Netgate Discussion Forum

I configured HTTPS introducion but people still go HTTPS facebook

Off-Topic & Non-Support Discussion
aslanlargibi

A few months ago my users couldn't log in to Facebook via HTTPS,

but now they can connect. I deleted and added something, I played with it, but I can't figure it out.

I don't want anyone to sign in with HTTPS, and I want to block Facebook and YouTube pages over HTTPS.

Here are my screenshots:

http://img.ctrlv.in/img/521b4a71a88f0.png

http://img.ctrlv.in/img/521b4a2437122.png

Is there any tutorial with updated IPs on this subject? How do I block an HTTPS tunnel with pfSense?

Thank you.
doktornotor

No, you still cannot meaningfully block Facebook by blocking IPs. Stop wasting your time.
kejianshi

You can whitelist, which is draconian; or you can unplug the internet, which is equally draconian; or you can crack knuckles with a ruler when people visit Facebook, if it's a school or business or something.

Sometimes giving up is the correct choice though.
scornaky

Hi,

I used this list:

Updated list as of 6/11/2013

            204.15.20.0/22
            69.63.176.0/20

            66.220.144.0/20
            66.220.144.0/21
            69.63.184.0/21
            69.63.176.0/21
            74.119.76.0/22
            69.171.255.0/24
            173.252.64.0/18
            69.171.224.0/19
            69.171.224.0/20
            103.4.96.0/22
            69.63.176.0/24
            173.252.64.0/19
            173.252.70.0/24
            31.13.64.0/18
            31.13.24.0/21
            66.220.152.0/21
            66.220.159.0/24
            69.171.239.0/24
            69.171.240.0/20
            31.13.64.0/19
            31.13.64.0/24
            31.13.65.0/24
            31.13.67.0/24
            31.13.68.0/24
            31.13.69.0/24
            31.13.70.0/24
            31.13.71.0/24
            31.13.72.0/24
            31.13.73.0/24
            31.13.74.0/24
            31.13.75.0/24
            31.13.76.0/24
            31.13.77.0/24
            31.13.96.0/19
            31.13.66.0/24
            173.252.96.0/19
            69.63.178.0/24
            31.13.78.0/24
            31.13.79.0/24
            31.13.80.0/24
            31.13.82.0/24
            31.13.83.0/24
            31.13.84.0/24
            31.13.85.0/24
            31.13.87.0/24
            31.13.88.0/24
            31.13.89.0/24
            31.13.90.0/24
            31.13.91.0/24
            31.13.92.0/24
            31.13.93.0/24
            31.13.94.0/24
            31.13.95.0/24
            69.171.253.0/24
            69.63.186.0/24
            204.15.20.0/22
            69.63.176.0/20
            69.63.176.0/21
            69.63.184.0/21
            66.220.144.0/20
            69.63.176.0/20

Make an alias (block list).

Source: http://stackoverflow.com/questions/11164672/list-of-ip-space-used-by-facebook

From what I read and what I tried, you can't filter HTTPS content in a transparent proxy (if you are using Squid).

1. Install Squid and SquidGuard.

You can block everything you want, but not HTTPS:

http://doc.pfsense.org/index.php/Setup_Squid_as_a_Transparent_Proxy

Block or allow by category. Create a special category for what you want to block, e.g. all social networks (put facebook.com, twitter.com, youtube.com inside). Read the documentation […]

2. Add an alias in the firewall settings (e.g. "facebook") and block it in the rules.

That's it. And take a look at how the addresses are written: /24, /19.

Good luck!
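The list above contains duplicates and many prefixes that are already inside a broader one (every 31.13.6x–9x/24 sits inside 31.13.64.0/18, and 69.171.255.0/24 inside 69.171.224.0/19). Before pasting it into an alias it is worth collapsing it, both to see what is actually being blocked and to catch typos. The following is an added example (Python 3 standard library only; it is not code from this thread or from pfSense) that collapses the posted list, prints it in the one-per-line form the alias bulk-import box accepts, and checks whether a given address would fall under a rule built on it. The data is the thread's 2013 list reproduced entry for entry; it is not a current list, and the ranges announced by Facebook's AS (AS32934) are the source of truth if you do this today.

```python
import ipaddress

# The CIDR list from the post above (dated 6/11/2013), reproduced entry for
# entry but whitespace-separated so it fits here. It is the thread's data,
# not a current list: Facebook's ranges have changed since.
POSTED_LIST = """
204.15.20.0/22 69.63.176.0/20
66.220.144.0/20 66.220.144.0/21 69.63.184.0/21 69.63.176.0/21 74.119.76.0/22 69.171.255.0/24
173.252.64.0/18 69.171.224.0/19 69.171.224.0/20 103.4.96.0/22 69.63.176.0/24 173.252.64.0/19
173.252.70.0/24 31.13.64.0/18 31.13.24.0/21 66.220.152.0/21 66.220.159.0/24 69.171.239.0/24
69.171.240.0/20 31.13.64.0/19 31.13.64.0/24 31.13.65.0/24 31.13.67.0/24 31.13.68.0/24
31.13.69.0/24 31.13.70.0/24 31.13.71.0/24 31.13.72.0/24 31.13.73.0/24 31.13.74.0/24
31.13.75.0/24 31.13.76.0/24 31.13.77.0/24 31.13.96.0/19 31.13.66.0/24 173.252.96.0/19
69.63.178.0/24 31.13.78.0/24 31.13.79.0/24 31.13.80.0/24 31.13.82.0/24 31.13.83.0/24
31.13.84.0/24 31.13.85.0/24 31.13.87.0/24 31.13.88.0/24 31.13.89.0/24 31.13.90.0/24
31.13.91.0/24 31.13.92.0/24 31.13.93.0/24 31.13.94.0/24 31.13.95.0/24 69.171.253.0/24
69.63.186.0/24 204.15.20.0/22 69.63.176.0/20 69.63.176.0/21 69.63.184.0/21 66.220.144.0/20
69.63.176.0/20
"""


def parse_prefixes(text):
    """Parse whitespace-separated CIDR prefixes. strict=True rejects an entry
    whose host bits are set (a typo such as 31.13.65.0/23) instead of silently
    widening it to the containing network."""
    return [ipaddress.ip_network(tok, strict=True) for tok in text.split()]


def collapse(prefixes):
    """Drop exact duplicates and any prefix already inside a broader one, and
    merge adjacent prefixes; the result is sorted by network address."""
    return list(ipaddress.collapse_addresses(prefixes))


def alias_body(prefixes):
    """One prefix per line, the form pfSense's alias bulk-import box accepts."""
    return "\n".join(str(p) for p in collapse(prefixes))


def covers(prefixes, address):
    """Would a firewall rule built on this alias match traffic to `address`?"""
    ip = ipaddress.ip_address(address)
    return any(ip in p for p in prefixes)


if __name__ == "__main__":
    raw = parse_prefixes(POSTED_LIST)
    tidy = collapse(raw)
    print(f"{len(raw)} entries in the post collapse to {len(tidy)} prefixes:")
    print(alias_body(raw))
    for probe in ("31.13.72.1", "8.8.8.8"):
        print(f"{probe} matched: {covers(tidy, probe)}")
```

The 63 pasted entries collapse to nine prefixes. Two caveats a practitioner should keep in mind: a rule on these ranges blocks everything served from them, not only the login page, and such a list goes stale as soon as the operator renumbers, which is the substance of doktornotor's objection above.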
kejianshi

You can also set up DNS with OpenDNS or DynDNS; they have settings within their service to block social media and other things that might be a pain to do inside a firewall.
GruensFroeschli

Or you could always put up (wildcard) domain overrides on the DNS forwarder to 127.0.0.1.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
aslanlargibi

Here is the latest view of the admin panel for blocking Facebook:

http://img.ctrlv.in/img/521c47f65b870.png

http://img.ctrlv.in/img/521c480e5be4e.png

Do I need to put in more Facebook IPs and CIDRs?

I am using Squid and SquidGuard.

How will I be able to make an alias? I am a bit of a newbie.

Thank you.
kejianshi

You are never going to get there this way…
Please give the DNS option a shot.
scornaky

1. Only if you want to block all :) Facebook IP addresses.

2. The first picture shows how Facebook is blocked by SquidGuard categories, so all pages from facebook.com are blocked.

3. The rest is blocked by IP.

Good luck with it!

Attachments: 1.png, 2.png, 3.png
scornaky

@kejianshi:

You are never going to get there this way…
Please give the DNS option a shot.

OK, try it...

But https://de-de.facebook.com/

"Welcome to Facebook in Spanish (Spain)!"
https://es-es.facebook.com/

Are they still working if you block by DNS? Yes, they work. So do you want to put in every subdomain?

Of course you know that subdomain.facebook.com is not the same as facebook.com.
aslanlargibi

Here is the DNS screenshot,

and for the computers' DNS I put 192.168.1.253 (my pfSense IP).

http://img.ctrlv.in/img/521c8ea0ea25e.png

Any idea?

Thanks.
kejianshi

Yeah - get yourself a free OpenDNS account or DynDNS account.  Set up the dynamic DNS client in the pfSense menu.  Then put the DNS server IPs for the free account you set up in there in place of the IPs you currently have.  Uncheck the "Allow DNS list to be overridden" box.  Save that.  Then go into either the OpenDNS account or DynDNS account you set up online.  Log in.  Change your DNS options to filter whatever you like.

Next, you will have to make sure that all of your client machines use ONLY pfSense to get their DNS.  That is done from the settings on each machine separately.  After all this is working, you can set up some rules that block the clients from getting to port 53 on any machine other than pfSense.

GruensFroeschli also mentioned DNS overrides.  Not sure what he had in mind, but his idea may also be doable.
aslanlargibi

kejianshi, I did what you said and now it works.

Thank you, guys!
kejianshi

Ahhhh - Good.  I did write up how to do that a while ago, but virtually no one even looked at it.  I figured there was no interest.
Yeah.  It worked for me too that way, but I really don't need the filtering now so I just run straight untampered DNS these days.
GruensFroeschli

@kejianshi:

GruensFroeschli also mentioned DNS overrides.  Not sure what he had in mind, but his idea may also be doable.

On the DNS forwarder page you can create a wildcard override as described here:
http://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder

If you override *.facebook.com to 127.0.0.1 this should essentially block Facebook.
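To make concrete the difference between a plain host override and a wildcard one (scornaky's point earlier about de-de.facebook.com and es-es.facebook.com still loading), here is an added example, not from the thread or from pfSense, that models the matching behaviour of dnsmasq's `address=/domain/ip` directive, which is what the DNS Forwarder is built on: a domain override answers for the name itself and for every subdomain, but only on a label boundary, so `notfacebook.com` is left alone. The upstream answers are constructed placeholders in the 198.51.100.0/24 documentation range.

```python
# Added example: behaviour of a wildcard DNS override, modelled on dnsmasq's
# address=/domain/ip directive (the pfSense DNS Forwarder is dnsmasq).
# Upstream answers below are constructed placeholders, not real records.

BLOCK_TARGET = "127.0.0.1"


def normalise(name):
    """Lower-case and strip a trailing dot so 'FACEBOOK.COM.' equals 'facebook.com'."""
    return name.strip().rstrip(".").lower()


def override_lines(domains, target=BLOCK_TARGET):
    """The lines to paste into the forwarder's custom options box, one per domain."""
    return [f"address=/{normalise(d)}/{target}" for d in domains]


def matches(override_domain, queried_name):
    """True for the domain itself and any subdomain, on a label boundary only:
    'de-de.facebook.com' matches 'facebook.com'; 'notfacebook.com' does not."""
    d, q = normalise(override_domain), normalise(queried_name)
    return q == d or q.endswith("." + d)


def resolve(overrides, queried_name, upstream):
    """Simulate the forwarder: the first matching override answers, anything
    else goes upstream. `overrides` is a list of (domain, ip); `upstream` is a
    dict standing in for the real resolver."""
    for domain, ip in overrides:
        if matches(domain, queried_name):
            return ip
    return upstream.get(normalise(queried_name), "NXDOMAIN")


# Constructed upstream data (TEST-NET-2 addresses), enough to show the gaps.
UPSTREAM = {
    "www.facebook.com": "198.51.100.10",
    "de-de.facebook.com": "198.51.100.11",
    "notfacebook.com": "198.51.100.12",
    "static.xx.fbcdn.net": "198.51.100.13",
}

if __name__ == "__main__":
    wildcard = [("facebook.com", BLOCK_TARGET)]
    exact = [("www.facebook.com", BLOCK_TARGET)]   # a single-host override, for contrast
    print("\n".join(override_lines(["facebook.com", "youtube.com"])))
    for name in UPSTREAM:
        print(f"{name:22} wildcard={resolve(wildcard, name, UPSTREAM):15} "
              f"exact={resolve(exact, name, UPSTREAM)}")
```

Running it shows the wildcard override swallowing every `*.facebook.com` name while the single-host override lets `de-de.facebook.com` through to upstream, and both leave `static.xx.fbcdn.net` untouched: a DNS override only covers the domains you list, not the separate domains a site loads its content from, and it does nothing for a client that resolves elsewhere or connects to an IP directly. That last gap is why kejianshi's step of blocking port 53 to anything other than pfSense belongs with this approach.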
kejianshi

Would it be possible to override them and redirect to a specified HTTPS page that says something like "That page isn't allowed" or whatever?
GruensFroeschli

Sure. As long as the webserver to which you resolve the domain provides a page for this domain.
kejianshi

I was thinking maybe such a page could be rolled into a package for pfSense somewhere, perhaps in an add-on package.  The idea being that you could use such a DHCP redirect to catch all the filtering that Squid-based filtering misses - pretty much just the HTTPS stuff.  Having a block/filter terminate in a pretty page makes admins smile.

I suppose such a page might even have to rest on the open web if 443 was already in use on pfSense.

Maybe just something that says "I'm sorry - Your administrator doesn't allow access to this site"

Followed by a series of banner ads to pay for bandwidth.  haha
tyoungls

I realize this is a fairly dead thread, but it was one that came up when I was googling the topic.

My solution was a cross between a number of the ones given.

I made a wildcard DNS entry for the site youtube.com and pointed it to one YouTube server: 74.125.230.167
(look up a current server instead of using this IP)

We have a rule to block HTTPS to that IP, and then we use SquidGuard to limit YouTube access during working hours.

That seems to be working for the moment.

The downside is that we will need to update our rules if that particular YouTube server goes down…
Harvy66

Also ignoring that you broke HTTPS in the process. You can't proxy HTTPS without breaking its security. Many exploits have been done around this, like forcing Windows Update to install malware. Amazing what you can do when you tell clients to trust fake CAs.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.