Re: Set a deny rule for a URL in IPFW by its domain name

2015-11-30 Thread Nathan Aherne
Just use a dns override for the domains you want to block.

Regards,
Nathan
Sent from my iPhone

> On 1 Dec 2015, at 1:52 AM, Julian Elischer  wrote:
> 
>> On 30/11/2015 8:02 PM, Ian Smith wrote:
>> On Mon, 30 Nov 2015 16:48:49 +0530, Kulamani Sethi wrote:
>>  > Hi all,
>>  > I am using ipfw3; can I block a URL by its domain name? When I am
>>  > setting rules in IPFW by its domain name, it simply sets the rule by its
>>  > corresponding IP.
>>  > Here is an example of how I set it:
>>  >
>>  > C:>ipfw add 1002 deny log ip  from www.google.com to any
>>  >
>>  > As I know, most websites use dynamic IPs; they simply change their IP
>>  > periodically. The rule I set for google worked for a few moments, then it
>>  > allowed the packets to my terminal.
> The only way to do this is to make a daemon similar to what I wrote for cisco 
> many years ago.
> It acts as a DNS 'man-in-the-middle' and compares all DNS responses against 
> black/white lists.
> When it gets a hit it:
> 1/ returns a suitably altered answer.
> 2/ adds the address found to a black or white table in ipfw.
> 
> Since Secure DNS is getting more popular, it would probably make more sense 
> these days to make unbound or bind feed their work through some filter module 
> to do the same thing.
> 
> ___
> freebsd-ipfw@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"


Re: Set a deny rule for a URL in IPFW by its domain name

2015-11-30 Thread Julian Elischer

On 30/11/2015 8:02 PM, Ian Smith wrote:

On Mon, 30 Nov 2015 16:48:49 +0530, Kulamani Sethi wrote:
  > Hi all,
  > I am using ipfw3; can I block a URL by its domain name? When I am
  > setting rules in IPFW by its domain name, it simply sets the rule by its
  > corresponding IP.
  > Here is an example of how I set it:
  >
  > C:>ipfw add 1002 deny log ip  from www.google.com to any
  >
  > As I know, most websites use dynamic IPs; they simply change their IP
  > periodically. The rule I set for google worked for a few moments, then it
  > allowed the packets to my terminal.

The only way to do this is to make a daemon similar to what I wrote 
for cisco many years ago.
It acts as a DNS 'man-in-the-middle' and compares all DNS responses 
against black/white lists.

When it gets a hit it:
1/ returns a suitably altered answer.
2/ adds the address found to a black or white table in ipfw.

Since Secure DNS is getting more popular, it would probably make more 
sense these days to make unbound or bind feed their work through some 
filter module to do the same thing.


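The filter Julian describes (and the DNS override Nathan suggests in his reply) can be sketched in a few dozen lines. What follows is an added example written for this thread, not Julian's daemon and not part of FreeBSD, unbound or bind: it parses a raw DNS response, rewrites A records whose owner name is on a blocklist to a sinkhole address (the "suitably altered answer"), and returns the original addresses so the caller can add them to an ipfw table (step 2/). The blocklist names, the sinkhole address 0.0.0.0, table number 88 and the `build_response` helper that constructs a sample packet are all assumptions of the example.

```python
"""DNS response filter: rewrite blocked A records and collect their addresses.

Added example, not code from the thread or from FreeBSD. It assumes the
filter sees each upstream response as raw bytes (for instance from a UDP
socket sitting between stub resolver and upstream server).
"""
import struct

SINKHOLE = "0.0.0.0"                              # assumed altered answer
BLOCK_TABLE = 88                                  # assumed ipfw table number
BLOCKLIST = {"ads.example.", "tracker.example."}  # constructed sample names


def _encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(pkt, off):
    """Decode a possibly compressed name at pkt[off]; return (name, next_off)."""
    labels = []
    end = None                      # offset after the first compression pointer
    while True:
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:   # two-byte pointer into an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def filter_response(pkt, blocklist=BLOCKLIST, sinkhole=SINKHOLE):
    """Return (rewritten_packet, blocked_addresses).

    A records (type 1, class IN) owned by a blocklisted name are rewritten in
    place to the sinkhole address; the addresses originally returned are
    collected so they can be fed to the ipfw table as a backstop.
    """
    out = bytearray(pkt)
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):          # skip the question section
        _, off = _read_name(pkt, off)
        off += 4                      # QTYPE + QCLASS
    sink = bytes(int(x) for x in sinkhole.split("."))
    blocked = []
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4 and name in blocklist:
            blocked.append(".".join(str(b) for b in pkt[off:off + 4]))
            out[off:off + 4] = sink   # the "suitably altered answer"
        off += rdlen
    return bytes(out), blocked


def ipfw_table_commands(addrs, table=BLOCK_TABLE):
    """argv lists for `ipfw table <n> add <addr>`, one per blocked address."""
    return [["ipfw", "table", str(table), "add", a] for a in addrs]


def build_response(qname, addrs, txid=0x1234, ttl=43):
    """Construct a sample NOERROR response with one A record per address.

    Answer owner names use a compression pointer (0xC00C) to the question
    name at offset 12, exercising the pointer path in _read_name.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += bytes(int(x) for x in a.split("."))
    return header + question + answers


if __name__ == "__main__":
    sample = build_response("ads.example.", ["203.0.113.10", "203.0.113.11"])
    rewritten, hits = filter_response(sample)
    print("altered answer:", rewritten.hex())
    for cmd in ipfw_table_commands(hits):
        print(" ".join(cmd))
```

Two caveats follow directly from Julian's remark about Secure DNS. Rewriting an answer alters signed data, so a DNSSEC-validating stub will reject the altered response; that is why the filtering belongs inside the validating resolver (an unbound or bind module) rather than on the wire in front of it. And the filter only sees names that clients actually resolve through it; connections to a hard-coded or previously cached address bypass it, which is what step 2/ (the ipfw table) is there to catch.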

Re: Set a deny rule for a URL in IPFW by its domain name

2015-11-30 Thread Ian Smith
On Mon, 30 Nov 2015 16:48:49 +0530, Kulamani Sethi wrote:
 > Hi all,
 > I am using ipfw3; can I block a URL by its domain name? When I am
 > setting rules in IPFW by its domain name, it simply sets the rule by its
 > corresponding IP.
 > Here is an example of how I set it:
 > 
 > C:>ipfw add 1002 deny log ip  from www.google.com to any
 > 
 > As I know, most websites use dynamic IPs; they simply change their IP
 > periodically. The rule I set for google worked for a few moments, then it
 > allowed the packets to my terminal.

% dig www.google.com

; <<>> DiG 9.6.-ESV-R3 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16574
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com. 43  IN  A   220.233.196.223
www.google.com. 43  IN  A   220.233.196.219
www.google.com. 43  IN  A   220.233.196.249
www.google.com. 43  IN  A   220.233.196.234
www.google.com. 43  IN  A   220.233.196.229
www.google.com. 43  IN  A   220.233.196.245
www.google.com. 43  IN  A   220.233.196.212
www.google.com. 43  IN  A   220.233.196.251
www.google.com. 43  IN  A   220.233.196.216
www.google.com. 43  IN  A   220.233.196.227
www.google.com. 43  IN  A   220.233.196.238
www.google.com. 43  IN  A   220.233.196.241
www.google.com. 43  IN  A   220.233.196.240
www.google.com. 43  IN  A   220.233.196.230
www.google.com. 43  IN  A   220.233.196.208
www.google.com. 43  IN  A   220.233.196.218

;; Query time: 31 msec
;; SERVER: 220.233.0.4#53(220.233.0.4)
;; WHEN: Mon Nov 30 22:34:28 2015
;; MSG SIZE  rcvd: 288

.. and that's just a list of www.google.com addresses at/via my ISP.

It's not so much - in this case - a matter of changing addresses periodically 
(where periodically for things like file and music sharing sites may be 
as often as once per minute) but also of having many different addresses 
provided in different parts of the world, as above.

Your own provider might also provide fast proxies to google, youtube, 
netflix, facebook, twitter .. or most/all large content providers.

So no, if it doesn't have a fixed IP address, ipfw rules won't work.

You could add addresses to a table, easy to update as you go without 
needing to reload your ipfw rules, and use something like:

 # ipfw add deny log ip4 from table\(88\) to any

but if you hope to block sites like google, expect lots of work :)

cheers, Ian