How to block dropbox website

smizzio · Feb 21, 2013, 7:08 PM

Hi i have installed on my pfsense squid and dansguardian.
I have downloaded from shalla blacklist and configured.
I want to disable access to dropbox website.
In proxy server configuration i added dropbox to blacklisted site: now i can't access to http://dropbox.com but i can access to https://dropbox.com
Ther is the possibility to block this site?
In my lan i have to block it for 5 computers.

Thanks to all!

johnpoz · Feb 22, 2013, 9:24 PM

And what do these computers use for dns? A simple way of preventing users from using such tools and sites is to just prevent the dns lookup. If they use pfsense box for dns, just put in a host over ride for the domain that points nowhere.

Now the client will not resolve, now browser will not resolve anything.dropbox.com

Klaws · Feb 23, 2013, 11:21 AM

Just block dropbox's IP address range (199.47.216.0/22) in the firewall.

DNS overrides can be circumvented if the user chooses a different DNS server. You can, of course, block DNS queries to other DNS servers, to make things a bit harder for the user.

johnpoz · Feb 23, 2013, 12:28 PM

They own more than that. Yes dns is not always the perfect solution, but he has not stated the skill set of his userbase. And yes I would assume he prevents the use of other dns by blocking upd/tcp 53 outbound as well.

notify21.dropbox.com

CIDR: 108.160.160.0/20
NetName: DROPBOX

Klaws · Feb 23, 2013, 2:08 PM

@johnpoz:

[…] he has not stated the skill set of his userbase.

That's the point. Of course, the user can also use proxies to circumvent IP address blocks. Some procies have HTTP/HTML interfaces, so users won't even have to reconfigure their browsers.

Dropbox is, of course, a service for losers. ;) Geeks would have their own FTP servers, shell boxes, VPN endpoints. They might even bring in their own 3G router if they feel the urge to bypass the firewall with their work PC. I've even seen idiots unplugging the fax machine to dial into the internet via an old analogue modem (with the result that, on the next day, large parts of the companies's IT were infected by a virus).

The Computer Science lessons in school are actually a good way for kids to learn hacking firewalls. Not because it's taught (it isn't), but because the school's firewall is pretty restrictive. Once one kid finds out how to circumvent the blocks, this knowledge will spread to the other kids. If one these kids has a parent, and this parent is one of smizzio's users, this user might trun into a "script kiddie", erm, "script daddy/mommy" ;) - capable of circumventing security measures, but not understanding the risk.

Logging is a way to get the user's attention (if it's allowed in your country). Make sure that the users know that every bit of traffic is logged and that they'll get into trouble if anything pops up which might look like an IP address of a proxy, dropbox, VPN tunnels, whatever. if you don't want to be seen as the "network nazi", you might mention that surfing for lolcats is okay. ;)