Chrome circumvents the firewall!!!
-
Hello everyone:
I set up a firewall to block facebook.com using the Facebook CIDR network given by 173.252.64.0/18. I'm running the HTTP proxy server Squid along with the network analyzer LightSquid. The proxy is not transparent and I'm using the default port 3128. So here is the weird thing. Facebook is completely blocked using IE and Firefox, but I can still navigate Facebook using Chrome. BTW, I used Internet Options to set the proxy to the pfSense host with port 3132. Any idea why that is happening? How can I fix this? Thanks.
-
facebook cidr network given by 173.252.64.0/18
Vastly incomplete… http://bgp.he.net/AS32934
I'm running http proxy server
Considering the entire facebook is HTTPS, just what exactly do you think you are proxying?
-
You are right! The CIDR network that I have is for facebook.com. This one is for www.facebook.com: 66.220.144.0/20.
I am using a proxy because I like to have LightSquid to monitor the utilization of the network. I am going to apply the additional network and see what happens.
Thanks.
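The exchange above turns on whether the blocked prefix list actually covers the addresses the browser resolves. As an added example (not code from the thread), here is a small Python check that tests constructed sample addresses against the two prefixes mentioned in the posts and reports which ones would slip past a rule built from the shorter list; it also collapses a prefix list so an alias holds no redundant entries. The sample addresses are made up for the demonstration.

```python
import ipaddress

# Constructed sample: the single prefix the original poster used first,
# and the extended list after the second prefix from the thread was added.
ORIGINAL_RULE = ["173.252.64.0/18"]
EXTENDED_RULE = ["173.252.64.0/18", "66.220.144.0/20"]

# Constructed sample addresses, one inside each prefix above.
SAMPLE_IPS = ["173.252.100.1", "66.220.150.7"]


def covered(ip, prefixes):
    """True if ip falls inside any of the given CIDR prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def uncovered(ips, prefixes):
    """Return the addresses a block rule built from prefixes would NOT match."""
    return [ip for ip in ips if not covered(ip, prefixes)]


def collapse(prefixes):
    """Merge overlapping or adjacent prefixes into the minimal equivalent list,
    which is what you want before pasting the list into a firewall alias."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print("missed by original rule:", uncovered(SAMPLE_IPS, ORIGINAL_RULE))
    print("missed by extended rule:", uncovered(SAMPLE_IPS, EXTENDED_RULE))
    print("collapsed alias:", collapse(EXTENDED_RULE + ["173.252.64.0/19"]))
```

Run it against the real address set you intend to block (for instance, the addresses your resolver returns for the site) to see what a prefix-based rule misses; any address listed as uncovered is reachable regardless of the rule.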
-
There is a long list of IPs potentially used by Facebook.
This is how I do it: https://forum.pfsense.org/index.php?topic=69860.msg383922#msg383922
List is also available in Hurricane Electric IPv4 and v6…. Easy to use with pfBlockerNG.
http://bgp.he.net/search?search%5Bsearch%5D=facebook&commit=Search
-
After using your reference to the complete list of Facebook CIDRs, the firewall blocked Facebook completely (no Squid installed). However, once I installed and configured Squid, the firewall rule is broken and I'm able to access Facebook completely, whether Squid is configured to be transparent or not! Why is that???
Thanks.
-
If you want to block facebook entirely, just set facebook.com to 0.0.0.0 and block dns out.
-
That's another way I could try. But why does Squid break the rule of the firewall?
-
Because Squid doesn't run on LAN.
-
It's not that it doesn't listen on LAN. You talk to Squid, Squid goes and gets what you asked for from the firewall itself, not from a box on the LAN. So it doesn't see those rules you have for LAN clients going through the normal interface.
Read up on how and what a proxy is would be my suggestion.
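Since requests that go through the proxy leave from the firewall host rather than from a LAN client, the LAN-interface block never matches them, and the block has to be enforced where the request is actually decided: inside Squid. As an added example (not configuration from the thread or from the pfSense or Squid projects), this squid.conf fragment denies the domains by name; the `localnet` ACL name is assumed to already exist in the configuration, and the `.fbcdn.net` entry is an assumption about related hostnames, so adjust the list to what you actually observe.

```conf
# Added example squid.conf fragment (constructed, not from the thread).
# A leading dot matches the domain and all of its subdomains.
acl blocked_sites dstdomain .facebook.com .fbcdn.net

# Deny must come before the allow line for the LAN clients, because
# Squid stops at the first http_access line that matches.
http_access deny blocked_sites
http_access allow localnet
```

Because HTTPS goes through the proxy as a CONNECT request whose target is the hostname, a `dstdomain` ACL matches those tunnels as well, without needing to inspect the encrypted traffic. The LAN rule still matters for clients that bypass the proxy, so keep both; if you need the firewall itself to enforce it for proxied traffic, the rule has to apply to traffic leaving the firewall on WAN rather than to traffic entering on LAN.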