Hello,

On Thu, 13 May 2021, Walter Dnes wrote:
[..]
> And maybe either stop logging Facebook, or else log iptables messages
> to a separate file (how is that done?). The Facebook tracker messages
> are generated by iptables rules...
>
> -A INPUT -s 31.13.24.0/21 -j FECESBOOK
> -A INPUT -s 31.13.64.0/18 -j FECESBOOK
[..]
> -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
> -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK

FWIW:

For one: why not filter the iptables messages into a separate logfile?

E.g. for syslog-ng (you'll need to add the filter to other
filters/log, having them in the filters you can use those
more intuitively):

====
filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
filter f_console { ... and not filter(f_iptables); };
filter f_messages { ... and not filter(f_iptables); };
filter f_warn { ... and not filter(f_iptables); };
[..]
log { source(src); source(chroots); filter(f_messages); destination(messages); };

# Firewall (iptables) messages in one file:
destination firewall { file("/var/log/firewall" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables); destination(firewall); };
====

You might be logging more specifically, so you could add more specific
filters. That's what those filters (and log-prefixes in iptables) are
for after all :)

Also add a matching logrotate entry:

====
/var/log/firewall {
    delaycompress
    missingok
    notifempty
    size +4096k
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
    endscript
}
====

or some such as /etc/logrotate.d/firewall (or however you name your
iptables-logfile).

And second, how about setting up a local dnsmasq to send all fb-crap
to NXDOMAIN on the DNS-level?

==== dnsmasq.conf or e.g. /etc/dnsmasq.d/blocklist.conf [1] ====
address=/fb.com/
address=/fb.me/
address=/facebook.net/
address=/facebook.de/
address=/facebook.fr/
address=/facebook.co.uk/
address=/facebook.com/
address=/fbcdn.net/
address=/instagram.com/
address=/instagram.de/
address=/whatsapp.de/
address=/whatsapp.com/
address=/whatsapp.net/
====

That has the effect that all (sub-)domains with those names give
NXDOMAIN, i.e. are non-existent. Compare to:

$ nslookup there.is.no.such.domain.invalid

Depending on what sites you visit, you might add more domains like
e.g. facebook.ca, facebook.mx, facebook.es or whatever fb-domains
sites that you visit include...

Just as ideas,
-dnh

[1] you'll need a matching conf-dir or conf-file directive, preferably
at the end of the main /etc/dnsmasq.conf then, I use:
====
conf-dir=/etc/dnsmasq.d,*.conf
====
which includes all *.conf files from /etc/dnsmasq.d/ (and ignores
other files there like *.conf~ or Makefile or whatnot, so you can
be creative and e.g. generate your blocklist from a simple list of
domains ;) E.g.:
==== /etc/dnsmasq.d/Makefile
all: blocklist.conf
blocklist.conf: blocklist.conf.in
	sort -u $< | sed 's@\(.*\)@address=/&/@' > $@
====

You get the ideas ;) (and if not: ask!)

--
Of course. Anything with more than 2 buttons is too complex. This includes
things with 2 or less buttons. This may include clothing. -- Satya
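An added example, not part of the mail above or of dnsmasq itself: a small Python model of the two dnsmasq pieces discussed, generating blocklist.conf from a plain domain list (the Makefile's `sort -u | sed` step, here additionally lowercasing names and skipping comment lines, which the sed does not) and the suffix match by which `address=/facebook.com/` makes every subdomain answer NXDOMAIN while an unrelated name such as notfacebook.com is left alone. The domain list is constructed sample input.

```python
# Model of dnsmasq's address=/domain/ blocking (added example, not dnsmasq code).

# Constructed sample input, standing in for blocklist.conf.in.
BLOCKLIST_IN = """\
facebook.com
fbcdn.net
# comment lines are skipped
instagram.com
Facebook.com
whatsapp.net
"""


def generate_blocklist_conf(text: str) -> str:
    """One domain per line -> sorted, deduplicated address=/domain/ lines.
    Like `sort -u | sed 's@\\(.*\\)@address=/&/@'`, plus lowercasing,
    trailing-dot stripping and comment skipping (assumptions beyond the sed)."""
    domains = set()
    for line in text.splitlines():
        name = line.strip().lower().rstrip(".")
        if name and not name.startswith("#"):
            domains.add(name)
    return "".join(f"address=/{d}/\n" for d in sorted(domains))


def blocked_domains(conf: str) -> list[str]:
    """Parse address=/domain/ lines back into domain names. With nothing
    after the second slash dnsmasq answers NXDOMAIN for the whole domain."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("address=/") and line.endswith("/"):
            out.append(line[len("address=/"):-1].lower())
    return out


def is_blocked(qname: str, domains: list[str]) -> bool:
    """True if qname equals a blocked domain or is a subdomain of one.
    Matching is per DNS label, so www.facebook.com matches facebook.com
    but notfacebook.com does not."""
    labels = qname.lower().rstrip(".").split(".")
    for d in domains:
        dl = d.split(".")
        if len(labels) >= len(dl) and labels[-len(dl):] == dl:
            return True
    return False


if __name__ == "__main__":
    conf = generate_blocklist_conf(BLOCKLIST_IN)
    print(conf, end="")
    doms = blocked_domains(conf)
    for q in ("www.facebook.com", "static.xx.fbcdn.net", "notfacebook.com"):
        print(q, "->", "NXDOMAIN" if is_blocked(q, doms) else "resolved")
```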