Is it possible to block a site by domain name?

For example:

REJECT loc net:www.domin1.com tcp 443
REJECT loc net:www.domin2.com tcp 80

It can be IP, but at the same time I wonder if you can do it just by domain name.

Greetings!!

--
I.S.C. William López Jiménez
--
User Linux # 379636
MSN wljkoala23@hotmail.com
Jabber koalasoft@jabber.org
Web: www.koalasoftmx.tk
Twitter: @koalasoft
Facebook: william.koalasoft

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 12/07/12 08:50, I.S.C. William wrote:
> Is it possible to block a site by domain name?
>
> For example:
>
> REJECT loc net:www.domin1.com tcp 443
> REJECT loc net:www.domin2.com tcp 80
>
> It can be IP, but at the same time I wonder if you can do it just by domain name.

You can do this, but it is not recommended because:

1. The name is resolved to an IP address on startup, and after that only the IP is used. So if the site changes addresses, this will become ineffective until you restart Shorewall.

2. If you don't have working DNS resolution on startup, Shorewall will fail to start.

Because of this, you're much better off redirecting all browsing through a local proxy and blocking it there with squidGuard, DansGuardian, or something similar.

Paul
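As an added example (not from this thread or from the Shorewall project), the script below pre-resolves a hostname block list into IP-based Shorewall REJECT rules and reports the two failure modes Paul describes: names that do not resolve (which would stop Shorewall starting) and names whose addresses have changed since the rules were generated, so an operator can re-run it and reload instead of silently losing the block. The resolver is injected so it runs offline; the hostnames and addresses in FAKE_DNS are constructed, and the rule layout assumes the Shorewall rules-file column order ACTION SOURCE DEST PROTO DPORT used in the original question.

```python
import socket
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]  # hostname -> IPv4 addresses

def system_resolver(name: str) -> List[str]:
    """Live DNS lookup for real use; raises OSError when resolution fails."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def generate_rules(hosts: Iterable[str], resolve: Resolver,
                   ports=(80, 443), zone: str = "loc") -> Dict[str, list]:
    """Resolve each host now and emit one REJECT per address and port.
    Columns follow the Shorewall rules file (ACTION SOURCE DEST PROTO DPORT);
    the hostname goes in a trailing comment so stale_hosts() can map it back."""
    rules, unresolved = [], []
    for host in hosts:
        try:
            addrs = resolve(host)
        except OSError:
            addrs = []
        if not addrs:
            unresolved.append(host)  # as net:host this would stop Shorewall starting
            continue
        for ip in addrs:
            for port in ports:
                rules.append(f"REJECT\t{zone}\tnet:{ip}\ttcp\t{port}\t# {host}")
    return {"rules": rules, "unresolved": unresolved}

def stale_hosts(rules: List[str], resolve: Resolver) -> List[str]:
    """Hosts whose current addresses differ from those baked into the rules."""
    baked: Dict[str, set] = {}
    for line in rules:
        body, _, host = line.partition("# ")
        ip = body.split("\t")[2][len("net:"):]
        baked.setdefault(host, set()).add(ip)
    return sorted(h for h, ips in baked.items() if set(resolve(h)) != ips)

# Constructed stand-in for DNS so the example runs offline; the addresses are
# RFC 5737 documentation ranges, not real sites.
FAKE_DNS = {"www.domin1.com": ["192.0.2.10"],
            "www.domin2.com": ["198.51.100.5", "198.51.100.6"]}

def fake_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    out = generate_rules(["www.domin1.com", "www.domin2.com", "nodns.invalid"], fake_resolver)
    print("\n".join(out["rules"]))
    print("unresolved:", out["unresolved"])
```

Swap fake_resolver for system_resolver to generate against live DNS, and run stale_hosts() from cron against the saved rules to learn when a reload is due.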
Ok, I understand, and thank you very much.

The main reason is that I need to block Google's domains, such as YouTube and Google Drive, as these have the same IP with different types of subdomain.

I cannot do it by proxy as this does not handle HTTPS ports; therefore it has to be done by Shorewall.
And as also mentioned, I cannot block the IP of Google, let alone the HTTPS port, to block the Google Drive and YouTube sites on 443.

If you have a better idea I could comment, please ..

Greetings!

2012/7/11 Paul Gear <paul@gear.dyndns.org>
> On 12/07/12 08:50, I.S.C. William wrote:
> > Is it possible to block a site by domain name?
> >
> > For example:
> >
> > REJECT loc net:www.domin1.com tcp 443
> > REJECT loc net:www.domin2.com tcp 80
> >
> > It can be IP, but at the same time I wonder if you can do it just by domain name.
>
> You can do this, but it is not recommended because:
>
> 1. The name is resolved to an IP address on startup, and after that only
> the IP is used. So if the site changes addresses, this will become
> ineffective until you restart Shorewall.
>
> 2. If you don't have working DNS resolution on startup, Shorewall will
> fail to start.
>
> Because of this, you're much better off redirecting all browsing through
> a local proxy and blocking it there with squidGuard, DansGuardian, or
> something similar.
>
> Paul
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
I.S.C. William López Jiménez
--
User Linux # 379636
MSN wljkoala23@hotmail.com
Jabber koalasoft@jabber.org
Web: www.koalasoftmx.tk
Twitter: @koalasoft
Facebook: william.koalasoft
I.S.C. William wrote:
> The main reason is that I need to block Google's domains, such as
> YouTube and Google Drive, as these have the same IP with different
> types of subdomain.
>
> I cannot do it by proxy as this does not handle HTTPS ports; therefore
> it has to be done by Shorewall.

You could try doing it in DNS. Run your own DNS server, and <by whatever means> block it from returning an address for the sites you want to block. You'll need to block access to any other DNS so people can't just use an outside server.

Some firewalls also have an option to intercept DNS traffic passing through, and run all queries past a block list provided by a vendor or 3rd party. Usually this is to restrict access to inappropriate content (e.g. in schools), but I'd expect there to be an option to manually add entries.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
> Ok, I understand, and thank you very much.
>
> The main reason is that I need to block Google's domains, such as YouTube
> and Google Drive, as these have the same IP with different types of
> subdomain.
>
> I cannot do it by proxy as this does not handle HTTPS ports; therefore it
> has to be done by Shorewall.
> And as also mentioned, I cannot block the IP of Google, let alone the
> HTTPS port, to block the Google Drive and YouTube sites on 443.
>
> If you have a better idea I could comment, please ..
>
> Greetings!

I never tried it, but it seems to work with Squid:
http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/

You can't block using IP address because sites have a lot of IPs around the world.

A proxy like Squid is a good solution for this.

Best regards.

--
Emiliano Vazquez | PcCentro Informatica & CCTV
Office: +54 (11) 4951-0203 Interno 4
Movil: 011-15-6253-7165
Mail: emilianovazquez@gmail.com
Web: http://www.pccentro.com.ar
Indeed it can be done with Squid Proxy; even so, I have my filters. The detail is that the proxy cannot control the safe harbor traffic (HTTPS), so this should be done by the firewall.

So my question is about how to block those sites.

Greetings!

2012/7/12 Emiliano Vazquez <emilianovazquez@gmail.com>
> > Ok, I understand, and thank you very much.
> >
> > The main reason is that I need to block Google's domains, such as YouTube
> > and Google Drive, as these have the same IP with different types of
> > subdomain.
> >
> > I cannot do it by proxy as this does not handle HTTPS ports; therefore it
> > has to be done by Shorewall.
> > And as also mentioned, I cannot block the IP of Google, let alone the
> > HTTPS port, to block the Google Drive and YouTube sites on 443.
> >
> > If you have a better idea I could comment, please ..
> >
> > Greetings!
>
> I never tried it, but it seems to work with Squid:
> http://blog.davidvassallo.me/2011/03/22/squid-transparent-ssl-interception/
>
> You can't block using IP address because sites have a lot of IPs around
> the world.
>
> A proxy like Squid is a good solution for this.
>
> Best regards.
>
> --
> Emiliano Vazquez | PcCentro Informatica & CCTV
> Office: +54 (11) 4951-0203 Interno 4
> Movil: 011-15-6253-7165
> Mail: emilianovazquez@gmail.com
> Web: http://www.pccentro.com.ar

--
I.S.C. William López Jiménez
--
User Linux # 379636
MSN wljkoala23@hotmail.com
Jabber koalasoft@jabber.org
Web: www.koalasoftmx.tk
Twitter: @koalasoft
Facebook: william.koalasoft
On 13/07/12 00:36, I.S.C. William wrote:
> Indeed it can be done with Squid Proxy; even so, I have my filters. The
> detail is that the proxy cannot control the safe harbor traffic (HTTPS), so
> this should be done by the firewall.
>
> So my question is about how to block those sites.

The DNS method Simon suggested is probably not workable if you have some people who need access to Google and some who don't. Although a solution like OpenDNS might allow you that flexibility.

The best option is proxy. HTTPS can be safely proxied. It can also be filtered at the proxy. The only thing you can't do is see the URLs being accessed on HTTPS sites. All you can do is block or allow the site.

So my suggestion is:
1. Do not allow HTTPS out directly, i.e. block loc2net (or whatever your local zone is called) for HTTPS.
2. Force all network devices to access HTTPS sites via proxy.
3. Use proxy to block or allow sites as needed.

Another (overkill) option is to find the netblock used by Google at your location (e.g. mine is 74.125.0.0/16 for google.com, 173.194.0.0/16 for gmail.com, etc.) and DROP/REJECT traffic to the whole netblock.

Paul
Thanks Paul

You have given me an idea, but can I see the ranges that use that domain, as you showed me?

Thanks for the help!!

2012/7/13 Paul Gear <paul@gear.dyndns.org>
> On 13/07/12 00:36, I.S.C. William wrote:
> > Indeed it can be done with Squid Proxy; even so, I have my filters. The
> > detail is that the proxy cannot control the safe harbor traffic (HTTPS), so
> > this should be done by the firewall.
> >
> > So my question is about how to block those sites.
>
> The DNS method Simon suggested is probably not workable if you have some
> people who need access to Google and some who don't. Although a
> solution like OpenDNS might allow you that flexibility.
>
> The best option is proxy. HTTPS can be safely proxied. It can also be
> filtered at the proxy. The only thing you can't do is see the URLs
> being accessed on HTTPS sites. All you can do is block or allow the site.
>
> So my suggestion is:
> 1. Do not allow HTTPS out directly, i.e. block loc2net (or whatever your
> local zone is called) for HTTPS.
> 2. Force all network devices to access HTTPS sites via proxy.
> 3. Use proxy to block or allow sites as needed.
>
> Another (overkill) option is to find the netblock used by Google at your
> location (e.g. mine is 74.125.0.0/16 for google.com, 173.194.0.0/16 for
> gmail.com, etc.) and DROP/REJECT traffic to the whole netblock.
>
> Paul

--
I.S.C. William López Jiménez
--
User Linux # 379636
MSN wljkoala23@hotmail.com
Jabber koalasoft@jabber.org
Web: www.koalasoftmx.tk
Twitter: @koalasoft
Facebook: william.koalasoft
On 13/07/12 22:23, I.S.C. William wrote:
> Thanks Paul
>
> You have given me an idea, but can I see the ranges that use that domain,
> as you showed me?
>
> Thanks for the help!!

I presume that Google advertises the same netblock out through different ISPs via BGP, but there may be some parts of the world where they don't do that. I don't know how their setup works, so you should verify the ranges for yourself.

I used 'host google.com' and 'host gmail.com' to find the addresses, then did a whois on those IPs.

Paul