On 16/12/2014 06:02, meino.cramer@×××.de wrote:
>
>
> Alan McKinnon <alan.mckinnon@×××××.com> [14-12-16 03:43]:
>> On 15/12/2014 18:47, meino.cramer@×××.de wrote:
>>> Hi,
>>>
>>> this question is not related to a fully fledged,
>>> big local area network with DMZs and such.
>>>
>>> Even the word "firewall" seems to be a little too
>>> "huge and mighty" in this context to me.
>>>
>>> "The network" consists of a PC, which is connected
>>> to a FritzBox (cable, no Wifi/WLAN), which connects
>>> to the ISP (internet) and (same address range) to an
>>> embedded system (eth1).
>>>
>>> There are two additional embedded systems, both on
>>> a separate interface (eth over usb: usb0 & usb1).
>>>
>>> I want to block (DROP or REJECT) the access to certain
>>> sites (the "noise" which is produced mostly by sites,
>>> which all exclusively "only want my best": ads, trackers, analysts
>>> and so on...)
>>>
>>> I tried different tools: fwbuilder, which locks up either itself
>>> or my ruleset... I had to reboot; and Shorewall, which definitely
>>> is a great tool... a little too great a tool and much more capable
>>> than I am... ;)
>>>
>>> I am sure that the problems are mostly not the problems of the
>>> tools but mine.
>>>
>>> Is there any simple, straightforward tool to just block accesses
>>> to certain sites?
>>
>>
>>
>> to do it network-wide: squid
>>
>> to do it on a per-pc per-browser basis: there's a large variety of
>> firefox plugins to choose from that will block this and allow that. It
>> seems to me this is the better approach as you want to stop your browser
>> chatting with sites who only have your best interest at heart :-)
>>
>>
>> Either way, the list of black and white lists gets very big very quick,
>> so choose your tool carefully. Try a bunch and pick one that makes sense
>> to you, bonus points if it comes with a community-supported blacklist
>> you can drop in, maintained by people whose POV matches your own.
>>
>> You don't want a classic firewall for this; firewalls are mostly built
>> to block based on address and port, this is not how you solve your problem.
>>
>> --
>> Alan McKinnon
>> alan.mckinnon@×××××.com
>>
>
> Hi Alan,
>
> thanks for the reply! :)
>
> actually the thing is: There is a plugin called "NoScript" which
> constantly accesses secure.informaction.com, which is the author
> of this plugin.
> I tried a lot to block that access from inside firefox but did
> not find a way to do so (read: _I_ did not find... ;)
>
> If you know a plugin for firefox which is able to block accesses
> from all other plugins to certain sites of the internet I would
> be happy to check that out.

I don't know of a plugin that specifically does that; I do know that
there are Firefox plugins for just about anything you could imagine,
that's why I made the suggestion.


>
> I tried to block the accesses via iptables rules which DROP/REJECT
> the name and the IP address of that site... no chance.
>
> The IP of that site has not changed...
>
> Wireshark still reports traffic to and from that site and following
> the TCP stream with wireshark shows that the traffic has encrypted
> contents.

That indicates something wrong with your iptables rules.

iptables works at the lowest level of the network stack (very little if
anything can bypass it) and wireshark works by reading the network
interface directly in promiscuous mode. The traffic you see probably
doesn't have an iptables rule to catch it. There are 4 addresses for that
domain name, did you include them all in the rule?

# dig secure.informaction.com +short
82.103.140.42
82.103.140.40
69.195.141.179
69.195.141.178



>
> The other access, whose origin I haven't located exactly yet (its
> origin is in firefox, a plugin I think), is to
> s3-1.amazonaws.com.
> I also want to block this.
>
> Please what is the plugin of the large variety of plugins, which is
> able to block access of all other plugins to customer defined sites?

As I said above, I don't track plugins too closely, so I don't know.
But someone else on this list will, lots of knowledgeable people around
here :-)




--
Alan McKinnon
alan.mckinnon@×××××.com
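An added example, not code from anyone in this thread: it turns the `dig +short` answer for a name into one REJECT rule per address and checks an existing ruleset for addresses that have no rule, which is the gap Alan suspects. The function names are my own; it assumes `dig` and `iptables-save` exist on the PC and that the blocked client is the PC itself (OUTPUT chain), with the chain name as an optional argument for the FORWARD case.

```sh
#!/bin/sh
# Example script (not from the thread). iptables matches addresses, not names,
# so a name has to be expanded to every A record it currently has, and the
# expansion has to be repeated when the DNS answer changes.

# Print the IPv4 A records a name resolves to right now, one per line.
resolve_a() {
    dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Read addresses from stdin and emit one REJECT rule per address.
# Optional $1 is the chain; OUTPUT covers traffic from this host,
# FORWARD would cover traffic routed through it (e.g. from eth1/usb0/usb1).
gen_rules() {
    chain=${1:-OUTPUT}
    while read -r addr; do
        [ -n "$addr" ] || continue
        printf 'iptables -A %s -d %s -j REJECT --reject-with icmp-admin-prohibited\n' \
            "$chain" "$addr"
    done
}

# Read iptables-save output from stdin and print the -d targets already in it
# (iptables-save writes single hosts as a.b.c.d/32; the /32 is stripped).
rule_targets() {
    sed -n 's#.* -d \([0-9.]*\)\(/32\)\{0,1\} .*#\1#p'
}

# $1: current addresses, $2: addresses already covered (both whitespace separated).
# Prints every address with no rule; returns 1 if any is missing, 0 otherwise.
missing_addrs() {
    covered=$(printf '%s ' $2)
    rc=0
    for a in $1; do
        case " $covered " in
            *" $a "*) ;;
            *) echo "$a"; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use (as root): generate rules for a name, then audit later.
#   resolve_a secure.informaction.com | gen_rules | sh
#   missing_addrs "$(resolve_a secure.informaction.com)" \
#                 "$(iptables-save | rule_targets)"
```

When the audit prints addresses, the name has gained records since the rules were written; rerunning the generator for just those addresses closes the gap.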