a particular (Open)BSD solution or simply how you
> 'guys and gals' would do it.
>
> Thank you for sharing your thoughts.
>
> Cheers,
> STEFAN

--
It was the Nicolatians who first coined the separation between lay and clergy.


Re: Blocking facebook.com: PF or squid?

Sico Bruins-3
In reply to this post by Stefan Wollny-2
On Sat, Oct 19, 2013 at 12:27:38AM +0200, Stefan Wollny wrote:

> Hi there,
>
> having a personal dislike of Facebook (and the MeeToo-systems alike)
> for their impertinent sniffing for private data I tried on my laptop to
> block facebook.com via hosts-file.

<snip>

> My question is on the squid-server I have running at home: What
> would make more sense - blocking facebook.com via pf.conf alike or are
> there reasons to use squid's ACL instead? Performance? Being
> ultra-paranoid and implementing both (or even additionally the
> hosts-file-block?)? From my understanding squid should not be able to
> block https-traffic as it is encrypted - or am I wrong here?

That is a misunderstanding, squid couldn't care less about encryption.

> Curious if there is a particular (Open)BSD solution or simply how you
> 'guys and gals' would do it.

I am in a similar situation (squid at home) and I simply have a blacklist
with lines like these:

doubleclick
facebook
scorecardresearch

Works like a charm for me, and no need to look up IP address blocks
or anything like that. And since I am the only user here there's no
collateral damage. ;-)

> Thank you for sharing your thoughts.
>
> Cheers,
> STEFAN

CU, Sico.

--


Re: Blocking facebook.com: PF or squid?

Loïc Blot-2
In reply to this post by Stefan Wollny-2
Hello Stefan,
at home, I blocked facebook by creating an empty DNS zone "facebook.com"
on my local bind server. It works like a charm.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



On Saturday, 19 October 2013 at 00:27 +0200, Stefan Wollny wrote:

> Hi there,
>
> having a personal dislike of Facebook (and the MeeToo-systems alike)
> for their impertinent sniffing for private data I tried on my laptop to
> block facebook.com via hosts-file. Interestingly this failed: Calling
> "http://www.facebook.com" always resulted in a lookup for
> "httpS://www.facebook.com" and the respective site showed up in the
> browser (tried firefox and xombrero).
>
> Well: Besides accepting the fact that those facebook engineers did a
> fine job circumventing the entries in /etc/hosts I felt immediately
> insecure: The reports on this company's attitude towards even
> non-customers privacy are legendary. Their respective track record
> earns them the honorable title of "NSA's fittest supporter"...
>
> Anyway: I think I finally managed to block all their IPs via PF and on
> this laptop I now feel a little less 'observed'. [Yes, I know - this is
> just today's snapshot of IPs!]
>
> My question is on the squid-server I have running at home: What
> would make more sense - blocking facebook.com via pf.conf alike or are
> there reasons to use squid's ACL instead? Performance? Being
> ultra-paranoid and implementing both (or even additionally the
> hosts-file-block?)? From my understanding squid should not be able to
> block https-traffic as it is encrypted - or am I wrong here?
>
> Curious if there is a particular (Open)BSD solution or simply how you
> 'guys and gals' would do it.
>
> Thank you for sharing your thoughts.
>
> Cheers,
> STEFAN



Re: Blocking facebook.com: PF or squid?

Eric Furman-3
In reply to this post by Sico Bruins-3
Holy Jesus, nobody read this guy's email.
He is not an administrator trying to block users'
access to facebook, he just doesn't want facebook snooping
him when he visits other websites.
He has been given the right answer already.
Adsuck will solve all of his problems.
It will block facebook and any others he chooses.


On Sat, Oct 19, 2013, at 04:36 AM, Sico Bruins wrote:

> On Sat, Oct 19, 2013 at 12:27:38AM +0200, Stefan Wollny wrote:
>
> > Hi there,
> >
> > having a personal dislike of Facebook (and the MeeToo-systems alike)
> > for their impertinent sniffing for private data I tried on my laptop to
> > block facebook.com via hosts-file.
>
> <snip>
>
> > My question is on the squid-server I have running at home: What
> > would make more sense - blocking facebook.com via pf.conf alike or are
> > there reasons to use squid's ACL instead? Performance? Being
> > ultra-paranoid and implementing both (or even additionally the
> > hosts-file-block?)? From my understanding squid should not be able to
> > block https-traffic as it is encrypted - or am I wrong here?
>
> That is a misunderstanding, squid couldn't care less about encryption.
>
> > Curious if there is a particular (Open)BSD solution or simply how you
> > 'guys and gals' would do it.
>
> I am in a similar situation (squid at home) and I simply have a blacklist
> with lines like these:
>
> doubleclick
> facebook
> scorecardresearch
>
> Works like a charm for me, and no need to look up IP address blocks
> or anything like that. And since I am the only user here there's no
> collateral damage. ;-)
>
> > Thank you for sharing your thoughts.
> >
> > Cheers,
> > STEFAN
>
> CU, Sico.
>
> --


Re: Blocking facebook.com: PF or squid?

Sico Bruins-3
On Sat, Oct 19, 2013 at 05:42:04AM -0400, Eric Furman wrote:

> Holy Jesus, nobody read this guy's email.
> He is not an administrator trying to block users'
> access to facebook, he just doesn't want facebook snooping
> him when he visits other websites.
> He has been given the right answer already.
> Adsuck will solve all of his problems.
> It will block facebook and any others he chooses.

[stuff deleted for brevity]

As usual I read the whole thread before even considering replying.

Since I am in a similar situation (using squid as a Web proxy at
home) and no one seemed to have anything to contribute about doing
it with squid ACLs I thought I'd share my experiences with the same
'problem' as the OP has.

Nice thing about unix is that there's usually more than one way to
do things, and the OP indicated just that fact in the Subject line.

You should have called my reply off-topic, I might have agreed and
said sorry for it. ;-)

[rest deleted for brevity]

CU, Sico.

--


Re: Blocking facebook.com: PF or squid?

Craig Skinner-3
In reply to this post by Stefan Wollny-2
On 2013-10-19 Sat 01:56 AM |, Stefan Wollny wrote:
>
> No, no: The squid is running on a regular server at home securing the
> PCs and the laptop once I am around.

Maybe feed a modified version of this list to Squid (fb ad servers are
in there, adjust to block the whole thing):
http://pgl.yoyo.org/as/serverlist.php?hostformat=squid-dstdom-regex&showintro=0&startdate[day]=&startdate[month]=&startdate[year]=&mimetype=plaintext

A Squid idea which I've been meaning to try with the above
(needs mods: 'wget' should be 'ftp', should use /etc/rc.d/squid)
I run squid chrooted, so further mods needed for that too.
https://calomel.org/squid_adservers.html

DNS ideas which I use to block some advertising & other junk:
http://www.deer-run.com/~hal/sysadmin/dns-advert.html
http://www.holland-consulting.net/tech/imblock.html
http://box.matto.nl/dnsadblok.html

For my laptop when away from home, I've found the Firefox plugin 'Block
site' works:
https://addons.mozilla.org/En-us/firefox/addon/blocksite/

And another FX addon:
http://adblockplus.org/


Re: Blocking facebook.com: PF or squid?

Mike.
In reply to this post by Chris Cappuccio
On 10/18/2013 at 8:41 PM Chris Cappuccio wrote:

|i'd imagine that putting 'www.facebook.com' in your hosts file will do it,
|unless the browser ignores /etc/hosts
|
|[snip]
 =============


Don't forget to also block  fbcdn.com, fbcdn.net and fb.com
