On Sat, 19 Oct 2013 01:02:58 +0200, Marios Makassikis <mmakassi...@gmail.com> wrote:
Hi Marios!

[ ... ]

> >
> > Anyway: I think I finally managed to block all their IPs via PF and
> > on this laptop I now feel a little less 'observed'. [Yes, I know -
> > this is just today's snapshot of IPs!]
> >
>
> Did you block individual IPs or complete subnets ?

I used "whois -h whois.radb.net '!gAS32934'" to collect the subnets first
and put those into /etc/facebook. My pf.conf has this:

~~~~~~~~~~ QUOTE ~~~~~~~~~
table <facebook> persist file "/etc/facebook"
block log quick on $ExtIF from <facebook> to any
block log quick on $ExtIF from any to <facebook>
~~~~~~~~ QUOTE END ~~~~~~~

Logging is just for some time, to investigate whether this makes sense at all...

> Performing DNS resolution on facebook.com and fbcdn.net yields the
> 173.252.64.0/18 subnet. Blocking it is one additional PF rule or just
> updating a table of already blocked subnets / IPs.
>
> > My question is on the squid-server I have running at home: What
> > would make more sense - blocking facebook.com via pf.conf alike or
> > are there reasons to use squid's ACL instead? Performance? Being
> > ultra-paranoid and implementing both (or even additionally the
> > hosts-file-block?)? From my understanding squid should not be able
> > to block https-traffic as it is encrypted - or am I wrong here?
> >
> > Curious if there is a particular (Open)BSD solution or simply how
> > you 'guys and gals' would do it.
> >
> Having squid running on your laptop just to block facebook is way
> overkill IMHO.

No, no: the squid is running on a regular server at home, securing the PCs
and the laptop once I am around.

> Rather than populating (polluting?) your hosts file, I think using
> adsuck[1] would be simpler and get you similar results, especially if
> you don't want to use an external service such as OpenDNS.

Actually I started with adsuck when I noticed that facebook manages to
circumvent entries in /etc/hosts. I might have done something wrong, but
on my laptop any lookup for facebook.com got redirected to 'https' and
those lines in /var/adsuck/hosts.small had no effect:

# [Facebook]
127.0.0.1 fbstatic-a.akamaihd.net
127.0.0.1 fbcdn-dragon-a.akamaihd.net
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 facebook.de
127.0.0.1 de-de.facebook.com

> It is available as an OpenBSD package, and it's easily configured to
> block more than just facebook.

This is what I had expected.

> Marios
>
> [1] https://opensource.conformal.com/wiki/adsuck
>

Thanks a lot for your time to reply!

Regards,
STEFAN
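The step Stefan describes above (ask whois.radb.net for everything announced by AS32934, then feed the result to a persistent PF table) is worth seeing end to end, because the raw `!g` reply is not in the one-prefix-per-line shape that `table ... persist file` expects. The script below is an added example, not code from the mail: it wraps a constructed IRRd-style reply (assumed framing: an `A<length>` line, the space-separated prefix list, then `C`), turns it into a table file, and prints the three pf.conf lines from the mail with the interface and table name as parameters. 173.252.64.0/18 is the one prefix the thread mentions; the other prefixes are RFC 5737 documentation ranges standing in for real announcements, with one deliberately duplicated to show the de-duplication.

```shell
#!/bin/sh
# Added example (not from the original mail): build a PF table file from a
# RADB "!gAS<n>" reply. Live equivalent of SAMPLE_REPLY would be:
#   whois -h whois.radb.net '!gAS32934'
# CONSTRUCTED reply for offline use. Assumed IRRd framing: "A<len>", data, "C".
# 173.252.64.0/18 is from the thread; 192.0.2.0/24 and 198.51.100.0/24 are
# RFC 5737 placeholder ranges, and 192.0.2.0/24 appears twice on purpose.
SAMPLE_REPLY='A58
173.252.64.0/18 192.0.2.0/24 198.51.100.0/24 192.0.2.0/24
C'

# radb_to_pf_table: read an IRRd reply on stdin, drop the A<len>/C framing
# lines, split the prefix list, keep only syntactically valid IPv4 prefixes,
# and emit them de-duplicated, one per line (the format "persist file" loads).
radb_to_pf_table() {
    grep -v '^[AC]' | tr ' ' '\n' \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' \
        | sort -u
}

# pf_block_rules IFACE TABLE FILE: emit the rules quoted in the mail.
# "log" is kept so hits are visible in pflog while you decide whether the
# block is worth keeping.
pf_block_rules() {
    ifname=$1; table=$2; file=$3
    printf 'table <%s> persist file "%s"\n' "$table" "$file"
    printf 'block log quick on %s from <%s> to any\n' "$ifname" "$table"
    printf 'block log quick on %s from any to <%s>\n' "$ifname" "$table"
}

# count_prefixes: how many distinct prefixes the sample reply yields.
count_prefixes() {
    printf '%s\n' "$SAMPLE_REPLY" | radb_to_pf_table | wc -l | tr -d ' '
}

# Usage: write both files into a scratch directory so running the example
# never touches /etc. Interface name "em0" is an assumption.
tmp=${TMPDIR:-/tmp}/fbtable.$$
mkdir -p "$tmp"
printf '%s\n' "$SAMPLE_REPLY" | radb_to_pf_table > "$tmp/facebook"
pf_block_rules em0 facebook "$tmp/facebook" > "$tmp/pf.facebook.conf"
```

On a real box you would write the prefix list to /etc/facebook, check the rule set with `pfctl -nf /etc/pf.conf` before loading it, and refresh the table in place after each new whois run with `pfctl -t facebook -T replace -f /etc/facebook`, which avoids a full rule reload. Because the table is keyed on addresses rather than names, it also catches the HTTPS traffic that a hosts-file or proxy name match cannot see, which is the point Stefan was asking about.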