Hello,
On Thu, 13 May 2021, Walter Dnes wrote:
[..]
> And maybe either stop logging Facebook, or else log iptables messages
>to a separate file (how is that done?). The Facebook tracker messages
>are generated by iptables rules...
>
>-A INPUT -s 31.13.24.0/21 -j FECESBOOK
>-A INPUT -s 31.13.64.0/18 -j FECESBOOK
[..]
>-A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
>-A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
FWIW:
For one: why not filter the iptables messages into a seperate logfile?
E.g. for syslog-ng (you'll need to add the filter to other
filters/log, having them in the filters you can use those
more intuitively):
====
filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
filter f_console { ... and not filter(f_iptables); }
filter f_messages { ... and not filter(f_iptables); };
filter f_warn { ... and not filter(f_iptables); };
[..]
log { source(src); source(chroots); filter(f_messages); destination(messages);
};
# Firewall (iptables) messages in one file:
destination firewall { file("/var/log/firewall" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables); destination(firewall);
};
====
You might be logging more specifically, so you could add more specific
filters. That's what those filters (and log-prefixes in iptables) are
for after all :)
Also add a matching logrotate entry:
====
/var/log/firewall {
delaycompress
missingok
notifempty
size +4096k
sharedscripts
postrotate
/etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
endscript
}
====
or some such as /etc/logrotate.d/firewall (or however you name you
iptables-logfile.
And second, how about setting up a local dnsmasq to send all fb-crap
to NXDOMAIN on the DNS-level?
==== dnsmasq.conf or e.g. /etc/dnsmasq.d/blocklist.conf [1] ====
address=/fb.com/
address=/fb.me/
address=/facebook.net/
address=/facebook.de/
address=/facebook.fr/
address=/facebook.co.uk/
address=/facebook.com/
address=/fbcdn.net/
address=/instagram.com/
address=/instagram.de/
address=/whatsapp.de/
address=/whatsapp.com/
address=/whatsapp.net/
====
That has the effect that all (sub-)domains with those names give
NXDOMAIN, i.e. are non-existant. Compare to:
$ nslookup there.is.no.such.domain.invalid
Depending on what sites you visit, you might add more domains like
e.g. facebook.ca, facebook.mx, facebook.es or whatever fb-domains
sites that you visit include...
Just as ideas,
-dnh
[1] you'll need a matching conf-dir or conf-file directive, preferably
at the end of the main /etc/dnsmasq.conf then, I use:
====
conf-dir=/etc/dnsmasq.d,*.conf
====
which includes all *.conf files from /etc/dnsmasq.d/ (and ignores
other files there like *.conf~ or Makefile or whatnot, so you can
be creative and e.g. generate your blocklist from a simple list of
domains ;) E.g.:
==== /etc/dnsmasq.d/Makefile
all: blocklist.conf
blocklist.conf: blocklist.conf.in
sort -u $< | sed 's@\(.*\)@address=/&/@' > $@
====
You get the ideas ;) (and if not: ask!)
--
Of course. Anything with more than 2 buttons is too complex. This includes
things with 2 or less buttons. This may include clothing. -- Satya
