I configured HTTPS introducion but people still go HTTPS facebook



  • A few months ago my users couldn't log in to Facebook via HTTPS

    but now they can connect. I deleted and added something, I played with it, but I can't figure it out.

    I don't want anyone to go sign in with HTTPS, and I want to block Facebook and YouTube pages over HTTPS.

    Here are my screenshots:

    http://img.ctrlv.in/img/521b4a71a88f0.png

    http://img.ctrlv.in/img/521b4a2437122.png

    Is there any tutorial with updated IPs, or on the subject? How do I block the HTTPS tunnel with pfSense?

    thank you


  • No, you still cannot meaningfully block facebook by blocking IPs. Stop wasting your time.



  • You can whitelist, which is draconian, or you can unplug the internet, which is equally draconian, or you can crack knuckles with a ruler when people visit Facebook, if it's a school or business or something.

    Sometimes giving up is the correct choice though.



  • Hi,

    I used this list:

    Updated list as of 6/11/2013

    204.15.20.0/22
    69.63.176.0/20

    66.220.144.0/20
    66.220.144.0/21
    69.63.184.0/21
    69.63.176.0/21
    74.119.76.0/22
    69.171.255.0/24
    173.252.64.0/18
    69.171.224.0/19
    69.171.224.0/20
    103.4.96.0/22
    69.63.176.0/24
    173.252.64.0/19
    173.252.70.0/24
    31.13.64.0/18
    31.13.24.0/21
    66.220.152.0/21
    66.220.159.0/24
    69.171.239.0/24
    69.171.240.0/20
    31.13.64.0/19
    31.13.64.0/24
    31.13.65.0/24
    31.13.67.0/24
    31.13.68.0/24
    31.13.69.0/24
    31.13.70.0/24
    31.13.71.0/24
    31.13.72.0/24
    31.13.73.0/24
    31.13.74.0/24
    31.13.75.0/24
    31.13.76.0/24
    31.13.77.0/24
    31.13.96.0/19
    31.13.66.0/24
    173.252.96.0/19
    69.63.178.0/24
    31.13.78.0/24
    31.13.79.0/24
    31.13.80.0/24
    31.13.82.0/24
    31.13.83.0/24
    31.13.84.0/24
    31.13.85.0/24
    31.13.87.0/24
    31.13.88.0/24
    31.13.89.0/24
    31.13.90.0/24
    31.13.91.0/24
    31.13.92.0/24
    31.13.93.0/24
    31.13.94.0/24
    31.13.95.0/24
    69.171.253.0/24
    69.63.186.0/24
    204.15.20.0/22
    69.63.176.0/20
    69.63.176.0/21
    69.63.184.0/21
    66.220.144.0/20
    69.63.176.0/20

    Make an alias (block list).

    Source: http://stackoverflow.com/questions/11164672/list-of-ip-space-used-by-facebook

    From what I read and what I tried, you can't filter HTTPS content in a transparent proxy (if you are using squid).

    1. Install squid and squidguard.

    You can block everything you want, but not HTTPS:

    http://doc.pfsense.org/index.php/Setup_Squid_as_a_Transparent_Proxy

    Block or allow by categories. Create a special category that you want to block: all social networks (put facebook.com, twitter.com, youtube.com inside). Read the documentation […]

    2. Add an alias in the firewall settings (ex: facebook) and block it in the rules.

    That's it. And take a look at how the addresses are written: /24, /19.

    Good luck!
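As an added example (not code from the thread or from pfSense), here is a small Python script that takes the prefix list quoted above exactly as posted and collapses it with the standard library's ipaddress module. It shows how many distinct networks the list really contains once duplicates and prefixes already covered by a larger one are removed, gives a membership check for a single address, and prints the list in the one-prefix-per-line form you would paste into an alias. The list is the 2013 list from the post, used only as input; it is not a current list.

```python
"""Collapse a pasted block list into the minimal set of non-overlapping prefixes."""
import ipaddress
from typing import Iterable, List, Optional

# The prefix list quoted in the post above (dated 6/11/2013), copied verbatim,
# duplicates and all. It is this example's input, not current data.
RAW_BLOCK_LIST = """
204.15.20.0/22 69.63.176.0/20 66.220.144.0/20 66.220.144.0/21 69.63.184.0/21
69.63.176.0/21 74.119.76.0/22 69.171.255.0/24 173.252.64.0/18 69.171.224.0/19
69.171.224.0/20 103.4.96.0/22 69.63.176.0/24 173.252.64.0/19 173.252.70.0/24
31.13.64.0/18 31.13.24.0/21 66.220.152.0/21 66.220.159.0/24 69.171.239.0/24
69.171.240.0/20 31.13.64.0/19 31.13.64.0/24 31.13.65.0/24 31.13.67.0/24
31.13.68.0/24 31.13.69.0/24 31.13.70.0/24 31.13.71.0/24 31.13.72.0/24
31.13.73.0/24 31.13.74.0/24 31.13.75.0/24 31.13.76.0/24 31.13.77.0/24
31.13.96.0/19 31.13.66.0/24 173.252.96.0/19 69.63.178.0/24 31.13.78.0/24
31.13.79.0/24 31.13.80.0/24 31.13.82.0/24 31.13.83.0/24 31.13.84.0/24
31.13.85.0/24 31.13.87.0/24 31.13.88.0/24 31.13.89.0/24 31.13.90.0/24
31.13.91.0/24 31.13.92.0/24 31.13.93.0/24 31.13.94.0/24 31.13.95.0/24
69.171.253.0/24 69.63.186.0/24 204.15.20.0/22 69.63.176.0/20 69.63.176.0/21
69.63.184.0/21 66.220.144.0/20 69.63.176.0/20
"""


def parse_prefixes(text: str) -> List[ipaddress.IPv4Network]:
    """Parse whitespace-separated CIDR strings into network objects.

    strict=True rejects entries with host bits set (e.g. 31.13.70.5/24), so a
    typo in a block list fails loudly instead of silently widening the rule.
    """
    return [ipaddress.ip_network(token, strict=True) for token in text.split()]


def collapse(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Drop duplicates and covered prefixes, merge adjacent siblings, sort."""
    return list(ipaddress.collapse_addresses(nets))


def total_addresses(nets: Iterable[ipaddress.IPv4Network]) -> int:
    """Number of addresses the (collapsed) list actually blocks."""
    return sum(n.num_addresses for n in nets)


def covering_prefix(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Return the prefix that would match a given address, or None if unblocked."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def alias_lines(nets: Iterable[ipaddress.IPv4Network]) -> str:
    """One prefix per line: the form that pastes cleanly into an alias."""
    return "\n".join(str(n) for n in nets)


if __name__ == "__main__":
    raw = parse_prefixes(RAW_BLOCK_LIST)
    collapsed = collapse(raw)
    print(f"{len(raw)} entries as posted -> {len(collapsed)} distinct networks, "
          f"{total_addresses(collapsed)} addresses")
    print(alias_lines(collapsed))
    print("31.13.70.5 covered by:", covering_prefix("31.13.70.5", collapsed))
```

The collapsed output is what you would actually keep in the alias; the original list mostly repeats itself (every 31.13.x.0/24 is already inside 31.13.64.0/18, for instance), and a shorter list is easier to review and to refresh when the provider's ranges change.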



  • You can also set up DNS with OpenDNS or DynDNS and they have settings within their service to block social media and other things that it might be a pain to do inside a firewall.



  • Or you could always put up (wildcard) domain overrides on the dns forwarder to 127.0.0.1.



  • Here is the latest view of the admin panel about blocking Facebook:

    http://img.ctrlv.in/img/521c47f65b870.png

    http://img.ctrlv.in/img/521c480e5be4e.png

    Do I need to put in more Facebook IPs and CIDRs?

    I am using squid and squidguard.

    How will I be able to make an alias? I am a bit of a newbie.

    thank you



  • You are never going to get there this way…
    Please give the DNS option a shot.



    1. Only if you want to block all :) Facebook IP addresses.

    2. The first picture shows how Facebook is blocked by squidguard categories, so all pages from facebook.com are blocked.

    3. The rest are blocked by IP.

    Good luck with the work!



  • @kejianshi:

    You are never going to get there this way…
    Please give the DNS option a shot.

    OK.. try it..

    but.. https://de-de.facebook.com/

    Bienvenido a Facebook en Español (España)!
    https://es-es.facebook.com/

    are working if you put it in by DNS? Yes, it works. So do you want to put in all subdomains?

    Of course you know that subdomain.facebook.com is not the same as facebook.com.



  • Here is the DNS shot,

    and for the computers' DNS I put 192.168.1.253 (my pfSense IP).

    http://img.ctrlv.in/img/521c8ea0ea25e.png

    Any idea?

    Thanks



  • Yeah - get yourself a free OpenDNS account or DynDNS account.  Set up the dynamic DNS client in the pfSense menu.  Then put the DNS server IPs for the free account you set up in there in place of the IPs you currently have.  Uncheck the "Allow DNS list to be overridden" block.  Save that.  Then go into either the OpenDNS account or DynDNS account you set up online.  Log in.  Change your DNS options to filter whatever you like.

    Next, you will have to make sure that all of your client machines use ONLY pfsense to get their DNS.  That is done from the settings on each machine separately.  After all this is working, you can set up some rules that block the clients from getting to port 53 on any machine other than pfsense.

    GruensFroeschli also mentioned DNS overrides.  Not sure what he had in mind, but his idea may also be doable.



  • kejianshi, I did what you said and now it works.

    Thank you guys!



  • Ahhhh - Good.  I did write up how to do that a while ago, but virtually no one even looked at it.  I figured there was no interest.
    Yeah.  It worked for me too that way, but I really don't need the filtering now so I just run straight untampered DNS these days.



  • @kejianshi:

    GruensFroeschli also mentioned DNS overrides.  Not sure what he had in mind, but his idea may also be doable.

    On the DNS forwarder page you can create a wildcard override as described here.
    http://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder

    If you override *.facebook.com to 127.0.0.1 this should essentially block facebook.
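As an added example (not code from the thread, from pfSense or from dnsmasq), here is a Python model of how a forwarder wildcard override of the `address=/domain/ip` kind matches query names: the override for facebook.com catches facebook.com itself and every subdomain (so the de-de.facebook.com and es-es.facebook.com cases raised earlier fall under one entry), a more specific entry wins over a shorter one, and matching happens on label boundaries, so notfacebook.com is not caught by accident. The longest-suffix precedence and the UPSTREAM sentinel for "send this name to the normal resolver" are assumptions made for the model, not a statement of the forwarder's exact internals; the query names and table entries are constructed for the example.

```python
"""Model of wildcard DNS overrides: domain plus all subdomains, longest suffix wins."""
from typing import Dict, List, Optional

# Sentinel meaning "no override, let the real upstream resolve it" (assumption
# made for this model; dnsmasq expresses the same idea with a server=/domain/# line).
UPSTREAM = "upstream"


def labels(name: str) -> List[str]:
    """Normalise a query name: strip the trailing dot, lowercase, split on labels."""
    return name.rstrip(".").lower().split(".")


class OverrideTable:
    """Maps a domain (and implicitly every subdomain) to a target address."""

    def __init__(self) -> None:
        self._rules: Dict[str, str] = {}

    def add(self, domain: str, target: str) -> None:
        self._rules[".".join(labels(domain))] = target

    def resolve(self, qname: str) -> Optional[str]:
        """Return the override target for qname, or None if no rule applies.

        Candidate suffixes are tried longest first (a.b.c, then b.c, then c),
        so api.facebook.com can be excepted while *.facebook.com stays blocked.
        Matching on whole labels means 'notfacebook.com' never matches 'facebook.com'.
        """
        parts = labels(qname)
        for i in range(len(parts)):
            suffix = ".".join(parts[i:])
            if suffix in self._rules:
                return self._rules[suffix]
        return None

    def is_blocked(self, qname: str, sinkhole: str) -> bool:
        """True when the name would be answered with the sinkhole address."""
        return self.resolve(qname) == sinkhole

    def to_dnsmasq_lines(self) -> List[str]:
        """Render the table in dnsmasq custom-option syntax (address=/domain/ip)."""
        lines = []
        for domain, target in sorted(self._rules.items()):
            if target == UPSTREAM:
                lines.append(f"server=/{domain}/#")
            else:
                lines.append(f"address=/{domain}/{target}")
        return lines


def build_example_table() -> OverrideTable:
    """Constructed table: sinkhole facebook.com and youtube.com, except one API host."""
    table = OverrideTable()
    table.add("facebook.com", "127.0.0.1")
    table.add("youtube.com", "127.0.0.1")
    table.add("api.facebook.com", UPSTREAM)  # hypothetical exception for the model
    return table


if __name__ == "__main__":
    t = build_example_table()
    for q in ["facebook.com", "de-de.facebook.com", "es-es.facebook.com",
              "notfacebook.com", "graph.api.facebook.com", "www.youtube.com."]:
        print(f"{q:28} -> {t.resolve(q)}")
    print("\n".join(t.to_dnsmasq_lines()))
```

The model also makes the weakness of the approach visible: it only ever sees names that clients ask your forwarder to resolve, so a client pointed at another resolver, or one with a cached or hard-coded address, is not affected. That is why the advice earlier in the thread to force clients onto pfSense for DNS and to block port 53 elsewhere belongs together with the override.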



  • Would it be possible to override them and redirect to a specified HTTPS page that says something like "That page isn't allowed" or whatever?



  • Sure. As long as the webserver to which you resolve the domain provides a page for this domain.



  • I was thinking maybe such a page could be rolled into a package for pfsense somewhere, perhaps in an add on package.  The idea being that you could use such a DHCP redirect to catch all the filtering that squid based filtering misses - pretty much just the https stuff.  Having a block/filter terminate in a pretty page makes admins smile.

    I suppose such a page might even have to rest on the open web if 443 was already in use on pfsense.

    Maybe just something that says "I'm sorry - Your administrator doesn't allow access to this site"

    Followed by a series of banner ads to pay for bandwidth.  haha



  • I realize this is a fairly dead thread, but it was one that came up when I was googling the topic.

    My solution was a cross between a number of the ones given.

    I made a wildcard DNS entry for the site youtube.com and pointed it to one YouTube server: 74.125.230.167
    (look up a current server instead of using this IP)

    We have a rule to block HTTPS to that IP, and then we use squidGuard to limit YouTube access during working hours.

    That seems to be working for the moment.

    The downside is that we will need to update our rules if that particular YouTube server goes down…



  • Also ignoring that you broke HTTPS in the process. You can't proxy HTTPS without breaking its security. Many exploits have been done around this, like forcing Windows Update to install malware. Amazing what you can do when you tell clients to trust fake CAs.

