I configured HTTPS introduction but people still go to HTTPS facebook
-
Here is the latest view of the admin panel about blocking facebook
http://img.ctrlv.in/img/521c47f65b870.png
http://img.ctrlv.in/img/521c480e5be4e.png
Do I need to put more facebook IPs and CIDRs?
I am using squid and squidguard.
How will I be able to make an alias? I am a newbie lil
thank you
-
You are never going to get there this way…
Please give the DNS option a shot.
-
1 - Only if u want to block all :) facebook ip address
2. First picture shows how facebook is blocked by squidguard categories: so all pages from facebook.com are blocked.
2. rest block by ip
Good luck with it!
-
You are never going to get there this way…
Please give the DNS option a shot.
ok.. try it ..
but .. https://de-de.facebook.com/
Welcome to Facebook in Spanish (Spain)!
https://es-es.facebook.com/
are working if u put by dns? yes it works. so you want to put all subdomain?
Of course you know that subdomain.facebook.com is not the same as facebook.com
-
Here is the DNS shot,
and for the computers' DNS I put 192.168.1.253 (my pfsense IP)
http://img.ctrlv.in/img/521c8ea0ea25e.png
any idea ?
thanks
-
Yeah - get yourself a free opendns account or DynDNS account. Set up the dynamic DNS client in the pfsense menu. Then put the DNS server IPs for the free account you set up in there in place of the IPs you currently have. Uncheck the "Allow DNS list to be overridden" block. Save that. Then go into either the opendns account or DynDNS account you set up online. Login. Change your DNS options to filter whatever you like.
Next, you will have to make sure that all of your client machines use ONLY pfsense to get their DNS. That is done from the settings on each machine separately. After all this is working, you can set up some rules that block the clients from getting to port 53 on any machine other than pfsense.
GruensFroeschli also mentioned DNS overrides. Not sure what he had in mind, but his idea may also be doable.
-
kejianshi, I did what you said and now it works.
thank you guys!
-
Ahhhh - Good. I did write up how to do that a while ago, but virtually no one even looked at it. I figured there was no interest.
Yeah. It worked for me too that way, but I really don't need the filtering now so I just run straight untampered DNS these days.
-
GruensFroeschli also mentioned DNS overrides. Not sure what he had in mind, but his idea may also be doable.
On the DNS forwarder page you can create a wildcard override as described here.
http://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder
If you override *.facebook.com to 127.0.0.1 this should essentially block facebook.
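
The difference between blocking one hostname and the wildcard override discussed above, as an added example that is not part of the original thread: a Python model of exact versus suffix matching on DNS label boundaries. The function names and sample hostnames are constructed for illustration, and the longest-suffix-wins rule is an assumption about how overlapping overrides are resolved.

```python
# Added example: a model of DNS override matching, not pfSense or dnsmasq code.
from typing import Optional


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def exact_override(name: str, hosts: dict) -> Optional[str]:
    """Host-style override: answers only for the exact name listed."""
    return hosts.get(normalize(name))


def wildcard_override(name: str, domains: dict) -> Optional[str]:
    """Domain-style override: answers for the domain and every subdomain.

    Matching walks label boundaries, so 'notfacebook.com' does not match
    'facebook.com'. The longest (most specific) configured suffix wins
    (assumed behaviour for overlapping entries).
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return domains[candidate]
    return None


def audit(names, hosts, domains):
    """Return {name: (exact_answer, wildcard_answer)} for each queried name."""
    return {n: (exact_override(n, hosts), wildcard_override(n, domains))
            for n in names}


# Constructed sample data: the override from the thread plus test names.
HOSTS = {"facebook.com": "127.0.0.1", "www.facebook.com": "127.0.0.1"}
DOMAINS = {"facebook.com": "127.0.0.1"}
QUERIES = ["facebook.com", "de-de.facebook.com", "ES-ES.Facebook.com.",
           "notfacebook.com", "facebook.com.example.org"]

if __name__ == "__main__":
    for name, (exact, wild) in audit(QUERIES, HOSTS, DOMAINS).items():
        print(f"{name:28} exact={exact}  wildcard={wild}")
```

Names for which the wildcard column is `None` are still forwarded upstream, and names where only the exact column is `None` are the regional subdomains a single-host block misses.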
-
Would it be possible to override them and redirect to a specified HTTPS page that says something like "That page isn't allowed" or whatever?
-
Sure. As long as the webserver to which you resolve the domain provides a page for this domain.
-
I was thinking maybe such a page could be rolled into a package for pfsense somewhere, perhaps in an add on package. The idea being that you could use such a DHCP redirect to catch all the filtering that squid based filtering misses - pretty much just the https stuff. Having a block/filter terminate in a pretty page makes admins smile.
I suppose such a page might even have to rest on the open web if 443 was already in use on pfsense.
Maybe just something that says "I'm sorry - Your administrator doesn't allow access to this site"
Followed by a series of banner ads to pay for bandwidth. haha
-
I realize this is a fairly dead thread, but it was one that came up when I was googling the topic.
My solution was a cross between a number of the ones given.
I made a wildcard DNS for the site youtube.com and pointed it to one youtube server: 74.125.230.167
(look up a current server instead of using this IP)
We have a rule to block https to that IP, and then we use squid-guard to limit youtube access during working hours.
That seems to be working for the moment.
The downside is that we will need to update our rules if that particular youtube server goes down…
-
Also ignoring that you broke HTTPS in the process. You can't proxy HTTPS without breaking its security. Many exploits have been done around this, like forcing Windows update to install Malware. Amazing what you can do when you tell clients to trust fake CAs.