Blocking orkut
-
Hi all
I'm trying to block the orkut site (www.orkut.com). How can I block it with pfsense?
I searched for this on Google and I found this: iptables -A FORWARD -d www.orkut.com -p tcp --dport 443 -j DROP
I tried to put this rule in the rules section but it does not work. It shows an error message:
The following input errors were detected:
A valid destination IP address or alias must be specified.
Then I tried to create an alias for the host orkut.com and it did not work again. I chose the type host and in the IP section I put orkut.com. The error is:
The following input errors were detected:
A valid address must be specified.
What is wrong with these rules? Can anybody help me?
Sorry for my poor English
thanks
-
You cannot enter URLs into an IP field.
You have to put the IP in this field, or create an alias with this IP and put the alias there.
Look up the IP of the address www.orkut.com and fill in the IP of the server.
-
Ok, I understand, but how can I insert this rule: iptables -A FORWARD -d www.orkut.com -p tcp --dport 443 -j DROP in pfsense's web interface?
-
Just create a firewall rule with the appropriate IP?
(Firewall->Rules.......)
-
Yes, I know that. Orkut's IPs are:
209.85.193.85
209.85.193.86
209.85.193.87
209.85.193.94
But if I create a rule denying these IPs, access to www.orkut.com is still allowed.
I noticed that when the site www.orkut.com is opened, the browser redirects www.orkut.com to https://www.google.com/accounts/ServiceLogin?service=orkut&continue=http%3A%2F%2Fwww.orkut.com%2FRedirLogin.aspx%3Fmsg%3D0%26page%3Dhttp%253A%252F%252Fwww.orkut.com%252F&hl=pt-BR&passive=true
My problem is: how can I block the site www.orkut.com?
P.S.: squid does not work because orkut uses https.
-
Hmm… if orkut.com only relays to a Google server then I don't think you can use normal firewall rules.
What you could try:
If your clients use pfSense as DNS server you could set up, on the DNS forwarder config page, a new authoritative DNS server that does not resolve the domain.
You can override whole domains there.
Just set the DNS server to something invalid and your clients behind pfSense should no longer be able to resolve orkut.com
But if your clients access the Google page directly.......
I don't really know squid but I think there should be some way to filter this with it.
Maybe someone else could help you with this.
-
A correction:
iptables -A FORWARD -d www.orkut.com -p tcp --dport 443 -j DROP does not work on FreeBSD. This is a Linux iptables rule. I'm sorry…
Back to orkut:
I did this on the DNS forwarder config page:
Below you can override an entire domain by specifying an authoritative dns server to be queried for that domain.
Domain IP Description
www.orkut.com 0.0.0.0 Orkut
orkut 0.0.0.0 Orkut
orkut.com 0.0.0.0 Orkut
I click on save, but it does not work…. :( The f**** orkut is still accessible
Did I do something wrong?
-
Nothing wrong. I just tried it too.
I never really worked with the override domain thing and it was just an idea. But apparently one that does not work :)
Maybe someone from the squid camp in this forum can help you.
-
Ok thanks for the help.
One more thing:
Is it possible to insert a pf rule similar to this iptables rule in pfsense's web interface?
iptables -A FORWARD -d www.orkut.com -p tcp --dport 443 -j DROP
On the Internet, many sites say that this rule is enough to block orkut, because it blocks the orkut domain, not the IPs. But this rule only works in iptables. I do not know how to translate it for pfsense.
This is my last shot before going to the squid camp
-
http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&apropos=0&manpath=FreeBSD+6.2-RELEASE
-
Which script starts pf in pfsense and where is it located?
In /etc/defaults/rc.conf, the pf_enable tag is set to "NO".
/etc/pf.conf is entirely commented out.
Is it impossible to insert that iptables rule, translated to pf of course, through pfsense's web interface?
Thanks for the help.
-
A correction:
Back to orkut:
I did this on the DNS forwarder config page:
Below you can override an entire domain by specifying an authoritative dns server to be queried for that domain.
Domain IP Description
www.orkut.com 0.0.0.0 Orkut
orkut 0.0.0.0 Orkut
orkut.com 0.0.0.0 Orkut
I click on save, but it does not work…. :(
Did I do something wrong?

Your users need to have ONLY pfsense as their DNS server. That will work. If they have other sources for DNS then it will not work.
-
I block my users with opendns.com
-
It works with OpenDNS. thanks cdsu.
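-
Added example, not part of any post in this thread: the DNS override discussed above only holds if clients resolve through the firewall alone, so this sketch scans connection records for LAN clients whose DNS queries were passed to some other resolver. The log format, the addresses 192.168.1.1 and 192.168.1.0/24, and the function names are assumptions made for the example; this is not pfSense's own log format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (NOT pfSense's real log format):
# "<time> <action> <proto> <src_ip>:<src_port> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
10:00:01 pass udp 192.168.1.20:53122 192.168.1.1:53
10:00:02 pass udp 192.168.1.31:40211 198.51.100.53:53
10:00:03 pass tcp 192.168.1.20:51000 209.85.193.85:443
10:00:05 pass tcp 192.168.1.31:40300 198.51.100.10:53
10:00:06 block udp 192.168.1.44:39000 203.0.113.53:53
10:00:07 pass udp 10.9.9.9:5353 198.51.100.53:53
malformed line
"""

def split_endpoint(text):
    """Split 'ip:port' into (ip_address, int); raises ValueError if malformed."""
    ip, port = text.rsplit(":", 1)
    return ipaddress.ip_address(ip), int(port)

def find_dns_bypass(log_text, firewall_ip, lan_cidr, dns_ports=(53,)):
    """Return {client_ip: sorted foreign resolvers} for LAN clients whose DNS
    traffic was passed to anything other than the firewall's own resolver."""
    firewall = ipaddress.ip_address(firewall_ip)
    lan = ipaddress.ip_network(lan_cidr)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip records that do not match the assumed format
        _, action, proto, src, dst = fields
        try:
            src_ip, _ = split_endpoint(src)
            dst_ip, dst_port = split_endpoint(dst)
        except ValueError:
            continue
        if action != "pass" or proto not in ("udp", "tcp"):
            continue  # blocked queries never reached the outside resolver
        if dst_port in dns_ports and src_ip in lan and dst_ip != firewall:
            hits[str(src_ip)].add(str(dst_ip))
    return {client: sorted(servers) for client, servers in hits.items()}

if __name__ == "__main__":
    found = find_dns_bypass(SAMPLE_LOG, "192.168.1.1", "192.168.1.0/24")
    for client, servers in found.items():
        print(f"{client} resolves via {', '.join(servers)} instead of the firewall")
```

Any client it reports is unaffected by a domain override on the firewall; blocking outbound port 53 from the LAN to everything except the firewall closes that path.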