Trying to block sites for a school network (i.e. myspace, etc)



  • I'm running a network for an elementry school, and will be installing a pfsense box as a content filter. I'm trying to block some sites such as MySpace and any other sites that they tell me they don't want the kids accessing.

    So I determined the myspace IP (216.178.32.51) by pinging it and then set a LAN rule to block it, like so:

    Proto    Source    Port      Destination        Port    Gateway    Description
    TCP      *            *          216.178.32.51  *        *     
    *          LAN net  *          *                      *        *              Default LAN -> any

    And, after reading another post about blocking AIM and MSN messenger, i got the idea to use DNS Forwarder to set a fake resolution, like so:

    Host        Domain            IP              Description 
    myspace  myspace.com  127.0.0.1    myspace fake

    Going to 216.178.32.51 in a web browser fails, but going to myspace.com does in fact still work; even though it takes a little longer, I guess it still resolves somehow. I also tried to set it to like 1.1.1.1 instead of 127.0.0.1 as I had seen in another post, but neither worked.

    I'm stumped and would really like some help.  I also installed the Squid package, and from what I gather that can be used to filter content as well, but I have no idea how to get that working.

    Any help would be greatly appreciated.  The best way to block websites with pfsense is what I'd like to do… however that may be.



  • If you do

    nslookup myspace.com

    you'll see that in addition to 216.178.32.51 you should also block access to

    216.178.32.48, 216.178.32.49, 216.178.32.50



  • Awesome, thanks.

    As a side note for anyone else who might be tyring to block myspace… heres all the URLs that (at least so far) I have found for myspace.  They include myspace.com, vids.myspace.com, login.myspace.com, and home.myspace.com.  I wouldnt be suprised if I missed some. I found all these because my browser, after being rejected, gets redirected to google.com's search, where you can 'view a cached page' of myspace.com.  This is a partial bypass of the firewall I had set to block only 'myspace.com' IPs, because of their subdomains.  So, this might be helpful if you're in the same spot as me, thought I'd pass it along.

    216.178.32.48, 216.178.32.49, 216.178.32.50, 216.178.32.51, 216.178.32.34, 216.178.32.40, 216.178.32.41, 216.178.32.42, 216.178.32.45, 63.208.226.224

    I made all these IPs an alias to make for an easier firewall block rule.



  • Plain firewall rules really isn't sufficient to block web sites, if you want to do it effectively.  Anyone looking to block web sites should look at a proxy server in addition to your perimeter firewall.


Locked