On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes <waltdnes@××××××××.org> wrote:
> On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote
>> On 12/30/2012 10:21 PM, Walter Dnes wrote:
>> > [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
>> > [0:0] -A FECESBOOK -j DROP
>> > [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
>> > [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
>> > [0:0] -A INPUT -i lo -j ACCEPT
>> > [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
>>
>> In fact, since you're blocking all outgoing packets to facebook, the
>> only state that a packet from facebook can have here is INVALID or NEW.
>> So traffic from facebook will be sent to the UNSOLICITED chain and DROPped.
>>
>>
>> > [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
>> > [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
>> > [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
>> > [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
>> > [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
>> > [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
>>
>> ...making these pointless =)
>
>
> I've run into at least one newspaper website (I forget which,
> it's occasionally used for links on Slashdot) which ends up trying to
> redirect me to a Facebook site even though the URL does not mention
> Facebook at all. There is other integration as well. See the first
> post in
> http://www.dslreports.com/forum/r26618459-Increasing-integration-of-facebook-into-many-web-sites
> I believe this may have been straightened out since then, but 13 months
> ago that post was correct. And then there's the "LIKE" button which
> shows up all over the web.
>
> The mere fact that you haven't manually typed in...
> http://www.facebook.com/blah_blah_blah does not mean you're not
> connecting to it.
|
But all that's above layer 3, since it's an HTTP redirect, or a page
transclusion which necessitates a new GET request. Michael's point
stands.

--
:wq
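
Added example, not part of the original thread: a first-match walk over the quoted INPUT rules, showing which rule packets from the listed ranges hit when their only possible conntrack states are INVALID or NEW, and which they would hit if ESTABLISHED replies existed. Assumptions: every jump is terminal (UNSOLICITED ends in DROP, as Michael describes), the packets arrive on eth0, and the sample source addresses are constructed.

```python
import ipaddress
from collections import Counter

# INPUT rules as quoted in the thread (packet counters stripped, duplicate kept).
RULES = """\
-A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
-A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
-A INPUT -s 69.63.176.0/20 -j FECESBOOK
-A INPUT -s 69.220.144.0/20 -j FECESBOOK
-A INPUT -s 69.63.176.0/20 -j FECESBOOK
-A INPUT -s 69.171.224.0/19 -j FECESBOOK
-A INPUT -s 200.58.112.0/20 -j FECESBOOK
-A INPUT -s 213.155.64.0/19 -j FECESBOOK
"""
# Constructed sample sources, one inside each listed range (not real traffic).
SAMPLE_SOURCES = ["69.63.176.1", "69.220.144.1", "69.171.224.1",
                  "200.58.112.1", "213.155.64.1"]

def parse(line):
    """Turn one iptables-save line into its match criteria and jump target."""
    tok = line.split()
    opts = dict(zip(tok, tok[1:]))  # each token mapped to the token after it
    return {"src": ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
            "iface": opts.get("-i"),
            "states": set(opts["--ctstate"].split(",")) if "--ctstate" in opts else None,
            "target": opts["-j"]}

PARSED = [parse(line) for line in RULES.splitlines()]

def first_match(src, iface, state):
    """Return (1-based rule number, target) of the first rule the packet hits.
    Assumption: every jump is terminal, so traversal stops at the first match."""
    addr = ipaddress.ip_address(src)
    for n, r in enumerate(PARSED, 1):
        if ((r["src"] is None or addr in r["src"])
                and (r["iface"] is None or r["iface"] == iface)
                and (r["states"] is None or state in r["states"])):
            return n, r["target"]
    return None, "POLICY"  # fell through to the chain policy

def hits(states, iface="eth0"):
    """Count first-match hits per (rule number, target) for the sample sources."""
    return Counter(first_match(s, iface, st) for s in SAMPLE_SOURCES for st in states)

if __name__ == "__main__":
    print("outbound blocked  :", dict(hits(["INVALID", "NEW"])))
    print("if replies existed:", dict(hits(["ESTABLISHED"])))
```

With only INVALID and NEW possible, every sample packet stops at rule 4 and the FECESBOOK rules count no hits; the duplicate 69.63.176.0/20 rule (rule 7) is never the first match in either case.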