Can block Facebook FQDN but not Twitter



  • Hi. I successfully managed to block Facebook with the Firewall by blocking its alias containing the FQDNs "www.facebook.com" and "apps.facebook.com".
    Why is it that I can't block Twitter the same way with the FQDN "www.twitter.com"?

    My alias config is:

    -SocialNetworking
          -Facebook
                  -www.facebook.com
                  -apps.facebook.com
                  -m.facebook.com
          -Twitter
                  -www.twitter.com
                  -mobile.twitter.com

    And then I configured my firewall rules to block SocialNetworking on the LAN interface. You can tell it's working coz Facebook is successfully blocked, just not Twitter.
    Also, being the n00b that I am, I'm trying to avoid using proxy based blocking coz I had a hard time understanding how to block HTTPS plus making block schedules.



  • An easier way might be to install pfBlockerNG

    https://forum.pfsense.org/index.php?topic=95249.msg529907#msg529907

    (just add another rule for Twitter instead of Facebook)


  • Moderator

    @Exolon:

    An easier way might be to install pfBlockerNG

    https://forum.pfsense.org/index.php?topic=95249.msg529907#msg529907

    (just add another rule for Twitter instead of Facebook)

    Hurricane Electric has since blocked all non-humans from downloading those files.. :)

    You can still use pfBlockerNG, but use the ASN feature to collect those IPs.



  • Thanks guys. So what this does is it blocks the list of IPs? But isn't that already available in the Firewall itself, by making an alias containing the IPs?
    I tried that configuration for FB and it worked but I considered it a no-go coz blocking by IPs require constant updating right?

    @BBcan177:

    You can actually do both… In Unbound or dnsmasq, create a Domain override. Also use pfBlockerNG to download the most recent IPs automatically daily/weekly as required. Hurricane Electric is a great source to collect IPs for almost any site.

    Oh so it updates the list automatically?


  • Moderator

    @gbreadman:

    Thanks guys. So what this does is it blocks the list of IPs? But isn't that already available in the Firewall itself, by making an alias containing the IPs?
    I tried that configuration for FB and it worked but I considered it a no-go coz blocking by IPs require constant updating right?

    That's what pfBlockerNG does… It's an IP list manager... So you can update per hour/day/week etc. to keep the aliastable up to date... So use the ASN feature to get those IPs and auto update the aliastable.

    https://forum.pfsense.org/index.php?topic=86212.0
    https://forum.pfsense.org/index.php?topic=102470.0



  • This looks like the solution for my problem, so thanks! (tho still haven't tested it lol).

    But I'm still curious; isn't my original config supposed to work? what could be the problem?


  • Moderator

    @gbreadman:

    This looks like the solution for my problem, so thanks! (tho still haven't tested it lol).

    But I'm still curious; isn't my original config supposed to work? what could be the problem?

    With FQDN, it just pulls a small number of IPs for the domain:

    drill www.twitter.com
    

    You could use the DNS Resolver/Forwarder, and nxdomain those domain names also.. but users can get around that by using the literal IP address as it doesn't need to resolve the address…



  • @BBcan177:

    With FQDN, it just pulls a small number of IPs for the domain

    Ah so that might be it…

    @BBcan177:

    but users can get around that by using the literal IP address as it doesn't need to resolve the address…

    ..pretty sure there was a checkbox which prevents users from using the literal IP add. :D



  • Alias Name: SocialNetworking
    IPv4 Lists:

    -Format: Whois
    -State: ON
    -Source: facebook.com

    -Format: Whois
    -State: ON
    -Source: twitter.com

    and no other config… I've also forced update/cron...
    The IP count total is only 5. I'm pretty sure it should be much more, esp. since there are two sites.
    Tested it, both aren't blocked..?


  • Moderator

    :) You basically did the same as the pfSense alias… When you use a FQDN, it just pulls a small amount of IPs... Use ASNs instead:

    facebook.com  AS63293 AS54115 AS32934
    twitter.com    AS23028

    ASN Lookup:
    https://asn.cymru.com/
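    To make the moderator's point from the last two replies concrete (an FQDN alias only holds the few addresses the resolver returned, so clients that land on another CDN edge or connect by literal IP slip past it, while an ASN prefix list covers the whole announced range), here is an added example in Python. It is not pfSense or pfBlockerNG code; every address, prefix and log line in it is constructed from RFC 5737 test ranges, and only the AS23028 label is taken from the thread.

```python
import ipaddress

# What a pfSense FQDN alias holds: the handful of addresses the resolver
# returned at table-refresh time (constructed RFC 5737 addresses, not real).
FQDN_ALIAS = {
    "www.twitter.com": ["198.51.100.10", "198.51.100.11"],
    "mobile.twitter.com": ["198.51.100.12"],
}

# What an ASN-based pfBlockerNG list holds: every prefix announced by the
# ASN. The label is the one from the thread; the prefixes are constructed.
ASN_PREFIXES = {
    "AS23028": ["198.51.100.0/24", "203.0.113.0/25"],
}

# Constructed firewall log lines: destinations LAN clients actually reached.
LOG_LINES = [
    "pass in on igb1 from 192.168.1.20 to 198.51.100.10 port 443",
    "pass in on igb1 from 192.168.1.21 to 198.51.100.57 port 443",  # edge not in alias
    "pass in on igb1 from 192.168.1.22 to 203.0.113.9 port 443",    # reached by literal IP
    "pass in on igb1 from 192.168.1.23 to 192.0.2.77 port 443",     # unrelated site
]

def alias_networks(alias):
    """Flatten an FQDN alias into host (/32) networks."""
    return [ipaddress.ip_network(a) for hosts in alias.values() for a in hosts]

def asn_networks(asn_map):
    """Flatten an ASN-to-prefix map into networks."""
    return [ipaddress.ip_network(p) for prefixes in asn_map.values() for p in prefixes]

def dest_of(line):
    """Pull the destination address out of a constructed log line."""
    return ipaddress.ip_address(line.split(" to ")[1].split()[0])

def coverage(log_lines, networks):
    """Destinations that a block rule on `networks` would have caught."""
    return sorted(str(d) for d in map(dest_of, log_lines)
                  if any(d in n for n in networks))

def compare(log_lines=LOG_LINES):
    """Coverage of the FQDN-alias policy versus the ASN-prefix policy."""
    return {"fqdn": coverage(log_lines, alias_networks(FQDN_ALIAS)),
            "asn": coverage(log_lines, asn_networks(ASN_PREFIXES))}

if __name__ == "__main__":
    for policy, caught in compare().items():
        print(f"{policy}: blocked {caught}")
```

    On this data the FQDN alias catches one of the three Twitter-range connections and the ASN list catches all three, while the unrelated destination is left alone by both.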



  • Yea, already figured how to use it, but currently using just ASNs and already got it working.. Will still add facebook.com and twitter.com just in case..
    So uh, what else can I say? You did a reaaally nice job on this package! ^^ (altho being a networking newbie, I still have a lot to learn to maximize tweaking capabilities haha)

    But one more thing, how do I disable the auto-creation of rules while still being able to use the auto updated alias tables? Coz that's all I need for now. Thanks again!


  • Moderator

    You can define the "Action" as an "Alias type", then it will just populate the aliastable. You can define the firewall rules referencing this table along with what ever settings you require for the firewall rules.

    Thanks!



  • Oh. Looks like someone's not paying attention.. lol. Thanks!!

    Edit: I am trying to experiment on alias table creation (will later move this topic).. Here's the situation:

    I managed to set up a captive portal with user authentication (non-RADIUS) and voucher support.
    Since this is a company network, we need to be able to separate employees from guests; account logins are considered employees, while voucher users are guests.

    Now, to prevent the employees from surfing the net for their personal interests, we need to block them on the firewall..
    I have successfully made block rules but so far, they are only good for blocking EVERYONE; The guests are prohibited from surfing the net as well.
    How do we solve this without using VLANs or multiple Captive Portals?
    I came upon the solution of adding account logins into an alias and making a block rule with this alias as the Source. (n00b question: Is what I'm saying correct? lol)

    IF I understood correctly, it is possible to use pfBlockerNG IPv4 List feature to load a local file containing IP or MAC addresses and refresh the list from time to time.
    We can then use this alias to apply rules for the addresses on the list.
    We can add their addresses on the list by configuring the captive portal to write them on the local file for every login.
    (Yet another n00b question: Am I right so far? aha)

    Now, where I need the most help with is how to be able to REMOVE addresses from the list once the users disconnect.

    OR if there is a better approach on this situation (coz really, I'm super new and I can only exercise what I know so far) xD