Hello,

On Thu, 13 May 2021, Walter Dnes wrote:
[..]
> And maybe either stop logging Facebook, or else log iptables messages
> to a separate file (how is that done?). The Facebook tracker messages
> are generated by iptables rules...
>
> -A INPUT -s 31.13.24.0/21 -j FECESBOOK
> -A INPUT -s 31.13.64.0/18 -j FECESBOOK
[..]
> -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
> -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
FWIW:

For one: why not filter the iptables messages into a separate logfile?
E.g. for syslog-ng (you'll need to add the filter to other filters/log;
having them in the filters you can use those more intuitively):

====
# kernel messages carrying both IN= and OUT= are the netfilter LOG lines
filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
filter f_console  { ... and not filter(f_iptables); };
filter f_messages { ... and not filter(f_iptables); };
filter f_warn     { ... and not filter(f_iptables); };
[..]
log { source(src); source(chroots); filter(f_messages); destination(messages); };

# Firewall (iptables) messages in one file:
destination firewall { file("/var/log/firewall" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables); destination(firewall); };
====

You might be logging more specifically, so you could add more specific
filters. That's what those filters (and log-prefixes in iptables) are for
after all :)

Also add a matching logrotate entry:

====
/var/log/firewall {
    delaycompress
    missingok
    notifempty
    size +4096k
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
    endscript
}
====

or some such as /etc/logrotate.d/firewall (or however you name your
iptables-logfile).

And second, how about setting up a local dnsmasq to send all fb-crap to
NXDOMAIN on the DNS-level?

==== dnsmasq.conf or e.g. /etc/dnsmasq.d/blocklist.conf [1] ====
address=/fb.com/
address=/fb.me/
address=/facebook.net/
address=/facebook.de/
address=/facebook.fr/
address=/facebook.co.uk/
address=/facebook.com/
address=/fbcdn.net/
address=/instagram.com/
address=/instagram.de/
address=/whatsapp.de/
address=/whatsapp.com/
address=/whatsapp.net/
====

That has the effect that all (sub-)domains with those names give NXDOMAIN,
i.e. are non-existent. Compare to:

$ nslookup there.is.no.such.domain.invalid

Depending on what sites you visit, you might add more domains like e.g.
facebook.ca, facebook.mx, facebook.es or whatever fb-domains sites that
you visit include...
Just as ideas,
-dnh

[1] you'll need a matching conf-dir or conf-file directive, preferably at
the end of the main /etc/dnsmasq.conf then, I use:

====
conf-dir=/etc/dnsmasq.d,*.conf
====

which includes all *.conf files from /etc/dnsmasq.d/ (and ignores other
files there like *.conf~ or Makefile or whatnot, so you can be creative
and e.g. generate your blocklist from a simple list of domains ;) E.g.:

==== /etc/dnsmasq.d/Makefile ====
all: blocklist.conf

# blocklist.conf.in holds one domain per line; each becomes an address=/domain/ line
blocklist.conf: blocklist.conf.in
	sort -u $< | sed 's@\(.*\)@address=/&/@' > $@
====

You get the ideas ;) (and if not: ask!)

-- 
Of course. Anything with more than 2 buttons is too complex. This
includes things with 2 or less buttons. This may include clothing.
-- Satya
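As an added illustration (not part of dnh's mail or Walter's setup), the same test the f_iptables filter applies, run in Python over a few constructed kernel log lines and tallied against the two ranges quoted from Walter's rules; the "FECESBOOK: " log-prefix and the sample addresses are assumptions.

```python
"""Apply the f_iptables filter test from the mail to syslog lines and count
hits per Facebook range, to see what actually lands in /var/log/firewall."""
import ipaddress
import re

# Ranges quoted from the iptables rules in the thread.
FB_RANGES = [ipaddress.ip_network(n) for n in ("31.13.24.0/21", "31.13.64.0/18")]

# Constructed sample lines (not real captures). The "FECESBOOK: " prefix is
# an assumed --log-prefix on the LOG rule; line 3 is ordinary kernel noise.
SAMPLE_LOG = """\
May 13 10:00:01 host kernel: [1234.5] FECESBOOK: IN=eth0 OUT= SRC=31.13.24.17 DST=192.168.1.5 PROTO=TCP SPT=443 DPT=51234
May 13 10:00:02 host kernel: [1234.6] FECESBOOK: IN= OUT=eth0 SRC=192.168.1.5 DST=31.13.71.36 PROTO=TCP SPT=51235 DPT=443
May 13 10:00:03 host kernel: [1234.7] usb 1-1: new high-speed USB device
May 13 10:00:04 host kernel: [1234.8] FECESBOOK: IN= OUT=eth0 SRC=192.168.1.5 DST=8.8.8.8 PROTO=UDP SPT=40000 DPT=53
"""

FIELD = re.compile(r"\b(SRC|DST)=(\S+)")


def is_iptables_line(line):
    """Same test as the syslog-ng filter: kernel facility, message has IN= and OUT=."""
    return " kernel: " in line and "IN=" in line and "OUT=" in line


def matching_range(addr):
    """Return the CIDR string the address falls in, or None."""
    ip = ipaddress.ip_address(addr)
    for net in FB_RANGES:
        if ip in net:
            return str(net)
    return None


def tally(log_text):
    """Count filtered lines per Facebook range (INPUT -s or OUTPUT -d side)."""
    counts = {}
    for line in log_text.splitlines():
        if not is_iptables_line(line):
            continue
        fields = dict(FIELD.findall(line))
        for key in ("SRC", "DST"):
            net = matching_range(fields.get(key, "0.0.0.0"))
            if net:
                counts[net] = counts.get(net, 0) + 1
                break
    return counts


if __name__ == "__main__":
    print(tally(SAMPLE_LOG))
```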