Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: kavirajan on October 24, 2012, 04:36:06 pm

Title: How to block https://www.facebook.com
Post by: kavirajan on October 24, 2012, 04:36:06 pm
Hi Friends,

I came across too many blogs and threads on how to block facebook.com https, but nothing helped.
Really, is there any chance to block facebook? Tell me, and don't tell me too many threads are opened for this, because I came across those threads.

Please reply, anyone: is there any tutorial or documentation for this? Otherwise this product is a total waste from my point of view.
Title: Re: How to block https://www.facebook.com
Post by: christian on October 24, 2012, 04:48:04 pm
 ;D This product does much more than HTTP/HTTPS filtering, thus assuming blocking facebook would not work, it will still not be totally wasted isn't it ???  :P

Joke aside, I just can't believe you really tried to find some existing solution at least within this forum.
I just typed "facebook" in the search section and found 63 posts related to something similar to your question.
OK, some are not in English...  :)

Anyway, adding facebook.com in the list of denied domains will block it, this is as simple as this. It obviously assumes you are not using transparent but explicit proxy. If you use transparent proxy, then you can block HTTP access to facebook but not HTTPS, at least using proxy features.
Then you may try to implement some workarounds. This has been discussed at length in this forum.
I know search engine is not very powerful but it nevertheless should help you.
Title: Re: How to block https://www.facebook.com
Post by: kavirajan on October 24, 2012, 04:57:41 pm
Yes, I am using transparent proxy, so there is no chance to block facebook, is there?

So is there any chance to forward or redirect to some other web address?
Otherwise add 127.0.0.1 facebook.com to host file anything in squid file.

Will that work?

Please help or otherwise suggest me anything.
Title: Re: How to block https://www.facebook.com
Post by: Sam Graf on October 24, 2012, 06:10:00 pm
If you want to test a redirect, I think you'll have to combine at least two Zentyal 3.0 features: transparent DNS cache and denying Internet access by IP address using the HTTP proxy. If you want to redirect to an internal webserver, you can use the Zentyal webserver module.

In any case, you will want to set your redirect up and then look carefully across your network for any negative side effects and unintended consequences of your server's configuration. Regrettably, there is no method of blocking sites that I know of that blocks sites only and has no potential impact on workflow for the network's users. It may take trial and error to find the best solution for your particular situation.
Title: Re: How to block https://www.facebook.com
Post by: kavirajan on October 24, 2012, 06:56:16 pm
christian,

You have to work a lot and practice with Zentyal. I think you are not at moderator stage, you are like a newbie.

I succeeded. If you need my help, ping me and I will show step by step how to block an https site.



Title: Re: How to block https://www.facebook.com
Post by: christian on October 24, 2012, 07:02:21 pm
I know I still need to learn. Who doesn't  ;)
I try to practice with Zentyal as much as possible but I only use it at home, thus I suppose it limits my progress in this area.

If you know how to do it using transparent proxy, then feel free to explain. I think it will help a lot of people here.

This said, if you read carefully what I wrote  ;) I explained that using transparent proxy, you can't do this using proxy and have to implement workarounds.
But I believe you understood this already and come with solution I don't know yet. Please feel free to explain  ;D
Title: Re: How to block https://www.facebook.com
Post by: christian on October 24, 2012, 10:08:28 pm
kavirajan,

A few additional inputs that may help you to understand why controlling HTTPS doesn't work when it is used in transparent mode (except if "man-in-the-middle" is implemented, but as far as I know this is not yet done with Zentyal 3.0).

- have a look here (http://trac.zentyal.org/wiki/Documentation/Community/HowTo/SelectRightHTTPproxyDesign).
- if you don't want to read a document written by a newbie, just look at this picture. It clearly shows that when using transparent proxy, HTTPS is redirected at FW level and does not use proxy ;)
Title: Re: How to block https://www.facebook.com
Post by: kavirajan on October 25, 2012, 07:02:45 am
So you are telling me we are not able to block https sites along with transparent proxy, is that right?
Title: Re: How to block https://www.facebook.com
Post by: christian on October 25, 2012, 07:14:13 am
Sorry, I realize that you don't get me. Let me rephrase it:

If you are using transparent proxy, then controlling HTTPS can not be done using proxy but workaround like fake DNS entry or FW rules.

I thought my drawing was explicit enough but it is perhaps too simplistic and does not show the very detail.

Then if you want to know everything, ensuring 100% that you do control HTTPS (or even HTTP BTW) is just impossible. Like for viruses, you will have to fight forever in order to block all the external so called "free proxy" but this is another story isn't it  ;D
Title: Re: How to block https://www.facebook.com
Post by: kavirajan on October 25, 2012, 03:11:57 pm
Hey thanks christian,

your flow chart helped me to understand.
Actually it worked, but after refreshing or after 10 mins https facebook is working.

Please anyone help me,

66.220.149.88   www.facebook.com        
66.220.152.16   www.facebook.com        
69.171.234.21   www.facebook.com        
69.171.237.16   www.facebook.com        
69.171.247.21   www.facebook.com

If these IPs are added to the client host file it works perfectly, https facebook is blocked.
So my question is: if I add these IPs to the Zentyal OS host or squid file, will that help to block it?
My only drawback will be facebook https access. Please help, I need to implement this weekend.
Title: Re: How to block https://www.facebook.com
Post by: christian on October 25, 2012, 03:37:34 pm
Quote from kavirajan: "So my question is: if I add these IPs to the Zentyal OS host or squid file, will that help to block it?"

As you ask this, it shows that my drawing is not clear enough or at least that you don't understand it  :-[
Unfortunately, I'm not skilled enough to explain better or differently  ::)
Let me try once more however: with transparent proxy, HTTPS flow does not go through proxy (here Squid) but is handled by FW only, reason why you have to implement workaround like fake DNS entries.

hint from newbie  ;) : it obviously depends on which DNS your clients are using... look carefully at this drawing again. Use of DNS is different whenever you use transparent or explicit proxy.
Title: Re: How to block https://www.facebook.com
Post by: kavirajan on October 26, 2012, 09:41:11 am
Hi Christian,

Then please help with how to create fake DNS or FW rules, facebook is the only drawback.

Please explain with a real time example, it's so helpful for us.

Is there any chance or not, at least using fake DNS or FW? Please tell me directly.
Title: Re: How to block https://www.facebook.com
Post by: Escorpiom on October 26, 2012, 12:17:01 pm
There have been a couple of discussions about blocking Facebook, some solutions may work to some extent.
There is a topic that suggests blocking complete subnets with the firewall, at the risk of blocking legitimate sites.
Fake DNS may work but then again, you can surf to some proxy site and enter facebook from there...
And what about using other DNS servers? Is the Zentyal transparent DNS a catch-all solution?

Cheers.
 
Title: Re: How to block https://www.facebook.com
Post by: christian on October 26, 2012, 12:59:55 pm
The only way to block any web site that is using HTTPS is to block HTTPS at FW level and also prevent use of external "free proxy" (which is almost impossible  :-\).
This will quickly lead you toward another approach that is to authorize only sites explicitly and deny what is not authorized.
This does work but there is no such thing as a free lunch isn't it?  ;D ;D

So, at the end, this is a balance between tightly controlled web access but few added value for end-users (perhaps this may fit your own expectation) and reasonably controlled access but not 100%.

For sure, use of transparent proxy makes this slightly less easy but this is another discussion.
Title: Re: How to block https://www.facebook.com
Post by: Sam Graf on October 26, 2012, 02:34:39 pm
Quote from kavirajan: "Is there any chance or not, at least using fake DNS or FW? Please tell me directly."

You've probably already understood this from what christian and Escorpiom have already said, but there is no chance that you can do any one or two things and completely block access to Facebook. Using an explicit proxy may make that particular task easier, but at the possible or probable expense of complicating several other things on your network.

There really is no free lunch here. There is no simple step-by-step recipe to follow to block Facebook that will work for everybody, to my knowledge. :(
Title: Re: How to block https://www.facebook.com
Post by: kavirajan on October 30, 2012, 02:02:17 pm
Please anyone tell me how to make fake facebook.com dns entry in zentyal DNS server.

please go through the link
http://www.linuxquestions.org/questions/linux-newbie-8/iptable-rules-to-block-https-www-facebook-com-919096/

Need to add

iptables -N FACEBOOK
 
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 80 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 80 -j FACEBOOK
 
iptables -A FACEBOOK -j REJECT




But I don't know where the iptables file is exactly.
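
An added check, not part of the post above and not Zentyal code: it converts the three destination ranges from the iptables rules to CIDR form and tests them against the five www.facebook.com addresses listed earlier in this thread. All addresses are the 2012 values as posted and serve only as sample data; the function names are illustrative.

```python
import ipaddress

# Destination ranges copied from the iptables rules in the post above.
BLOCKED_RANGES = [
    ("66.220.144.0", "66.220.159.255"),
    ("69.63.176.0", "69.63.191.255"),
    ("204.15.20.0", "204.15.23.255"),
]

# www.facebook.com addresses copied from the hosts-file post earlier in the thread.
OBSERVED_ADDRESSES = [
    "66.220.149.88", "66.220.152.16",
    "69.171.234.21", "69.171.237.16", "69.171.247.21",
]


def ranges_to_networks(ranges):
    """Collapse first-last address pairs into the minimal list of CIDR networks."""
    networks = []
    for first, last in ranges:
        first_ip, last_ip = ipaddress.ip_address(first), ipaddress.ip_address(last)
        networks.extend(ipaddress.summarize_address_range(first_ip, last_ip))
    return list(ipaddress.collapse_addresses(networks))


def coverage(addresses, networks):
    """Map each address to the network that matches it, or None if no rule applies."""
    result = {}
    for text in addresses:
        addr = ipaddress.ip_address(text)
        result[text] = next((net for net in networks if addr in net), None)
    return result


def uncovered(addresses, networks):
    """Addresses that would pass the FORWARD chain without hitting the REJECT rule."""
    return [a for a, net in coverage(addresses, networks).items() if net is None]


if __name__ == "__main__":
    nets = ranges_to_networks(BLOCKED_RANGES)
    print("CIDR form of the posted ranges:", ", ".join(str(n) for n in nets))
    for address, net in coverage(OBSERVED_ADDRESSES, nets).items():
        status = f"matched by {net}" if net is not None else "NOT covered"
        print(f"{address:15}  {status}")
```

With the thread's data, the three 69.171.x.x addresses fall outside the posted ranges, so those rules alone would not reject traffic to them.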
Title: Re: How to block https://www.facebook.com
Post by: kavirajan on October 30, 2012, 04:42:29 pm
Will clarkconnect work now?
Title: block facebook.com in https access non transparent mode
Post by: kavirajan on November 02, 2012, 07:25:59 am
hi friends,

Please anyone help me to block facebook in https on non transparent mode, and also tell me how to block https site in non transparent mode.

Because i am going to use two servers one for non transparent another one for transparent mode to block https and http site.

so please help me to block https sites in non transparent mode.
Title: Re: How to block https://www.facebook.com
Post by: christian on November 02, 2012, 08:14:41 am
Kavirajan,

I merged again your posts.

1 - Please do not start another new post with same content and same question just because you didn't get the expected answer with the previous posts. You can still bump the previous ones.
2 - From my standpoint, you already got the full set of information. If this is not clear enough, feel free to explain, within existing posts, what is not clear to you.
Title: Re: How to block https://www.facebook.com
Post by: kavirajan on November 03, 2012, 06:38:04 am
Please anyone help me to block https in non transparent mode.
Title: Re: How to block https://www.facebook.com
Post by: christian on November 03, 2012, 09:38:12 am
With explicit proxy:

- be sure that firewall doesn't permit HTTP and HTTPS flow to reach internet directly (otherwise users can bypass your proxy)
- in "proxy/filter profile/domain filter settings" section, ensure that access to IP address is blocked
- in  "proxy/filter profile/domain & URL rules" add facebook.com domain with deny decision

et voila... so much easy.

Well, this is not 100% blocked. Users able to select external proxy can still access facebook but this will already limit a lot.
With access to IP denied, it will limit further.
Content filter threshold will block some external proxies and to converge toward holy-grail, you will have to look at log and add some more domains.
Title: Re: How to block https://www.facebook.com
Post by: kavirajan on November 05, 2012, 12:17:35 pm
Hi Christian,

It did not work for me, actually it's not for non transparent method,
If you know plz help otherwise plz shut, some one can help.

I don't need http proxy, I need only firewall.
Title: Re: How to block https://www.facebook.com
Post by: christian on November 05, 2012, 12:26:00 pm
 ;D you want to block facebook using FW only and not HTTP proxy ?
So do it adding (multiple) IP addresses in your firewall and denying access to it. So much easy to explain it but impossible to achieve it.

Joke aside, I suppose this is because of language difference but I don't understand what you target (except that you want to block access to facebook)

So, spend time explaining better your goal and you may have some members here prone to help you. Not me BTW because I'm lost with all these back and forth.
Title: Re: How to block https://www.facebook.com
Post by: Sam Graf on November 05, 2012, 02:20:11 pm
Quote from kavirajan: "If you know plz help otherwise plz shut, some one can help. I don't need http proxy, I need only firewall."

I think all the information you need is in this topic, thanks in large part to christian.

I think you might be confused by the iptables information you've found elsewhere. There is no need to edit iptables by hand. You can accomplish the same thing using Zentyal's firewall and service tools, and the network object tools if you want to create a Facebook object (where all your Facebook IP addresses could go). Create an HTTPS service using port 443, then set firewall rules for both HTTP and HTTPS accordingly.