Netgate Discussion Forum

How can I block Social Networking Sites

pfSense Packages
7 Posts 6 Posters 20.2k Views
    pj_singh
    last edited by Feb 28, 2011, 7:01 PM

    Hi,
    Can somebody please explain to me how I can block social networking sites like Facebook from my office LAN? Please advise on blocking for both the HTTP and HTTPS protocols, as these sites can also be reached via HTTPS.

    I am currently using Untangle and it is not solving my purpose as to block https://facebook.com, it made me block port 443 which also blocked other important sites and services like https://www.gmail.com

    Thanks.

    PJ

      jimp Rebel Alliance Developer Netgate
      last edited by Feb 28, 2011, 7:38 PM

      Unless you manually configure (or push with WPAD/GPO/etc) the clients to use the proxy ports directly, and not in transparent mode, you can't block HTTPS sites by URL.

      Unless you proxy in the way described, you can really only block by IP address. You could try to blackhole the DNS for the domains you want to block, but you'd also have to lock down DNS for that to work properly as well.

        Cino
        last edited by Feb 28, 2011, 7:39 PM

        You can try SquidGuard to block Facebook. I haven't used it in a while, or Squid for that matter (you need Squid to use SquidGuard). It will block HTTP traffic, as I've used it on my other half and she wasn't happy. For HTTPS proxy you can't use transparent mode; you have to hard-code the proxy IP/port within the browsers you're using. You can use WPAD to autoconfigure this setting for you: http://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

        I always wanted to try Untangle but it needs too much horsepower for what I have to spare… I could be wrong here, but I'm thinking you're using it in transparent mode on Untangle? If so, try hard-coding the proxy IP/port into your browser and see if it will stop https://facebook now...

          pj_singh
          last edited by Feb 28, 2011, 7:48 PM

          Many thanks for your valuable response.

          Actually Untangle sorts out most issues. However, it fails badly on HTTPS blocking. My friend got his Linux box configured with Red Hat running Squid. Surprisingly, it is blocking HTTPS like a charm. However, he is not sure about the settings as the box is under warranty, so I am pretty much relying on this forum. Someone told me that Squid works seamlessly with pfSense. I want to know whether it will also perform wildcard blocking, e.g. *.facebook.com etc. Actually this feature is available in a Windows-based firewall named Kerio. However, I am determined to get the same feature in pfSense.
          Please advise.

            Guest
            last edited by Feb 28, 2011, 8:41 PM

            Blocking HTTPS requires proxy settings in place in the client browser.  This is why Jim, et al. are suggesting you set up WPAD.  Once your client browsers know to proxy all their connections through squid, you can filter them to your heart's delight.

              joako
              last edited by Mar 6, 2011, 9:05 AM

              If all you care to do is block facebook, create a firewall rule to block 69.63.176.0/20

                Hugovsky
                last edited by Apr 27, 2011, 2:30 PM

                Or use DNS Forward to do it.
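
Added example, not part of the thread and not pfSense or Squid code: a Python sketch of the point made in the replies above, that a browser configured to use a proxy sends `CONNECT host:443` in clear text, so a wildcard domain rule can match HTTPS, while an intercepting (transparent) setup only has the destination IP to go on. The leading-dot rule imitates Squid's `dstdomain` style; the request lines, rule lists and the 203.0.113.10 address are constructed for illustration.

```python
# Added example, not from the thread. Request lines, rules and 203.0.113.10 are constructed.
import ipaddress
from urllib.parse import urlsplit

DOMAIN_RULES = [".facebook.com"]   # leading dot = the domain and all subdomains
IP_RULES = ["69.63.176.0/20"]      # the range quoted in the thread

def domain_blocked(host, rules=DOMAIN_RULES):
    host = host.lower().rstrip(".")
    for rule in (r.lower() for r in rules):
        if rule.startswith("."):
            # ".facebook.com" matches facebook.com and www.facebook.com, not notfacebook.com
            if host == rule[1:] or host.endswith(rule):
                return True
        elif host == rule:
            return True
    return False

def visible_host(request_line):
    """Hostname an explicitly configured proxy reads from the request line."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method.upper() == "CONNECT":
        # HTTPS: the browser asks for a tunnel to host:port before any TLS starts
        host, sep, port = target.rpartition(":")
        return host.strip("[]") if sep and port.isdigit() else None
    return urlsplit(target).hostname   # plain HTTP: absolute URL in the request

def explicit_proxy_decision(request_line):
    host = visible_host(request_line)
    if host is None:
        return "deny"                  # unparseable request: fail closed
    return "deny" if domain_blocked(host) else "allow"

def transparent_decision(dst_ip, ip_rules=IP_RULES):
    # Intercepted port 443, as the thread describes it: no request line is
    # available, so domain rules cannot apply and only IP ranges can match.
    addr = ipaddress.ip_address(dst_ip)
    hit = any(addr in ipaddress.ip_network(net) for net in ip_rules)
    return "deny" if hit else "allow"

if __name__ == "__main__":
    for line in ("CONNECT www.facebook.com:443 HTTP/1.1",
                 "CONNECT www.gmail.com:443 HTTP/1.1",
                 "GET http://facebook.com/home.php HTTP/1.1"):
        print(f"{explicit_proxy_decision(line):5}  {line}")
    print(transparent_decision("69.63.176.13"), transparent_decision("203.0.113.10"))
```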
