On Fri, 18 Oct 2013 19:33:11 -0400, mia <kmiy...@comcast.net> wrote:

[ ... ]

> If you're handling DHCP for all of the traffic for your site, why not
> just set up a DNS server, point your DHCP clients to this DNS server
> and create an authoritative zone for facebook.com that points to
> somewhere other than Facebook?
>
> That's traditionally how I block traffic from our network from our
> users trying to go to places other than where I wish them to.
>
> The more savvy users could get around this by altering their DNS servers
> manually, which you can stop by blocking DNS traffic out of your network;
> this has the added bonus of cutting down bandwidth out of your
> network.
>
> If they get really sneaky and try to put host entries in for
> Facebook, you can do as you've been doing, blocking IPs, and maybe
> create a script that does an hourly lookup of all Facebook IPs and
> have it update your pf config and then reload pf.
>
> Aaron

Hi Aaron,

this might be another way to go. I haven't thought about this yet. The squid server has enough power to handle this as well (or I reactivate an old laptop).

There are at present only two other users left who are not experienced enough to fiddle with the DNS (at least not yet ;-) ). And other family members who show up occasionally get FB access via WLAN on their smartphones - my prime issue is the stealth connects to FB that I try to prevent.

If a guest just can't live without FB, I'd rather pull another cable to the router and have effectively a 'demilitarized zone' for them than expose the rest of the family to the wild.

Anyway: Thank you for sharing your ideas!

Regards,
STEFAN
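
The hourly lookup script suggested in the quoted message could look like the sketch below; it is an added example, not code from either poster. The table name `blocked_sites`, the name list, the pf.conf lines in the comment and the availability of `dig` on the firewall are assumptions.

```sh
#!/bin/sh
# Added example: refresh a pf table from DNS lookups, run hourly from cron.
# Assumed pf.conf lines (not from the thread):
#   table <blocked_sites> persist
#   block drop quick from any to <blocked_sites>

TABLE="blocked_sites"                      # hypothetical table name
NAMES="facebook.com www.facebook.com"      # names to resolve (assumed list)

# Keep only lines that are syntactically an IPv4 or IPv6 address.
# This drops CNAME targets, resolver error text and out-of-range octets,
# so nothing unexpected is ever loaded into the table.
filter_addrs() {
    awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($0, o, ".")
            ok = 1
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (ok) print
            next
        }
        /^[0-9A-Fa-f:]+$/ && /:.*:/ { print tolower($0) }
    ' | LC_ALL=C sort -u
}

# Query A and AAAA records for every configured name.
resolve_names() {
    for n in $NAMES; do
        dig +short A "$n"
        dig +short AAAA "$n"
    done
}

# Replace the table contents atomically; keep the old set if lookups fail,
# so a DNS outage does not silently empty the block list.
refresh_table() {
    tmp=$(mktemp) || return 1
    resolve_names | filter_addrs > "$tmp"
    if [ -s "$tmp" ]; then
        pfctl -t "$TABLE" -T replace -f "$tmp"
    else
        echo "no addresses resolved; table left unchanged" >&2
    fi
    rm -f "$tmp"
}

# Only touch pf when called as: script.sh run
if [ "${1:-}" = "run" ]; then
    refresh_table
fi
```

A DNS answer lists only the addresses handed out at that moment, so a table built this way is best-effort and works alongside the DNS override rather than replacing it.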