Welcome, Guest. Please login or register.
Did you miss your activation email?
Thursday 14 November 2024, 02:05:17 pm

Login with username, password and session length

Download the latest community FREE version  HERE
14255 Posts in 4377 Topics by 6515 Members
Latest Member: hulteends
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  EFW SMTP, HTTP, SIP, FTP Proxy Support
| | |-+  Blocking https://www.facebook.com - a work around
0 Members and 2 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Blocking https://www.facebook.com - a work around  (Read 32117 times)
hickmanr
Full Member
***
Offline Offline

Posts: 17


« on: Tuesday 15 March 2011, 06:38:05 am »

This article describes how to block HTTPS (port 443 - SSL) content and other categories or your own custom lists.

In the case of Facebook I can block facebook with EFW unless a student uses HTTPS (port 443 - SSL) to connect to it. However, OpenDNS will block the DNS request regardless of what EFW does. You can get to P.l.ayb.oy using HTTPS as well and EFW will not block it.

My solution:  point the EFW DNS setting in network configuration to OpenDNS.

Open DNS isn't too bad to setup. First, go to the OpenDNS (.com) website and create account, which is free. They do have a pay for option with more features, which I haven't needed yet.

You'll have to add the public IP address of your EFW that will be making the requests. OpenDNS will need to send you an e-mail to verify the address and such. I've had to send their help desk e-mail explaining that my e-mail server lives at a different IP, which they've accommodated for me pretty easily. It just takes a little extra time.

Once you get your network added you can start changing the settings for it on the OpenDNS website. It is pretty straight forward. You can block categories and set custom black and white lists. They allow a little bit of customizing to your blocked paged, I added our school's logo to it.

For this example, the only category needed to be blocked is “Social Networking.”  I also recommend blocking “Proxy/Anonymizer.” For our needs I also blocked 13 other categories.

Once you get your account created and some settings taken care of walk through the "Network Configuration" wizard on the "System" tab of EFW and set the DNS to point at OpenDNS, which you can find the IPs for on the bottom of the OpenDNS website. Or, if you prefer you can point the DNS settings on your computer at OpenDNS, which only makes sense for testing purposes.

Test it.

Hope this helps.
Logged
rosch
Full Member
***
Offline Offline

Gender: Male
Posts: 20



« Reply #1 on: Wednesday 16 May 2012, 04:44:45 am »

I agree using more than one "filtering device" is the way to go.

I also think your title is a bit misleading: I was hoping to find a way to block https on efw itself  Smiley

I'll post back as soon as I have a solution to this.
Logged
hickmanr
Full Member
***
Offline Offline

Posts: 17


« Reply #2 on: Wednesday 16 May 2012, 04:52:31 am »

The title says "a work around." That isn't misleading.

I look forward to seeing your solution.
Logged
rosch
Full Member
***
Offline Offline

Gender: Male
Posts: 20



« Reply #3 on: Wednesday 16 May 2012, 08:03:26 am »

The title says "a work around." That isn't misleading.

Well your solution is taking away the scheduling that's available in efw.
Don't get me wrong, OpenDNS is great and I've been using it for quite some time  Smiley

I look forward to seeing your solution.

After some digging the only robust and convenient solution seems to be blocking by IP addresses:
- robust because DNS can be bypassed if you get hold of the IP.
- convenient because using the endian proxy blocklists you can schedule the blocking, e.g. have webmail domains open only for an hour at noon.
  Also, you have to whitelist these domains on OpenDNS.

That should be an ok solution.
I'll test this with a cron script to get the IP addresses from a domain list file; those addresses are then to be blocked by endian's dansguardian.
Running that script once a week might be sufficient because the addresses should not change too often..but that's only a wild guess. The frequency can be determined later some time.

EDIT: the contentfilter really doesn't care about https so an IP list is here not of much help. The IP list has to be stuffed in an outgoing firewall rule.
Unfortunately there does not seem to be a schedule for these. A cronjob with an iptables command should be a viable solution.
Logged
kashifmax
Sr. Member
****
Offline Offline

Gender: Female
Posts: 108


« Reply #4 on: Tuesday 22 May 2012, 08:33:37 pm »

See also this
http://www.efwsupport.com/index.php?topic=525.15
Logged
rosch
Full Member
***
Offline Offline

Gender: Male
Posts: 20



« Reply #5 on: Tuesday 22 May 2012, 08:40:33 pm »

Thanks for the heads-up. I've come across that thread Smiley

With the outgoing firewall enabled to block SSL IP addresses, the not so nice part is that when the user actually tries to go there, the connection just times out which is less precise than a block webpage telling about why you cannot go there.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.063 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com