Netgate Discussion Forum

    How to block dropbox website

    pfSense Packages
    • smizzio

      Hi, I have installed squid and dansguardian on my pfSense.
      I have downloaded the shalla blacklist and configured it.
      I want to disable access to the dropbox website.
      In the proxy server configuration I added dropbox to the blacklisted sites: now I can't access http://dropbox.com but I can access https://dropbox.com
      Is there a possibility to block this site?
      In my LAN I have to block it for 5 computers.

      Thanks to all!

      • johnpoz LAYER 8 Global Moderator

        And what do these computers use for DNS? A simple way of preventing users from using such tools and sites is to just prevent the DNS lookup. If they use the pfSense box for DNS, just put in a host override for the domain that points nowhere.

        Now the client will not resolve, now the browser will not resolve anything.dropbox.com

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • Klaws

          Just block dropbox's IP address range (199.47.216.0/22) in the firewall.

          DNS overrides can be circumvented if the user chooses a different DNS server. You can, of course, block DNS queries to other DNS servers, to make things a bit harder for the user.

          • johnpoz LAYER 8 Global Moderator

            They own more than that. Yes, DNS is not always the perfect solution, but he has not stated the skill set of his userbase. And yes, I would assume he prevents the use of other DNS by blocking udp/tcp 53 outbound as well.

            notify21.dropbox.com

            CIDR:          108.160.160.0/20
            NetName:        DROPBOX

            • Klaws

              @johnpoz:

              […] he has not stated the skill set of his userbase.

              That's the point. Of course, the user can also use proxies to circumvent IP address blocks. Some proxies have HTTP/HTML interfaces, so users won't even have to reconfigure their browsers.

              Dropbox is, of course, a service for losers. ;) Geeks would have their own FTP servers, shell boxes, VPN endpoints. They might even bring in their own 3G router if they feel the urge to bypass the firewall with their work PC. I've even seen idiots unplugging the fax machine to dial into the internet via an old analogue modem (with the result that, on the next day, large parts of the company's IT were infected by a virus).

              The Computer Science lessons in school are actually a good way for kids to learn hacking firewalls. Not because it's taught (it isn't), but because the school's firewall is pretty restrictive. Once one kid finds out how to circumvent the blocks, this knowledge will spread to the other kids. If one of these kids has a parent, and this parent is one of smizzio's users, this user might turn into a "script kiddie", erm, "script daddy/mommy" ;) - capable of circumventing security measures, but not understanding the risk.

              Logging is a way to get the user's attention (if it's allowed in your country). Make sure that the users know that every bit of traffic is logged and that they'll get into trouble if anything pops up which might look like an IP address of a proxy, dropbox, VPN tunnels, whatever. If you don't want to be seen as the "network nazi", you might mention that surfing for lolcats is okay. ;)

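
A log audit for the two gaps raised in this thread (a block rule that covers only part of Dropbox's address space, and DNS queries that bypass the host override), as an added example that is not from any of the posters. The comma-separated record format, the resolver address 192.168.1.1 and the sample records are assumptions constructed for illustration; the two CIDR ranges are the ones quoted in the posts.

```python
import ipaddress

# The /22 proposed for the block rule, plus the /20 from the whois output
# quoted in the thread ("They own more than that").
BLOCKED = [ipaddress.ip_network("199.47.216.0/22")]
KNOWN_DROPBOX = BLOCKED + [ipaddress.ip_network("108.160.160.0/20")]
LAN_RESOLVER = ipaddress.ip_address("192.168.1.1")  # assumed pfSense LAN address

# Constructed sample records (not pfSense's native log format):
# src,dst,proto,dport,action
SAMPLE_LOG = """\
192.168.1.21,199.47.217.10,tcp,443,block
192.168.1.22,108.160.165.20,tcp,443,pass
192.168.1.23,192.168.1.1,udp,53,pass
192.168.1.24,203.0.113.53,udp,53,pass
192.168.1.25,203.0.113.53,tcp,53,block
"""

def audit(log_text, blocked=BLOCKED, known=KNOWN_DROPBOX, resolver=LAN_RESOLVER):
    """Return (client, reason) pairs for passed traffic that defeats the policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, action = [f.strip() for f in line.split(",")]
        if action != "pass":
            continue  # the firewall already stopped this connection
        dst_ip = ipaddress.ip_address(dst)
        # Gap 1: traffic reached an address in a known Dropbox range.
        if any(dst_ip in net for net in known):
            if any(dst_ip in net for net in blocked):
                why = "passed despite block range"  # rule order or interface issue
            else:
                why = "range missing from block rule"
            findings.append((src, f"{why}: {dst}"))
        # Gap 2: DNS leaving for a resolver other than the firewall, which
        # sidesteps the host override.
        if dport == "53" and proto in ("udp", "tcp") and dst_ip != resolver:
            findings.append((src, f"external DNS allowed: {dst}/{proto}"))
    return findings

if __name__ == "__main__":
    for client, reason in audit(SAMPLE_LOG):
        print(client, reason)
```
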
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.