Re: How to block facebook access


Re: How to block facebook access

Littlefield, Tyler
Make your proxy just blacklist facebook.com and m.facebook.com?
Blocking it will just let them view it on their phones though, so you're
looking at a different issue altogether.
On 8/19/2017 2:20 PM, Ernie Luzar wrote:

> Hello list;
>
> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
> are using their work PC's to access facebook during work.
>
> What method would recommend to block all facebook access?
>


--

Take Care,
Tyler Littlefield

Tyler Littlefield Consulting: website development and business
solutions. <http://tylerlittlefield.me> My personal site
<http://tysdomain.com> My Linkedin
<https://www.linkedin.com/in/ty-lerlittlefield> @Sorressean on Twitter
<http://twitter.com/sorressean>
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[hidden email]"

Re: How to block facebook access

Polytropon
On Sat, 19 Aug 2017 14:20:48 -0400, Ernie Luzar wrote:
> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
> are using their work PC's to access facebook during work.
>
> What method would recommend to block all facebook access?

That's quite easy: Block the IPs that belong to Facebook,
for example 185.60.216.35 and 157.240.20.36. Instead of
blocking them, you could also redirect them to your internal
web server which displays a nice "Back to work!" motivational
image. ;-)

However, this will only work from within your LAN. If the
users are able to access a WLAN with their smartphones, or
use their smartphones to connect to the Internet, the main
problem - probably any "doing Facebook at work" - cannot
be solved that easily. But you can keep your "work-related
resources" from being able to access Facebook.



--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

Re: How to block facebook access

Polytropon
In reply to this post by Littlefield, Tyler
On Sat, 19 Aug 2017 16:41:20 -0400, Ernie Luzar wrote:

>
> > On 8/19/2017 2:20 PM, Ernie Luzar wrote:
> >> Hello list;
> >>
> >> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
> >> are using their work PC's to access facebook during work.
> >>
> >> What method would recommend to block all facebook access?
> >>
>
>  > Littlefield, Tyler wrote:
>  > make your proxy just blacklist facebook.com and m.facebook.com?
>  > Blocking it will just let them view it on their phones though, so
>  > you're looking at a different issue altogether.
>
> Already blocking 15 facebook login ip address which can be added to or
> changes by FB anytime.

Yes, that is one of the core problems: You do not have control
over Facebook's network configuration. :-)

On the IP level, you can maintain a list of IPs to block. And
you could use resolver modification to do this for you, for
example when the IP for a certain Facebook service or page
changes, using the resolver its new IP will be added to the
block list. With this approach, you can block using both
numeric IPs and domain name strings (which of course resolve
to IPs, too).

Maybe it would be a lot easier if you could just switch to
whitelisting - define the IPs _allowed_ for the users. This
will surely introduce new problems like "I cannot access a
web site which I need for work, please verify and whitelist",
which is something you cannot fully automate.



> On the company floor we have a cell phone signal jammer, so employees
> are forced to leave building to use their cell phones which make them
> show up on security video. Since we started that last January, people
> just turn off their cell phones at work.

Do you have some specific workplace policy that explicitly
prohibits the use of non-work related web pages? In that case,
determine which user actually accesses Facebook and then send
them a "friendly reminder" to act according to the rules to
which they agreed, or else.




--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

Re: Re: How to block facebook access

Edgar Pettijohn III-2
In reply to this post by Littlefield, Tyler
> On Aug 19, 2017 at 3:41 PM, <Ernie Luzar> wrote:
>
> > On 8/19/2017 2:20 PM, Ernie Luzar wrote:
> >> Hello list;
> >>
> >> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
> >> are using their work PC's to access facebook during work.
> >>
> >> What method would recommend to block all facebook access?
> >>
> > Littlefield, Tyler wrote:
> > make your proxy just blacklist facebook.com and m.facebook.com?
> > Blocking it will just let them view it on their phones though, so
> > you're looking at a different issue altogether.
>
> Already blocking 15 facebook login ip address which can be added to or
> changes by FB anytime. Do not run a separate proxy on my server. Seems
> like over kill just to block a single domain name. Any other suggestions?
>
> On the company floor we have a cell phone signal jammer, so employees
> are forced to leave building to use their cell phones which make them
> show up on security video. Since we started that last January, people
> just turn off their cell phones at work.

I hope your company is outside the US.

https://www.fcc.gov/general/jamming-cell-phones-and-gps-equipment-against-law

Re: How to block facebook access

Matthew Seaman-2
In reply to this post by Polytropon
On 20/08/2017 12:44, Polytropon wrote:
>>> On the IP level, you can maintain a list of IPs to block. And
>>> you could use resolver modification to do this for you, for
>>> example when the IP for a certain Facebook service or page
>>> changes, using the resolver its new IP will be added to the
>>> block list. With this approach, you can block using both
>>> numeric IPs and domain name strings (which of course resolve
>>> to IPs, too).

>> I am unfamiliar with the "resolver modification" you speak of.
>> Is this a function in ipfilter firewall?
>> Where and how is this done?

> It's a term I probably invented because I don't know the correct
> name - if it even has a specific name. :-)

The term you're probably looking for is 'RPZ' (Response Policy Zone) --
this is an extension that allows you to override what your recursive
resolver will return for certain zones:

http://www.zytrax.com/books/dns/ch7/rpz.html

Effectively you can load a special zone file full of domains you want to
return other than the standard response for.  These zones can be AXFR'd
between a cluster of resolvers for ease of administration.

Implemented in bind -- this isn't an IETF specification, so may not be
available in other brands of nameserver, or if it is, may not
interoperate very well between different DNS software packages.

        Cheers,

        Matthew



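As an added example (not from Matthew's message or from the zytrax page he links), here is a small sh script that builds the kind of policy zone he describes for the domains named in this thread; the zone name rpz.local, its file name and the starting serial are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: build a BIND Response Policy Zone that
# answers NXDOMAIN for the listed domains and for everything under them.
# Assumptions: the policy zone is named "rpz.local" and is stored in
# rpz.local.zone; the serial is a made-up starting value.

# Print an RPZ zone file for the domains given as arguments.
# In RPZ, a trigger record "name CNAME ." means "answer NXDOMAIN".
gen_rpz_zone() {
    serial=${RPZ_SERIAL:-2017082001}
    printf '$TTL 60\n'
    printf '@ IN SOA localhost. root.localhost. (%s 3600 900 2592000 60)\n' "$serial"
    printf '@ IN NS localhost.\n'
    for d in "$@"; do
        case "$d" in
            *[!A-Za-z0-9.-]*|""|.*|*.)   # reject junk before it becomes a record
                echo "skipping invalid domain: $d" >&2; continue ;;
        esac
        printf '%s CNAME .\n' "$d"       # the domain itself
        printf '*.%s CNAME .\n' "$d"     # every name below it (www, m, login, ...)
    done
}

# Print the named.conf fragment that makes the resolver apply the zone.
# allow-query { none; } keeps the policy zone itself from being served.
gen_named_conf() {
    cat <<'EOF'
options {
    response-policy { zone "rpz.local"; };
};
zone "rpz.local" {
    type master;
    file "rpz.local.zone";
    allow-query { none; };
};
EOF
}

# Count trigger records in a zone read from stdin (a quick sanity check
# before reloading named).
count_triggers() {
    grep -c ' CNAME \.$'
}

# Example run with domains mentioned in the thread.
gen_rpz_zone facebook.com fbcdn.net tfbnw.net
gen_named_conf
```

After `rndc reload`, a lookup of www.facebook.com through that resolver returns NXDOMAIN while the zone file's own records stay hidden from clients.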

Re: How to block facebook access

Ernie Luzar
In reply to this post by Polytropon
What do you think about this method?

Add entries into /etc/hosts file.

127.0.0.1    blacked www.facebook.com
127.0.0.1    blacked n.facebook.com
127.0.0.1    blacked facebook.com
127.0.0.1    blacked login.facebook.com



Re: How to block facebook access

Roland Smith
In reply to this post by Littlefield, Tyler
On Sat, Aug 19, 2017 at 04:41:20PM -0400, Ernie Luzar wrote:

>
> > On 8/19/2017 2:20 PM, Ernie Luzar wrote:
> >> Hello list;
> >>
> >> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
> >> are using their work PC's to access facebook during work.
> >>
> >> What method would recommend to block all facebook access?
> >>
>
>  > Littlefield, Tyler wrote:
>  > make your proxy just blacklist facebook.com and m.facebook.com?
>  > Blocking it will just let them view it on their phones though, so
>  > you're looking at a different issue altogether.

> Already blocking 15 facebook login ip address which can be added to or
> changes by FB anytime. Do not run a separate proxy on my server. Seems
> like over kill just to block a single domain name. Any other suggestions?

On my own network I block facebook.com, tfbnw.net, fbcdn.net, fbcdn.com,
instagram.com and whatsapp.com on DNS level by returning NXDOMAIN.

I would hazard a guess that *most* facebook users wouldn't be technically
savvy enough to use an IP address.

Roland
--
R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93  FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)


Re: How to block facebook access

Shamim Shahriar
In reply to this post by Ernie Luzar
On 20/08/2017 14:57, Ernie Luzar wrote:

> What do you think about this method?
>
> Add entries into /etc/hosts file.
>
> 127.0.0.1    blacked www.facebook.com
> 127.0.0.1    blacked n.facebook.com
> 127.0.0.1    blacked facebook.com
> 127.0.0.1    blacked login.facebook.com
>
>
Let us run a test.

You put those in your /etc/hosts, then browse to

https://translate.googleusercontent.com/translate_c?act=url&depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=fr&sp=nmt4&tl=en&u=https://www.facebook.com/&usg=ALkJrhgBj74P54T9TLbTH5lswBUic39_cg

Did it work?

Regards


Re: How to block facebook access

Matthias Apitz
In reply to this post by Roland Smith
On Sunday, August 20, 2017 at 05:36:21 PM +0200, Roland Smith wrote:

> On my own network I block facebook.com, tfbnw.net, fbcdn.net, fbcdn.com,
> instagram.com and whatsapp.com on DNS level by returning NXDOMAIN.

Shouldn't the latter not be spelled as What's-Ape.com?
(sorry, could not resist)

> I would hazard a guess that *most* facebook users wouldn't be technically
> savvy enough to use an IP address.

True. To drive a car, one needs (at least in Europe) a driving license,
and a car has far fewer buttons than a computer. One should need
courses and an Internet license to use it.

        matthias

--
Matthias Apitz, ✉ [hidden email], ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.


Re: How to block facebook access

John Levine
In reply to this post by Roland Smith
In article <[hidden email]> you write:
>I would hazard a guess that *most* facebook users wouldn't be technically
>savvy enough to use an IP address.

Even if they are, FB will redirect them to a name.  They'd either have
to use an external DNS cache or a VPN.  I suppose one could preemptively
block port 53 requests out to 8.8.8.8 and 8.8.4.4.

R's,
John

Re: How to block facebook access

Ultima
Can also redirect requests to port 53 to your dns resolver. This is a
simple task on ipv4 but ipv6 is significantly more difficult to do so.
Still haven't figured out how to do this properly on ipv6 but an easy
solution is just blocking ipv6 dns requests.

On Sun, Aug 20, 2017 at 11:49 AM, John Levine <[hidden email]> wrote:

> In article <[hidden email]> you write:
> >I would hazard a guess that *most* facebook users wouldn't be technically
> >savvy enough to use an IP address.
>
> Even if they are, FB will redirect them to a name.  They'd either have
> to use an external DNS cache or a VPN.  I suppose one could preemptively
> block port 53 requests out to 8.8.8.8 and 8.8.4.4.
>
> R's,
> John
> _______________________________________________
> [hidden email] mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-
> [hidden email]"
>

Re: How to block facebook access

Frank Shute-2
In reply to this post by Littlefield, Tyler
On Sat, Aug 19, 2017 at 02:20:48PM -0400, Ernie Luzar wrote:
>
> Hello list;
>
> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
> are using their work PC's to access facebook during work.
>
> What method would recommend to block all facebook access?
>
 
Hi Ernie,


My recommendation would be to set up unbound(8) on your 11.1 machine (or
setup another) and configure everything on the LAN to use it for name
service.

You can then shove some local records in unbound.conf(5), such as:

local-zone: "facebook.com" refuse
local-zone: "doubleclick.net" refuse
...
etc.

If you then do a lookup from the LAN:

$ host facebook.com
Host facebook.com not found: 5(REFUSED)

Firefox and Chrome seem to handle that gracefully.

To stop any muppets who decide to use alternative name service, i.e. Google,
OpenDNS etc., configure ipfilter to drop any outgoing to 53 except from
your unbound machine.

Of course, other benefits are:

1). You can cut down on all sorts of additional superfluous traffic which
improves all sorts of things: contention, less bandwidth & quota needed
etc.

2). Lookups are a lot quicker if they're cached on the LAN; which your
users will appreciate.

This all somewhat depends on how computer savvy your users are and how
locked down their PCs are.

If they know what they're doing then they will find a way around it and
nothing short of nuking all of Facebook's DCs will stop it. Now there's
an idea....


Regards,

--

Frank



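As an added example (my own script, not Frank's or Ultima's configuration), the pieces of Frank's setup and Ultima's port-53 redirect generated from one domain list, plus a small report over ipmon output so hosts that try an outside resolver show up; the WAN interface em0, LAN interface em1, resolver address 192.0.2.53 (the gateway itself) and the log lines are all assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: emit the unbound.conf "refuse" zones
# Frank describes, the ipfilter rules that let only the resolver speak DNS
# to the outside, the ipnat redirect Ultima suggests (IPv4 only), and a
# report over ipmon(8) output listing clients whose DNS was blocked.
# Assumptions: em0 is the WAN side, em1 the LAN side, and unbound runs on
# the gateway itself at 192.0.2.53.

# unbound.conf lines: unbound answers REFUSED for each domain and, by
# default, for every name under it.
gen_unbound_zones() {
    for d in "$@"; do
        case "$d" in
            *[!A-Za-z0-9.-]*|""|.*|*.) echo "skipping invalid domain: $d" >&2; continue ;;
        esac
        printf 'local-zone: "%s" refuse\n' "$d"
    done
}

# ipf.conf rules: $1 = WAN interface, $2 = resolver address. "quick" makes
# the first match final, so the resolver's own queries pass and any other
# packet headed for port 53 is dropped and logged.
gen_ipf_dns_rules() {
    for proto in udp tcp; do
        printf 'pass out quick on %s proto %s from %s to any port = 53 keep state\n' "$1" "$proto" "$2"
    done
    for proto in udp tcp; do
        printf 'block out log quick on %s proto %s from any to any port = 53\n' "$1" "$proto"
    done
}

# ipnat.conf rules: $1 = LAN interface, $2 = resolver address. Rather than
# dropping, hand every client DNS request arriving from the LAN to the
# local resolver; the resolver on the gateway never enters via em1, so it
# is not looped back on itself.
gen_ipnat_dns_redirect() {
    for proto in udp tcp; do
        printf 'rdr %s 0.0.0.0/0 port 53 -> %s port 53 %s\n' "$1" "$2" "$proto"
    done
}

# Constructed ipmon(8)-style lines (approximate format, not a real capture).
SAMPLE_LOG='19/08/2017 14:20:48.123456 em0 @0:3 b 192.168.1.20,51234 -> 8.8.8.8,53 PR udp len 20 60 OUT
19/08/2017 14:20:49.000001 em0 @0:3 b 192.168.1.20,51235 -> 8.8.4.4,53 PR udp len 20 60 OUT
19/08/2017 14:21:02.400000 em0 @0:1 p 192.0.2.53,40000 -> 198.51.100.1,53 PR udp len 20 60 OUT
19/08/2017 14:21:10.000000 em0 @0:4 b 192.168.1.31,44444 -> 8.8.8.8,53 PR tcp len 20 60 OUT'

# Read ipmon lines on stdin; print "client-ip count" for blocked packets to
# port 53, busiest client first. These are the machines pointed at an
# outside resolver and worth a visit.
blocked_dns_clients() {
    awk '$5 == "b" && $8 ~ /,53$/ { split($6, a, ","); n[a[1]]++ }
         END { for (h in n) print h, n[h] }' | sort -k2,2nr -k1,1
}

# Example run with domains mentioned in the thread.
gen_unbound_zones facebook.com fbcdn.net tfbnw.net
gen_ipf_dns_rules em0 192.0.2.53
gen_ipnat_dns_redirect em1 192.0.2.53
printf '%s\n' "$SAMPLE_LOG" | blocked_dns_clients
```

Use either the block rules or the redirect, not both: the redirect keeps name resolution working for misconfigured clients, while the block rules make the bypass attempt visible in the log.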

Re: How to block facebook access

Adam Vande More
In reply to this post by Littlefield, Tyler
On Sat, Aug 19, 2017 at 1:20 PM, Ernie Luzar <[hidden email]> wrote:

> Hello list;
>
> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users are
> using their work PC's to access facebook during work.
>
> What method would recommend to block all facebook access?
>

Personally I would set up a transparent proxy, e.g. squid, and block it using
that.  DNS solutions are too fragile and something like squid can generate
comprehensive reports.

--
Adam

Re: How to block facebook access

Frank Shute-2
In reply to this post by Frank Shute-2
On Tue, Aug 22, 2017 at 11:58:07PM +0100, Frank Shute wrote:

>
> On Sat, Aug 19, 2017 at 02:20:48PM -0400, Ernie Luzar wrote:
> >
> > Hello list;
> >
> > Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
> > are using their work PC's to access facebook during work.
> >
> > What method would recommend to block all facebook access?
> >
>  
> Hi Ernie,
>
>
> My recommendation would be to set up unbound(8) on your 11.1 machine (or
> setup another) and configure everything on the LAN to use it for name
> service.
>
> You can then shove some local records in unbound.conf(5), such as:
>
> local-zone: "facebook.com" refuse
> local-zone: "doubleclick.net" refuse
> ...
> etc.
>
> If you then do a lookup from the LAN:
>
> $ host facebook.com
> Host facebook.com not found: 5(REFUSED)
>
> Firefox and Chrome seem to handle that gracefully.
>
> To stop any muppets who decide to use alternative name service ie. Google,
> OpenDNS etc. Configure ipfilter to drop any outgoing to 53 except from
> your unbound machine.
>
> Of course, other benefits are:
>
> 1). You can cutdown on all sorts of additional superfluous traffic which
> improves all sorts of things: contention, less bandwidth & quota needed
> etc.
>
> 2). Lookups are a lot quicker if they're cached on the LAN; which your
> users will appreciate.
>
> This all somewhat depends on how computer savvy your users are and how
> locked down their PCs are.
>
> If they know what they're doing then they will find away around it and
> nothing short of nuking all of Facebook's DCs will stop it. Now there's
> an idea....
Not long after I wrote the above, I came across: dns/void-zones-tools on
Freshports. It s/refuse/static/ and pulls in ~50,000 domains which are
associated with evil into unbound.conf. Read the blurb for it:

https://github.com/cyclaero/void-zones-tools

It takes its data from half a dozen maintained lists and converts them
into the format unbound understands. You can also whitelist/blacklist
other domains/IPs.

I've only been running it for a couple of days with Adblock Plus turned
off and it seems to work fine.

Definitely a win if you maintain a LAN/VLANs with Windows clients,
especially Windows 10, as one of the lists it sucks in lists where Windows
10 builtin spywar...telemetry goes to.

My informants, who reside not a million miles from Redmond, tell me that
MS are doing "significant work" on improving their "customer experience"
of Windows 10 Telemetry.

They're not changing the code in any way but rebranding it to:

"Visual Studio Telemetry .Net Agile"

You read it here first.

I can't tell you how proud it made me as a Brit to hear that nugget of
news. My tax pounds at work I thought, employing clueless and incompetent
Americans in a tax dodging American company's marketing department. Life
surely does not get a lot sweeter....

But then I remembered, we've got a Microsoftie on core@ and some others
slaving away in the code mines of Redmond with commit bits to src. Yes!
I was wrong, life does get even sweeter!


Regards,

--

Frank




Re: How to block facebook access

Duane Whitty
In reply to this post by Littlefield, Tyler


On 17-08-19 03:20 PM, Ernie Luzar wrote:

> Hello list;
>
> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
> are using their work PC's to access facebook during work.
>
> What method would recommend to block all facebook access?
>

Not sure if I missed this but did you say whether the users on your LAN
are tech savvy?  If they understand networking which of the above
solutions, other than white-listing, would prevent one of them from
setting up a web proxy at an address they control?  Maybe they might
even be really clever/motivated and take turns running a proxy at
different addresses :-)


Best Regards,
Duane

--
Duane Whitty
[hidden email]

Re: How to block facebook access

Tim Daneliuk
On 08/25/2017 03:41 PM, Duane Whitty wrote:

>
>
> On 17-08-19 03:20 PM, Ernie Luzar wrote:
>> Hello list;
>>
>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>> are using their work PC's to access facebook during work.
>>
>> What method would recommend to block all facebook access?
>>
>
> Not sure if I missed this but did you say whether the users on you LAN
> are tech savvy?  If they understand networking which of the above
> solutions, other than white-listing, would prevent one of them from
> setting up a web proxy at an address they control?  Maybe they might
> even be really clever/motivated and take turns running a proxy at
> different addresses :-)
A number of my corporate clients have very strict regulatory
requirements.  They have significant concerns about data leakage to
machines outside their control and solve this problem on their own networks by:

- Assigning non-routable IPs to their hosts, whether server or desktop.
  To make these nonrepudiable, the smarter customers use MAC-based
  DHCP to keep the same non-routable associated with a specific host.

- Closing every outbound port at the NATing firewall except 80 and 443
  which they ...

- Run through a proxy server which also acts as a man-in-the-middle SSL
  intruder so they can look at the content of encrypted connection.

- Very tight policies about what part of the web anyone can even go to,
  typically controlled on a per LDAP or AD group basis.  Among things
  routinely blocked are entertainment sites like FaceBook and YouTube
  (but there are many others).

- Deep inspection of all outbound emails for signs of leakage.

- Shutting off and alarming any attempt to use the USB ports to plug
  things in ... even just for charging.

It works remarkably well.  What NO one can stop is:

- A user's own device and wireless bandwidth (unless you run a cell
  jammer) and/or user connectivity to a nearby WiFi hotspot.  But even
  in that case, there is still an airgap between the users' devices
  and the corporate machinery.

- A user taking photographs of a screen with their cell phone thereby
  removing data. This is essentially impossible to catch 100% of the
  time.  The clients that are in Financial Services therefore require
  all employees and consultants to agree to realtime access to their
  retirement and trading accounts to defend against insider trading.


That's all it takes :)

----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/


Re: How to block facebook access

Duane Whitty


On 17-08-25 05:59 PM, Tim Daneliuk wrote:

> On 08/25/2017 03:41 PM, Duane Whitty wrote:
>>
>>
>> On 17-08-19 03:20 PM, Ernie Luzar wrote:
>>> Hello list;
>>>
>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>>> are using their work PC's to access facebook during work.
>>>
>>> What method would recommend to block all facebook access?
>>>
>>
>> Not sure if I missed this but did you say whether the users on you LAN
>> are tech savvy?  If they understand networking which of the above
>> solutions, other than white-listing, would prevent one of them from
>> setting up a web proxy at an address they control?  Maybe they might
>> even be really clever/motivated and take turns running a proxy at
>> different addresses :-)
> A number of my corporate clients have very strict regulatory
> requirements.  They have significant concerns about data leakage to
> machines outside their control solve this problem on their own networks by:
>
> - Assigning non-routable IPs to their hosts, whether server or desktop.
>   To make these nonrepudiable, the smarter customers use MAC-based
>   DHCP to keep the same non-routable associated with a specific host.
>
> - Closing every outbound port at the NATing firewall except 80 and 443
>   which they ...
>
> - Run through a proxy server which also acts as a man-in-the-middle SSL
>   intruder so they can look at the content of encrypted connection.
>
> - Very tight policies about what part of the web anyone can even go to,
>   typically controlled on a per LDAP or AD group basis.  Among things
>   routinely blocked are entertainment sites like FaceBook and YouTube
>   (but there are many others).
>
> - Deep inspection of all outbound emails for signs of leakage.
>
> - Shutting off and alarming any attempt to use the USB ports to plug
>   things in ... even just for charging.
>
> It works remarkably well.  What NO one can stop is:
>
> - A user's own device and wireless bandwidth (unless you run a cell
>   jammer) and/or user connectivity to a nearby WiFi hotspot.  But even
>   in that case, there is still an airgap between the users' devices
>   and the corporate machinery.
>
> - A user taking photographs of a screen with their cell phone thereby
>   removing data. This is essentially impossible to catch 100% of the
>   time.  The clients that are in Financial Services therefore require
>   all employees and consultants to agree to realtime access to their
>   retirement and trading accounts to defend against insider trading.
>
>
> That's all it takes :)
>
> ----------------------------------------------------------------------------
> Tim Daneliuk     [hidden email]
> PGP Key:         http://www.tundraware.com/PGP/
>
>
Yup, that sounds about right.  Don't forget audits as well to make sure
there are no "rogue" web/network engineers running their own proxies so
that they can get around these measures.

Best Regards,
Duane

--
Duane Whitty
[hidden email]

Re: How to block facebook access

Odhiambo Washington
In reply to this post by Adam Vande More
On 23 August 2017 at 03:08, Adam Vande More <[hidden email]> wrote:

> On Sat, Aug 19, 2017 at 1:20 PM, Ernie Luzar <[hidden email]> wrote:
>
> > Hello list;
> >
> > Running 11.1 & ipfilter with LAN behind the gateway server. LAN users are
> > using their work PC's to access facebook during work.
> >
> > What method would recommend to block all facebook access?
> >
>
> Personally I would setup a transparent proxy eg squid and block it using
> that.  DNS solutions are too fragile and something like squid can generate
> comprehensive reports.
>
> --
> Adam
>

In line with the KISS (Keep It Simple Stupid) principle, I beg to differ
with you! Using Squid in transparent mode is not the easiest way to block
HTTPS traffic. Think about setting up ssl_bump and all those certificates
you have to import on all the computers so that the cert is 'trusted', and
the pain you have to go through with the different browsers. I have been
there and found it far too much complex work.
I use dnsmasq+PF+BIND+DHCP (or unbound) to achieve this, but only because I
have to exempt some users from the blockage. If it was a blanket block, the
unbound REFUSE option is dandy - K.I.S.S - as detailed by Frank Shute.


--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

Re: How to block facebook access

Adam Vande More
On Sat, Aug 26, 2017 at 5:19 AM, Odhiambo Washington <[hidden email]>
wrote:

> In line with the KISS (Keep It Simple Stupid) principle, I beg to differ
> with you! Using Squid in transparent mode is not the easiest way to block
> HTTPS traffic. Think about setting up ssl_bump and all those certificates
> you have to import on all the computers so that the cert is 'trusted', and
> the pain you have to go through with the different browsers. I have been
> there and found it too much complex work.
>

Configuration management.  KISS

--
Adam