    How do I block Gtalk and other messengers

      kishore last edited by

      I have recently installed pfSense in my office, and I have created some groups. I want to block the Gtalk, Facebook and MSN messengers for one of the groups so that nobody in that group can chat using Gtalk, Facebook or MSN, either using the desktop software or within their gmail.com or Facebook accounts. Can anybody suggest how to block it?

        kathampy last edited by

        Most of them use HTTPS. You can't.

          kishore last edited by

          Thanks for your reply.

          I have done port blocking; all the ports are blocked. I have enabled only port 3128.

            kathampy last edited by

            It doesn't seem like you have successfully blocked all ports except 3128.

              doktornotor Banned last edited by

              @kishore:

              Thanks for your reply.
              I have done port blocking; all the ports are blocked. I have enabled only port 3128.

              Can as well cut off the wire…  ::)

                kejianshi last edited by

                Check out OpenDNS. If you can get all your clients using pfSense for DNS, load an OpenDNS account on pfSense in the dynamic DNS settings, and configure the OpenDNS account to block those things, you will probably get good(ish) results.

                  doktornotor Banned last edited by

                  Why did you start another thread?!

                  http://forum.pfsense.org/index.php/topic,66761.0.html

                    kejianshi last edited by

                    I typed a huge thread on using DNS with either OpenDNS or DynDNS to do this some time back.  So, since the forums are searchable, should be able to find it.  I'd hate to retype that big thing again  :'(

                      Nachtfalke last edited by

                      @KurianOfBorg:

                      Most of them use HTTPS. You can't.

                      That's not true in some circumstances.

                      Squid as a proxy and squidGuard/DansGuardian as a proxy filter can help you block websites on ports 80 and 443. Blocking on port 80 works fine with squid in transparent mode, but it is not so easy with 443 (HTTPS). If you want to filter 443 (HTTPS), you need to run squid2.x in non-transparent mode, block ports 80 and 443 on LAN, allow just 3128, AND put the proxy config into the web browsers' configuration.

                      https can be intercepted with new squid3-dev which uses squid 3.3.x. This version allows intercepting port 80 and port 443 traffic.

                      All other tools and chat programs which use ports other than 80 and 443 must be filtered by your firewall rules.

                      Redirect all DNS traffic to internal DNS Forwarder:
                      Just create a NAT rule on the LAN interface which redirects all destination port 53 traffic to the pfSense loopback address (127.0.0.1). Then, no matter which DNS server the clients have configured, they will be redirected to the pfSense interface and will use the DNS servers you have configured in pfSense General Setup.

                      There are other discussions on the forum which talk about NTP redirection which will also work with DNS. They are talking also about Outbound NAT rules but as far as I know no need to use them if destination address in the NAT rule is 127.0.0.1

                      Good luck!

                        Guest last edited by

                        I'd go with Kejianshi's idea. Though for social media sites, I'd block every purchased IP range they own, thus blocking both site and chatting features…

                        Google's DNS names for messaging services:
                        https://support.google.com/chat/answer/161980?hl=en

                        restrict access to use only your DNS servers:
                        https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

                          GruensFroeschli last edited by

                          @heavy1metal:

                          I'd go with Kejianshi's idea. Though for social media sites, I'd block every purchased IP range they own, thus blocking both site and chatting features…

                          Google's DNS names for messaging services:
                          https://support.google.com/chat/answer/161980?hl=en

                          restrict access to use only your DNS servers:
                          https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

                          Regarding the link to the "blocking DNS" entry on the wiki:
                          This: http://www.interspective.net/2012/07/pfsense-ntp-and-network-sneakery.html
                          Can be applied to DNS too.
                          I enable this "feature" sometimes for my girlfriend for facebook when she has to study.
                          The rule to block Facebook would look something like this:

                          address=/facebook.com/62.112.159.61
                          

                          The relevant page in the wiki for this is: https://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder

                          We do what we must, because we can.

                          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
