Netgate Discussion Forum

    Raises hand, network wins this time.

Firewalling
5 Posts 3 Posters 1.8k Views
Capt.Michaels

I'm such a newb. I've tried blocking certain websites (MySpace, etc.) on LAN, WAN, any source, any protocol. I was a good egg and read a ton of posts, links, General Forum -> Repeated Questions, posts by hoba and so much more. I swear I followed to the "T" what I was told to do in each instance. I configured it on the router and the tests failed on the clients. I cannot figure it out. What book do I have to go buy and learn something from, or what is my next step? I hate getting whipped, but I raise my hands up, I'm beaten, please help. :-[

      Never stop learning.

sullrich

Your best bet is to try out the SquidGuard package. Blocking websites can be tedious because a lot of the time a website has multiple IP addresses, and they can change depending on whether the hoster has load balancing, etc.

        For example, take a look at www.google.com:

        scott-ullrichs-mac-pro:~ sullrich$ dig www.google.com @10.0.0.65

        ; <<>> DiG 9.4.1-P1 <<>> www.google.com @10.0.0.65
        ; (1 server found)
        ;; global options:  printcmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24580
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;www.google.com. IN A

        ;; ANSWER SECTION:
        www.google.com. 1301 IN CNAME www.l.google.com.
        www.l.google.com. 300 IN A 74.125.47.147
        www.l.google.com. 300 IN A 74.125.47.104
        www.l.google.com. 300 IN A 74.125.47.103
        www.l.google.com. 300 IN A 74.125.47.99

        ;; Query time: 54 msec
        ;; SERVER: 10.0.0.65#53(10.0.0.65)
        ;; WHEN: Fri May  2 17:12:35 2008
        ;; MSG SIZE  rcvd: 116

        Notice all of the A records pointing to 4 different IP addresses.

        Now watch what happens when I query a different name server:

        scott-ullrichs-mac-pro:~ sullrich$ dig www.google.com @10.0.0.11

        ; <<>> DiG 9.4.1-P1 <<>> www.google.com @10.0.0.11
        ; (1 server found)
        ;; global options:  printcmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40747
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;www.google.com. IN A

        ;; ANSWER SECTION:
        www.google.com. 1333 IN CNAME www.l.google.com.
        www.l.google.com. 268 IN A 74.125.47.104
        www.l.google.com. 268 IN A 74.125.47.103
        www.l.google.com. 268 IN A 74.125.47.99
        www.l.google.com. 268 IN A 74.125.47.147

        ;; Query time: 44 msec
        ;; SERVER: 10.0.0.11#53(10.0.0.11)
        ;; WHEN: Fri May  2 17:13:07 2008
        ;; MSG SIZE  rcvd: 116

See the different IP address in there? It gets rather tedious to add all of these IP addresses to the LAN block rules to enforce blockage. Using SquidGuard shifts the burden to the protocol level.

        Hope this helps.

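A small script, added here as an example and not code from the thread, that parses the two dig ANSWER sections quoted above, confirms they hold the same four addresses in rotated order (the resolver hands them out round-robin), reads the A-record TTL as the time after which the answer may legitimately change, and merges several observations into a one-address-per-line file that a pf table (or a pfSense alias) can load. The third answer section is constructed for illustration and uses a TEST-NET-1 documentation address; the record regex assumes dig's default one-record-per-line output.

```python
"""Parse dig ANSWER sections, compare address sets, emit a pf table file.

Added example, not from the thread. The first two answer sections are copied
from the dig output posted above; the third is constructed to show a later
query returning an address outside the original set.
"""
import re
from ipaddress import ip_address
from typing import Iterable, List, Set, Tuple

# Copied from the query against 10.0.0.65.
ANSWER_10_0_0_65 = """\
www.google.com.     1301 IN CNAME www.l.google.com.
www.l.google.com.   300  IN A     74.125.47.147
www.l.google.com.   300  IN A     74.125.47.104
www.l.google.com.   300  IN A     74.125.47.103
www.l.google.com.   300  IN A     74.125.47.99
"""

# Copied from the query against 10.0.0.11.
ANSWER_10_0_0_11 = """\
www.google.com.     1333 IN CNAME www.l.google.com.
www.l.google.com.   268  IN A     74.125.47.104
www.l.google.com.   268  IN A     74.125.47.103
www.l.google.com.   268  IN A     74.125.47.99
www.l.google.com.   268  IN A     74.125.47.147
"""

# Constructed, not from the thread: a later answer after the hoster swaps an
# address in. 192.0.2.0/24 is documentation space (TEST-NET-1), not a real host.
ANSWER_LATER_CONSTRUCTED = """\
www.google.com.     900  IN CNAME www.l.google.com.
www.l.google.com.   300  IN A     74.125.47.147
www.l.google.com.   300  IN A     192.0.2.10
"""

# owner  ttl  IN  type  rdata   (dig's default presentation format)
RR = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>\S+)$")


def parse_answer(text: str) -> List[Tuple[str, int, str, str]]:
    """Turn one ANSWER section into (owner, ttl, type, rdata) tuples.
    Comment (';') and blank lines are skipped; anything else unparseable raises."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR.match(line)
        if not m:
            raise ValueError(f"unrecognised record line: {line!r}")
        records.append((m["name"], int(m["ttl"]), m["type"], m["data"]))
    return records


def a_records_in_order(text: str) -> List[str]:
    """IPv4 addresses in the order the resolver returned them (round-robin order)."""
    return [data for _, _, rtype, data in parse_answer(text) if rtype == "A"]


def a_record_set(text: str) -> Set[str]:
    """The addresses as a set: this, not the order, is what a block rule must cover."""
    return set(a_records_in_order(text))


def min_a_ttl(text: str) -> int:
    """Seconds until the resolver may legitimately return a different A answer."""
    ttls = [ttl for _, ttl, rtype, _ in parse_answer(text) if rtype == "A"]
    if not ttls:
        raise ValueError("no A records in answer")
    return min(ttls)


def new_addresses(known: Set[str], text: str) -> List[str]:
    """Addresses in a fresh answer that an existing block list does not cover."""
    return sorted(a_record_set(text) - known, key=ip_address)


def merge_observations(*texts: str) -> List[str]:
    """Union of every address seen across several queries, sorted numerically."""
    seen: Set[str] = set().union(*(a_record_set(t) for t in texts))
    return sorted(seen, key=ip_address)


def pf_table_file(addresses: Iterable[str]) -> str:
    """One address per line: the format `table <name> persist file "..."` loads."""
    return "".join(f"{a}\n" for a in addresses)


if __name__ == "__main__":
    print("same set:", a_record_set(ANSWER_10_0_0_65) == a_record_set(ANSWER_10_0_0_11))
    print("same order:", a_records_in_order(ANSWER_10_0_0_65) == a_records_in_order(ANSWER_10_0_0_11))
    print("re-check after", min_a_ttl(ANSWER_10_0_0_11), "seconds")
    print("not yet blocked:", new_addresses(a_record_set(ANSWER_10_0_0_65), ANSWER_LATER_CONSTRUCTED))
    print(pf_table_file(merge_observations(ANSWER_10_0_0_65, ANSWER_10_0_0_11, ANSWER_LATER_CONSTRUCTED)), end="")
```

The two real answers differ only in order, which is why a rule written from one dig run can look complete and still miss hosts a day later: once the A-record TTL expires the resolver may return a different set. Feeding the merged file to a pf table keeps the rule in one place, but the list still has to be refreshed, which is the maintenance burden the proxy approach avoids.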
Perry

          A few days ago this was posted

Another option is to use www.Opendns.com. I also only allow my DNS servers to access port 53 on the WAN, so users cannot circumvent DNS filtering.

          /Perry
          doc.pfsense.org

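The "only my DNS servers may reach port 53 on the WAN" rule from the post above, written out as a pf rule fragment. This is an added example, not from the thread and not the rule set pfSense generates; the interface names, LAN subnet and firewall address are assumptions, and the upstream addresses are the resolvers OpenDNS publishes, which should be confirmed against OpenDNS's current documentation before use.

```pf
# Added example; not from the thread, not pfSense's generated rules.
# Assumed layout (not in the original): LAN on em1 = 192.168.1.0/24, the
# firewall's DNS forwarder listening on 192.168.1.1, WAN on em0.
lan_if  = "em1"
wan_if  = "em0"
lan_net = "192.168.1.0/24"
fw_lan  = "192.168.1.1"
table <upstream_dns> { 208.67.222.222, 208.67.220.220 }   # OpenDNS published resolvers

# Weak: the usual "LAN to any" rule on its own lets a client point its
# resolver at any public DNS server and walk straight past the filter.
#   pass in quick on $lan_if inet from $lan_net to any keep state

# Hardened: first-match order, top to bottom.
# 1. Clients may speak DNS only to the forwarder on the firewall.
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to $fw_lan port 53 keep state
# 2. Any other DNS leaving the LAN is dropped and logged, so bypass attempts
#    show up in the firewall log instead of silently working.
block in log quick on $lan_if inet proto { tcp, udp } from $lan_net to any port 53
# 3. On the WAN only the firewall itself may query, and only the chosen upstreams.
pass out quick on $wan_if inet proto { tcp, udp } from ($wan_if) to <upstream_dns> port 53 keep state
block out log quick on $wan_if inet proto { tcp, udp } to any port 53
# 4. Everything else from the LAN proceeds as before.
pass in quick on $lan_if inet from $lan_net to any keep state
```

In the pfSense GUI the same thing is the first three rules on Firewall > Rules > LAN in that order (GUI rules are first-match, the equivalent of `quick`), with the forwarder itself configured to send to the filtering resolvers. Rule 2 is the one that actually stops clients; rule 3 covers the firewall's own queries and anything that reaches the WAN by another path. The caveat: this catches plain DNS on port 53 only. A client that uses DNS over TLS (port 853) or DNS over HTTPS (port 443), or that types the destination IP directly, is not touched by these rules, which is why the proxy approach from the earlier reply is the better fit when the goal is blocking sites rather than just blocking one resolver path.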
sullrich

@Perry:

A few days ago this was posted

Another option is to use www.Opendns.com. I also only allow my DNS servers to access port 53 on the WAN, so users cannot circumvent DNS filtering.

            Yes, I keep forgetting about OpenDNS's extra features (I use it only for DNS with no blocking at home).  That would be perfect for you, give it a try.

Capt.Michaels

Wow... thanks, guys. I see what you mean about multiple IPs. Try not to laugh too hard, but imagine, before this post, a newb like me pecking away at work putting in 15 IPs for one site. I did. :-[

I will try SquidGuard and OpenDNS. Oh man... talk about feeling spanked, but I refuse to quit... Heh. You guys rock.

              Never stop learning.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.