Re: Set a deny rule for a URL in IPFW by its domain name
Just use a dns override for the domains you want to block. Regards, Nathan Sent from my iPhone > On 1 Dec 2015, at 1:52 AM, Julian Elischerwrote: > >> On 30/11/2015 8:02 PM, Ian Smith wrote: >> On Mon, 30 Nov 2015 16:48:49 +0530, Kulamani Sethi wrote: >> > Hi all, >> >I am using ipfw3, can i block a URL by its domain name? When i am >> > setting rules in IPFW by its domain name, it simple set rule by its >> > corresponding IP. >> > Here example how i set >> > >> > C:>ipfw add 1002 deny log ip from www.google.com to any >> > >> > As i know most of the websites uses dynamic IP, it simple changes there IP >> > periodically. This rule i set for google is worked for few moment, then it >> > allow the packets to my terminal. > the only way to do this is to make a daemon similar to what I wrote for cisco > many years ago. > it acts as a DNS 'man-in-the-middle' and compares all DNS responses against > black/white lists. > WHen it gets a hit it: > 1/ returns a suitably altered answer. > 2/ adds the address found to a black or white table in ipfw. > > Since Secure DNS is getting more popular, it would probably make more sense > these days to make unbound or bind > feed their work through some filter module to do the same thing. > > ___ > freebsd-ipfw@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org" ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
Re: Set a deny rule for a URL in IPFW by its domain name
On 30/11/2015 8:02 PM, Ian Smith wrote: On Mon, 30 Nov 2015 16:48:49 +0530, Kulamani Sethi wrote: > Hi all, >I am using ipfw3, can i block a URL by its domain name? When i am > setting rules in IPFW by its domain name, it simple set rule by its > corresponding IP. > Here example how i set > > C:>ipfw add 1002 deny log ip from www.google.com to any > > As i know most of the websites uses dynamic IP, it simple changes there IP > periodically. This rule i set for google is worked for few moment, then it > allow the packets to my terminal. the only way to do this is to make a daemon similar to what I wrote for cisco many years ago. it acts as a DNS 'man-in-the-middle' and compares all DNS responses against black/white lists. WHen it gets a hit it: 1/ returns a suitably altered answer. 2/ adds the address found to a black or white table in ipfw. Since Secure DNS is getting more popular, it would probably make more sense these days to make unbound or bind feed their work through some filter module to do the same thing. ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
Re: Set a deny rule for a URL in IPFW by its domain name
On Mon, 30 Nov 2015 16:48:49 +0530, Kulamani Sethi wrote: > Hi all, >I am using ipfw3, can i block a URL by its domain name? When i am > setting rules in IPFW by its domain name, it simple set rule by its > corresponding IP. > Here example how i set > > C:>ipfw add 1002 deny log ip from www.google.com to any > > As i know most of the websites uses dynamic IP, it simple changes there IP > periodically. This rule i set for google is worked for few moment, then it > allow the packets to my terminal. % dig www.google.com ; <<>> DiG 9.6.-ESV-R3 <<>> www.google.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16574 ;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.google.com.IN A ;; ANSWER SECTION: www.google.com. 43 IN A 220.233.196.223 www.google.com. 43 IN A 220.233.196.219 www.google.com. 43 IN A 220.233.196.249 www.google.com. 43 IN A 220.233.196.234 www.google.com. 43 IN A 220.233.196.229 www.google.com. 43 IN A 220.233.196.245 www.google.com. 43 IN A 220.233.196.212 www.google.com. 43 IN A 220.233.196.251 www.google.com. 43 IN A 220.233.196.216 www.google.com. 43 IN A 220.233.196.227 www.google.com. 43 IN A 220.233.196.238 www.google.com. 43 IN A 220.233.196.241 www.google.com. 43 IN A 220.233.196.240 www.google.com. 43 IN A 220.233.196.230 www.google.com. 43 IN A 220.233.196.208 www.google.com. 43 IN A 220.233.196.218 ;; Query time: 31 msec ;; SERVER: 220.233.0.4#53(220.233.0.4) ;; WHEN: Mon Nov 30 22:34:28 2015 ;; MSG SIZE rcvd: 288 .. and that's just a list of www.google.com addresses at/via my ISP. it's not so much - in this case - of changing addresses periodically (where periodically for things like file and music sharing sites may be as often as once per minute) but also of having many different addresses provided in different parts of the world, as above. Your own provider might also provide fast proxies to google, youtube, netflix, facebook, twitter .. or most/all large content providers. So no, if it doesn't have a fixed IP address, ipfw rules won't work. You could add addresses to a table, easy to update as you go without needing to reload your ipfw rules, and use something like: # ipfw add deny log ip4 from table\(88\) to any but if you hope to block sites like google, expect lots of work :) cheers, Ian ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"