Netgate Discussion Forum

    Trying to block sites for a school network (i.e. myspace, etc)

      digitalx2001

      I'm running a network for an elementary school, and will be installing a pfsense box as a content filter. I'm trying to block some sites such as MySpace and any other sites that they tell me they don't want the kids accessing.

      So I determined the myspace IP (216.178.32.51) by pinging it and then set a LAN rule to block it, like so:

      Proto  Source   Port  Destination    Port  Gateway  Description
      TCP    *        *     216.178.32.51  *     *
      *      LAN net  *     *              *     *        Default LAN -> any

      And, after reading another post about blocking AIM and MSN messenger, I got the idea to use DNS Forwarder to set a fake resolution, like so:

      Host     Domain       IP         Description
      myspace  myspace.com  127.0.0.1  myspace fake

      Going to 216.178.32.51 in a web browser fails, but going to myspace.com does in fact still work; even though it takes a little longer, I guess it still resolves somehow. I also tried to set it to like 1.1.1.1 instead of 127.0.0.1 as I had seen in another post, but neither worked.

      I'm stumped and would really like some help.  I also installed the Squid package, and from what I gather that can be used to filter content as well, but I have no idea how to get that working.

      Any help would be greatly appreciated.  The best way to block websites with pfsense is what I'd like to do… however that may be.

        andrewp

        If you do

        nslookup myspace.com

        you'll see that in addition to 216.178.32.51 you should also block access to

        216.178.32.48, 216.178.32.49, 216.178.32.50

          digitalx2001

          Awesome, thanks.

          As a side note for anyone else who might be trying to block myspace… here are all the URLs that (at least so far) I have found for myspace.  They include myspace.com, vids.myspace.com, login.myspace.com, and home.myspace.com.  I wouldn't be surprised if I missed some. I found all these because my browser, after being rejected, gets redirected to google.com's search, where you can 'view a cached page' of myspace.com.  This is a partial bypass of the firewall I had set to block only 'myspace.com' IPs, because of their subdomains.  So, this might be helpful if you're in the same spot as me, thought I'd pass it along.

          216.178.32.48, 216.178.32.49, 216.178.32.50, 216.178.32.51, 216.178.32.34, 216.178.32.40, 216.178.32.41, 216.178.32.42, 216.178.32.45, 63.208.226.224

          I made all these IPs an alias to make for an easier firewall block rule.

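The posts above run into the same gap twice: a block list built from one lookup misses other addresses the name, or one of its subdomains, resolves to. As an added example (not code from any poster in this thread), the Python below parses nslookup output and reports, per hostname, the resolved addresses that a block list does not cover. The nslookup text, the resolver address 192.168.1.1, the login.myspace.com answer and the 192.0.2.10 placeholder are constructed for illustration.

```python
import ipaddress
import re

# Block lists from the thread: the first post's single rule, then the alias.
SINGLE_RULE = {"216.178.32.51"}
ALIAS = SINGLE_RULE | {
    "216.178.32.48", "216.178.32.49", "216.178.32.50", "216.178.32.34",
    "216.178.32.40", "216.178.32.41", "216.178.32.42", "216.178.32.45",
    "63.208.226.224",
}

# Constructed nslookup output, not captured from a live resolver.
# 192.0.2.10 is a placeholder for an address added after the alias was built.
HEADER = "Server: 192.168.1.1\nAddress: 192.168.1.1#53\n\nNon-authoritative answer:\n"
SAMPLE_LOOKUPS = {
    "myspace.com": HEADER + (
        "Name: myspace.com\nAddress: 216.178.32.48\n"
        "Name: myspace.com\nAddress: 216.178.32.49\n"
        "Name: myspace.com\nAddress: 216.178.32.50\n"
        "Name: myspace.com\nAddress: 216.178.32.51\n"
    ),
    "login.myspace.com": HEADER + (
        "Name: login.myspace.com\nAddress: 216.178.32.34\n"
        "Name: login.myspace.com\nAddress: 192.0.2.10\n"
    ),
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def answer_addresses(nslookup_output):
    """Return the sorted IPv4 addresses from the answer section only."""
    # Text before the first "Name:" describes the resolver, not the site.
    _, found, answer = nslookup_output.partition("Name:")
    addrs = set()
    for token in IPV4.findall(answer if found else ""):
        try:
            addrs.add(ipaddress.IPv4Address(token))
        except ipaddress.AddressValueError:
            continue  # looked like an address but is not a valid one
    return [str(a) for a in sorted(addrs)]


def uncovered(lookups, blocked):
    """Map each hostname to the resolved addresses missing from `blocked`."""
    gaps = {h: [a for a in answer_addresses(o) if a not in blocked]
            for h, o in lookups.items()}
    return {h: miss for h, miss in gaps.items() if miss}
```

Calling `uncovered(SAMPLE_LOOKUPS, SINGLE_RULE)` shows what the one-address rule lets through, and `uncovered(SAMPLE_LOOKUPS, ALIAS)` shows how an alias goes stale once a subdomain resolves to an address that was not in it.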
            cmb

            Plain firewall rules really aren't sufficient to block web sites, if you want to do it effectively.  Anyone looking to block web sites should look at a proxy server in addition to your perimeter firewall.
