[Solved] Can Aliases block?



  • Hello guys, I have a question about Aliases.

    I go to IP, then I click Add, then I choose Host, I input something like www.twitter.com, then save it with a name like "block".

    Then I go to Firewall > Rules > LAN, then I add a block rule and set Single host or alias, then I choose "block".

    Then I clear all history in Chrome, then I do a Filter Reload in pfSense. Then I search for Twitter and I am still able to browse Twitter.



  • Yes, aliases can be used to block.
    Works best using IPs, but it can work using URLs. The URL will get resolved for you.

    @Vincent_28 said in Can Aliases block?:

    I go at IP. then i click add then i choose HOST i input like www.twitter.com then save name like "block"

    Wait ...
    You think www.twitter.com points to a (one :) unique IP?
    If that were so, it would probably work: the URL (www.twitter.com) will get converted to an IP, the IP from Twitter, and you'll be happy.
    Btw: the firewall uses IPs, not URLs.

    Now for the bad news:
    twitter, youtube, facebook, outlook, yahoo, netflix, amazon, etc. etc. etc. (the big ones) do not use one IP.
    They use thousands of IPs .... and they also use many IPv6 addresses ....
    And to make things worse: they maintain their servers, and when they do so, they take them out of "circulation" (they remove the IP as a possible A address) and put others in their place.
    They do the same thing for load balancing.

    Look at this :

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: dig twitter.com A +short
    104.244.42.65
    104.244.42.129
    

    I wait a minute or so and repeat the command :

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: dig twitter.com A +short
    104.244.42.193
    104.244.42.129
    

    You saw it? One of the IPs changed!

    So, no, putting a URL in an alias and thinking that will help you block a domain name, that's ok and often works. But not for the "big ones".

    The subject is known; you can find many forum messages about it.
    You'll be needing pfBlockerNG or something from the Squid family (I have no experience with the latter).



  • You may be better off blocking via ASN number with pfBlockerNG-devel.

    AS details for AS13414 :-

    aut-num: AS13414
    as-name: TWITTER
    descr: Twitter
    import: from AS-ANY accept ANY AND NOT {0.0.0.0/0}
    export: to AS-ANY announce AS-TWITTER AND NOT {0.0.0.0/0}
    admin-c: NETWO3685-ARIN
    tech-c: NETWO3685-ARIN
    notify: noc@twitter.com
    mnt-by: MAINT-AS13414
    changed: rcarroll@twitter.com 20190702 #08:43:36Z
    source: RADB

    IPv4 subnets for AS13414 :-


    IPv6 subnets for AS13414 :-

    2400:6680::/32
    2606:1f80::/32
    2a04:9d40::/29

    Monday, 18 November 2019 at 11:07:37 Greenwich Mean Time
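The two effects described in this thread, an alias that holds one moment's DNS answers while the name keeps rotating, and an ASN prefix list that matches any address inside the announced ranges, modelled offline in Python. This is an added example, not code from the thread or from pfSense; the addresses and prefixes are the ones quoted above, the helper names are my own, and no live DNS lookups are made.

```python
"""Why a pfSense host alias misses rotating IPs, and how an ASN prefix list covers them.

Added example, not from the forum thread or pfSense. DNS answers and prefixes are
copied from the thread above (twitter.com, AS13414) and embedded as constructed data.
"""
import ipaddress

# Two successive `dig twitter.com A +short` answers quoted in the thread (constructed here).
LOOKUP_1 = ["104.244.42.65", "104.244.42.129"]
LOOKUP_2 = ["104.244.42.193", "104.244.42.129"]

# A subset of the AS13414 prefixes from the ASN post above (constructed inline).
AS13414_PREFIXES = ["104.244.40.0/24", "104.244.41.0/24", "104.244.42.0/24",
                    "104.244.43.0/24", "199.96.56.0/21", "2606:1f80::/32"]


def alias_from_lookup(answers):
    """Model a pfSense host alias: the name is resolved once and those addresses are held."""
    return {ipaddress.ip_address(a) for a in answers}


def blocked_by_alias(alias, dst):
    """A rule using 'Single host or alias' matches only the exact addresses in the table."""
    return ipaddress.ip_address(dst) in alias


def blocked_by_prefixes(prefixes, dst):
    """A network alias / pfBlockerNG ASN list matches any address inside the prefixes."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return any(addr.version == n.version and addr in n for n in nets)


def uncovered_after_rotation(alias, new_answers):
    """Addresses a later DNS answer returned that the earlier alias snapshot never held."""
    return sorted(str(a) for a in alias_from_lookup(new_answers) - alias)


def compare(alias_answers, later_answers, prefixes):
    """Return (alias verdicts, prefix verdicts) for each address of the later lookup."""
    alias = alias_from_lookup(alias_answers)
    return ({d: blocked_by_alias(alias, d) for d in later_answers},
            {d: blocked_by_prefixes(prefixes, d) for d in later_answers})


if __name__ == "__main__":
    alias = alias_from_lookup(LOOKUP_1)
    print("alias snapshot:", sorted(str(a) for a in alias))
    print("not covered after rotation:", uncovered_after_rotation(alias, LOOKUP_2))
    by_alias, by_prefix = compare(LOOKUP_1, LOOKUP_2, AS13414_PREFIXES)
    for dst in LOOKUP_2:
        print(f"{dst:16} alias={by_alias[dst]!s:5} prefixes={by_prefix[dst]}")
```

The second lookup's new address is missed by the alias snapshot but falls inside 104.244.42.0/24, which is the gap the ASN-based approach closes; it does not address the shared-CDN overlap raised in the next reply.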


  • LAYER 8 Global Moderator

    And then let's not forget that these services are served up via CDN, and the same CDNs will be hosting other services... So blocking xyz.com could also block abc.com.

    If you want to play internet police, then you should use a proxy.. A proxy will prevent going to xyz.com but allow going to abc.com, even if hosted off the same IP.

    Or just block at a DNS level.. So you cannot look up xyz.com, but you can look up abc.com to go there.



  • Maybe Snort & openappid-social_networking.rules; there is a rule for Twitter.


  • LAYER 8 Global Moderator

    It'd be easier to just not let anything.twitter.com be resolved ;) And don't let any other DNS out..

    Not sure why anyone would want to block Twitter though. I could see high-bandwidth sites like YouTube, etc., where users streaming video could hog bandwidth.. But some tweets? Not real bandwidth killers ;)



  • Thanks for the info.

