On 10/18/13 18:27, Stefan Wollny wrote:
Hi there,

having a personal dislike of Facebook (and the MeeToo-systems alike)
for their impertinent sniffing for private data I tried on my laptop to
block facebook.com via hosts-file. Interestingly this failed: Calling
"http://www.facebook.com" always resulted in a lookup for
"httpS://www.facebook.com" and the respective site showed up in the
browser (tried firefox and xombrero).

Well: Besides accepting the fact that those facebook engineers did a
fine job circumventing the entries in /etc/hosts I felt immediately
insecure: The reports on this company's attitude towards even
non-customers' privacy are legendary. Their respective track record
earns them the honorable title of "NSA's fittest supporter"...

Anyway: I think I finally managed to block all their IPs via PF and on
this laptop I now feel a little less 'observed'. [Yes, I know - this is
just today's snapshot of IPs!]

My question is on the squid-server I have running at home: What
would make more sense - blocking facebook.com via pf.conf alike or are
there reasons to use squid's ACL instead? Performance? Being
ultra-paranoid and implementing both (or even additionally the
hosts-file-block?)? From my understanding squid should not be able to
block https-traffic as it is encrypted - or am I wrong here?

Curious if there is a particular (Open)BSD solution or simply how you
'guys and gals' would do it.

Thank you for sharing your thoughts.

Cheers,
STEFAN


If you're handling DHCP for all of the traffic for your site, why not just set up a DNS server, point your DHCP clients to this DNS server and create an authoritative zone for facebook.com that points to somewhere other than facebook?

That's traditionally how I block traffic from our network from our users trying to go to places other than where I wish them to.

The more savvy users could get around this by altering their DNS servers manually, which you can stop by blocking DNS traffic out of your network; this has the added bonus of cutting down bandwidth out of your network.

If they get really sneaky and try to put host entries in for facebook, you can do as you've been doing, blocking IPs, and maybe create a script that does an hourly lookup of all facebook IPs and have it update your pf config and then reload pf.

Aaron
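The hourly lookup-and-reload script Aaron sketches, as an added example written for this thread (not code from either poster). It assumes pf.conf already carries `table <blocked> persist file "/etc/pf/blocked.txt"` and a `block return quick to <blocked>` rule; the hostnames, table name and file path are placeholders, and host(1) and pfctl(8) are the OpenBSD base tools.

```shell
#!/bin/sh
# refresh-blocked.sh: resolve a list of hostnames and swap the result into
# a pf table, intended to run from cron, e.g. "0 * * * * /etc/pf/refresh-blocked.sh".
# Assumed defaults (override via environment):
HOSTS="${HOSTS:-www.facebook.com facebook.com}"   # names to block (placeholders)
TABLE="${TABLE:-blocked}"                         # pf table name from pf.conf
TABLE_FILE="${TABLE_FILE:-/etc/pf/blocked.txt}"   # file the table is loaded from

# resolve_host NAME: print every A and AAAA address for NAME, one per line.
# host(1) prints "NAME has address X" / "NAME has IPv6 address Y"; alias lines are skipped.
resolve_host() {
    host "$1" 2>/dev/null | awk '/has (IPv6 )?address/ { print $NF }'
}

# build_table: resolve all hosts and print a sorted, de-duplicated address list.
# LC_ALL=C keeps the ordering stable regardless of the cron environment's locale.
build_table() {
    for h in $HOSTS; do resolve_host "$h"; done | LC_ALL=C sort -u
}

# refresh_table: write a new snapshot and replace the in-kernel table atomically.
# If resolution yields nothing (DNS outage, outbound DNS blocked by mistake),
# the previous snapshot is kept instead of emptying the table.
refresh_table() {
    tmp=$(mktemp) || return 1
    build_table > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$TABLE_FILE" && pfctl -t "$TABLE" -T replace -f "$TABLE_FILE"
}

# Only act when executed as the script itself, not when sourced.
case "$0" in
    */refresh-blocked.sh|refresh-blocked.sh) refresh_table ;;
esac
```

`pfctl -T replace` swaps the whole table in one step, so addresses that dropped out of DNS are unblocked and new ones added together; as Stefan notes, each run is still only that hour's snapshot of addresses.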
