Myspace / Facebook / Instant Messaging

[heather22]

Good Evening,
I would like to know if there a way to block access to Facebook and Myspace as well as instant messaging. I tried to block myspace.com before and it only blocked it that one way leaving countless other ways to access it. Same with Facebook. Others like meebo.com and koolim.com are much of a pest as well.
This has been a real problem and would like a solution using Gargoyle please.
Thank you very much.

[Eric]

Sorry for taking a while to respond to this, but I've been out of town with sporadic internet access.

I suspect the problem is that you can't block encrypted (https) connections by domain name. The connection is encrypted so you can't tell whether you're connecting to a given site.

Try doing an nslookup to determine the ip(s) of the sites you want to block. For example, if I run:

Code: Select all

$nslookup facebook.com

I get:

Code: Select all

Non-authoritative answer:
Name:	facebook.com
Address: 69.63.181.11
Name:	facebook.com
Address: 69.63.181.12
Name:	facebook.com
Address: 69.63.184.142
Name:	facebook.com
Address: 69.63.187.17
Name:	facebook.com
Address: 69.63.187.19

You could just block those ips, but big sites like facebook control a large block of ip addresses, and this could change. Here's a trick you can use to address that. Do a whois on one of the above ip addresses, and it will often tell you what the exact range is.

Code: Select all

$whois 69.63.181.11

OrgName:    Facebook, Inc.
OrgID:      THEFA-3
Address:    156 University Ave, 3rd floor
City:       Palo Alto
StateProv:  CA
PostalCode: 94301
Country:    US

NetRange:   69.63.176.0 - 69.63.191.255
CIDR:       69.63.176.0/20
OriginAS:   AS32934
...

I just included the top portion of the whois result since that's the important part. It tells you that Facebook owns the 69.63.176.0/20 subnet. Block that, and you block facebook. Problem solved!

You can use the same tactic to lookup myspace.com as well. Actually, I'll save you some time: there are two subnets you should block for myspace, 16.178.32.0/20 and 63.135.80.0/20

[DoesItMatter]

Eric or anyone else that has setup blocks like this.

Can you put up examples or show how to do this?

I've not done this myself yet, but it looks interesting.

I'd like to figure out how to setup blocks, then try and break
my own blocks!

That way, we can take some pre-emptive strikes against people
trying to bypass this stuff and catch it before it happens

[florachan]

I haven't tried it but I think "opendns" offer social networking block.

cheers,
Flora

[fra&co]

yes but u need to force hosts to contact dns through the router otherwise people can set static custom dns on their host machines

in ohter words u must block 53 udp output and use router/gateaway ip as dns

[remote]

Can this not be done with dns? If one routs facebook.com to 192.168.1.1 this would even work for https. But I see gargoyle does not have this feature maybe it could be implemented in future version of gargoyle.

[throughwalls]

Can this not be done with dns? If one routs facebook.com to 192.168.1.1 this would even work for https. But I see gargoyle does not have this feature maybe it could be implemented in future version of gargoyle.

You can force this for all users of the router by editing the /etc/hosts file manually. This is not an option through the GUI

[anxname]

so, here is the solution how to block HTTPS Sites:

viewtopic.php?f=5&t=8185&p=42649#p42649


-------
Edit: removed duplicate - Lantis