How to block a website?

Deleted member 2077

Guest
I have FreeBSD as a router with natd/ipfw. That works wonderfully, but I would like to block some websites on the network layer.

What is the easiest way to block a website?

I tried this, but it didn't work:
Code:
ipfw add deny tcp from any to badwebsite.com


Some sites have multiple IPs, so add them manually for each one.
 
Advertising domains can be blocked in DNS, either in /etc/hosts or with BIND.

That can also be somewhat effective if you're trying to prevent use of certain domains, but can be bypassed by using IP addresses.
 
Well, generally speaking that's tough to do, because even if you block it, a user can use an outside proxy to bypass it. Putting effort into detecting whether a user is using a proxy is kind of a waste of resources too. That can, for example, be bypassed by using a tunnel somewhere out.

A proxy (at your site) is a good start, but don't rely on it too much.
 
I guess I should have said 'block all traffic to an outside IP', since I got an answer on everything but what I was asking. :P

A transparent proxy isn't allowed. Manual proxy is disabled (and they won't use it anyway).
They can easily get to other ports (which is our concern), not just 80.
hosts/DNS is easy to get around. In fact, it has the IP hardcoded if DNS fails.

If they tunnel/vpn, it's no longer our problem.


Anyway, here is the answer:
Code:
ipfw add 350 deny ip from any to 1.2.3.4

The reason it wasn't working is that it was higher than our keep-state and pass-all rules.
Putting it lower in the rules fixed it.
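The ordering problem described in this post, as an added example that is not part of the thread: a small Python walker over constructed `ipfw list` output (the ruleset and addresses are assumptions, not the poster's actual rules) that reports which rule a new connection would hit first, showing why the deny had to be numbered below the keep-state and pass-all rules.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed `ipfw list` output (not from the thread) reproducing the mistake
# described above: the deny is numbered above the keep-state and pass-all
# rules, so a new connection is accepted before the deny is ever evaluated.
BROKEN_RULESET = """\
00200 check-state
00400 allow tcp from 192.168.1.0/24 to any keep-state
00500 allow ip from any to any
00600 deny ip from any to 1.2.3.4
65535 deny ip from any to any
"""
# Same ruleset with the fix from the thread: the deny renumbered to 350.
FIXED_RULESET = """\
00200 check-state
00350 deny ip from any to 1.2.3.4
00400 allow tcp from 192.168.1.0/24 to any keep-state
00500 allow ip from any to any
65535 deny ip from any to any
"""
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|pass|accept|deny|drop|check-state)"
    r"(?:\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))?"
)

def parse_rules(text):
    """Parse `ipfw list` lines into dicts, sorted as ipfw evaluates them."""
    rules = [m.groupdict() for m in map(RULE_RE.match, text.splitlines()) if m]
    return sorted(rules, key=lambda r: int(r["num"]))

def covers(token, ip):
    """True if an ipfw address token ("any", a host, or a CIDR) includes ip."""
    if token == "any":
        return True
    try:
        return ip in ip_network(token, strict=False)
    except ValueError:  # "me", table(N), etc. are not modelled here
        return False

def first_match(rules_text, proto, src_ip, dst_ip):
    """Walk the rules as ipfw would for the first packet of a new flow and
    return (rule number, "allow"/"deny") of the terminating rule it hits."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in parse_rules(rules_text):
        if r["action"] == "check-state":
            continue  # matches only existing dynamic state; a new flow has none
        if (r["proto"] in ("ip", "all", proto)
                and covers(r["src"], src) and covers(r["dst"], dst)):
            return int(r["num"]), "deny" if r["action"] in ("deny", "drop") else "allow"
    return None  # unreachable with ipfw's default rule 65535 present
```

Rule options such as `via`, `in`/`out` and port lists are deliberately not modelled; the walker only demonstrates the numeric-order evaluation that bit the poster.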
 
matoatlantis said:
Well, generally speaking that's tough to do, because even if you block it, a user can use an outside proxy to bypass it.
Which is why you should block all outside access for clients. The only way they can browse the internet is via the corporate proxy.

Putting effort into detecting whether a user is using a proxy is kind of a waste of resources too. That can, for example, be bypassed by using a tunnel somewhere out.
Windows clients can easily be prevented from changing their proxy settings by applying proper group policies (and removing local administrator privileges for all users).
 
SirDice said:
The only way they can browse the internet is via the corporate proxy.

Ok, but usually you need other ports to be opened too (due to business needs), like port 22. It's hard (too strong to use the word impossible) to track all locations where this has to be opened. And even tracking the locations doesn't necessarily mean you are safe.

As I said, trying to block some website is next to impossible. You can try, you may partially succeed, but there is always somebody who finds a way out.
 