On 17:54, Tue, Dec 16, 2014 thegeezer <thegeezer@×××××××××.net> wrote:

On 15/12/14 20:39, Alan McKinnon wrote:
> On 15/12/2014 18:47, meino.cramer@×××.de wrote:
>> Hi,
>>
>> this question is not related to a fully fledged,
>> big local area network with DMZs and such.
>>
>> Even the word "firewall" seems to be a little too
>> "huge and mighty" in this context to me.
>>
>> "The network" consists of a PC, which is connected
>> to a FritzBox (cable, no Wifi/WLAN), which connects
>> to the ISP (internet) and (same address range) to an
>> embedded system (eth1)
>>
>> There are two additional embedded systems, both on
>> a separate interface (eth over usb: usb0 & usb1).
>>
>> I want to block (DROP or REJECT) the access to certain
>> sites (the "noise" which is produced mostly by sites,
>> which all exclusively "only want my best": ads, trackers, analysts
>> and so on...)
>>
>> I tried different tools: fwbuilder, which locks up either itself
>> or my ruleset...I had to reboot and Shorewall, which definitely
>> is a great tool....a little too great tool and much more capable
>> than I am... ;)
>>
>> I am sure that the problems are mostly not the problems of the
>> tools but mine.
>>
>> Is there any simple straightforward tool to just block accesses
>> to certain sites?
>
>
> to do it network-wide: squid

+1
and not in transparent mode either -- if you have a proxy server set
then https traffic is filtered by domain name as it is part of the proxy
connection request.
squid + squidGuard / dansguardian is the way forward.
for example, in my "advertisers/tracking" database there are some 12
thousand domains listed. good luck adding those individually to iptables.

the only other way to do things super paranoidly is by whitelisting
i.e. on the router just keep adding ip and port to whitelist table for
those you _want_
iptables -N whitelist
iptables -A whitelist -d 8.8.8.8 -p udp --dport 53 -j ACCEPT

iptables -A FORWARD -i LAN -o WAN -j whitelist
iptables -A FORWARD -j REJECT
|
57 |
this takes longer to "start" but is easier to maintain, as facebook for |
58 |
example are constantly buying ip ranges and adding them to their global |
59 |
domination, so you start by thinking you have blocked all 100 facebook |
60 |
ip addresses and then a month or two later discover they have another |
61 |
200 you need to block |
62 |
> |
63 |
> to do it on a per-pc per-browser basis: there's a large variety of |
64 |
> firefox plugins to chose from that will block this and allow that. It |
65 |
> seems to me this is the better approach as you want to stop your browser |
66 |
> chatting with sites who only have your best interest at heart :-) |
67 |
> |
68 |
> |
69 |
> Either way, the list of black and white lists gets very big very quick, |
70 |
> so chose your tool carefully. Try a bunch and pick one that makes sense |
71 |
> to you, bonus points if it comes with a community-supported blacklist |
72 |
> you can drop in, maintained by people whose POV matches your own. |
73 |
> |
74 |
> You don't want a classic firewall for this; firewalls are mostly built |
75 |
> to block based on address and port, this is not how you solve your problem |
76 |
> |
77 |
|
78 |
You can automate the process by using 'dig' and 'ipset'. |
79 |
|
80 |
Create an ipset named "Fbook" of type hash:ip, then every 5 minutes run a |
81 |
script that does a lookup for facebook.com and add the found IP to the |
82 |
Fbook ipset. |
83 |
|
84 |
|
85 |
Rgds, |
86 |
-- |
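The dig + ipset loop described in the last reply, written out as an added example (not the poster's own script). The set name "Fbook" and the 5-minute cadence come from the reply; the LAN/WAN interface names, the REJECT rule on the set and the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: keep an ipset in sync with the
# addresses a domain currently resolves to, and block forwarded traffic to
# that set. Set name "Fbook" and the 5-minute cadence are from the reply;
# the LAN/WAN interface names, the REJECT rule and the cron line are assumed.
SET_NAME="Fbook"
DOMAIN="facebook.com"

# Keep only IPv4 addresses from `dig +short` output, one per line, deduplicated.
# CNAME lines that dig prints before the A records are dropped.
extract_a_records() {
    printf '%s\n' "$1" | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u
}

# Resolve the domain; requires dig (bind-tools).
resolve_domain() {
    extract_a_records "$(dig +short A "$1")"
}

# Add every resolved address to the set. "-exist" makes the add idempotent,
# so repeated runs do not fail on addresses already present. Old addresses
# are never removed, so the set only grows (matches the reply's approach).
sync_set() {
    count=0
    for ip in $(resolve_domain "$1"); do
        ipset add "$SET_NAME" "$ip" -exist
        count=$((count + 1))
    done
    echo "$count"
}

# One-time setup: create the set and install a single FORWARD rule that
# matches the set as destination, so no per-address iptables rules are needed.
install_rules() {
    ipset create "$SET_NAME" hash:ip -exist
    iptables -C FORWARD -i LAN -o WAN -m set --match-set "$SET_NAME" dst -j REJECT 2>/dev/null \
        || iptables -A FORWARD -i LAN -o WAN -m set --match-set "$SET_NAME" dst -j REJECT
}

# Run from cron every 5 minutes, e.g. (assumed path):
#   */5 * * * * root /usr/local/sbin/fbook-sync.sh
# Guarded by an env var so that sourcing the file does not touch the firewall.
if [ "${FBOOK_SYNC_RUN:-0}" = "1" ]; then
    install_rules
    sync_set "$DOMAIN"
fi
```

Run as root with `FBOOK_SYNC_RUN=1` from the cron job; the same pattern works for any domain list by calling `sync_set` once per domain.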