I actually understand what you meant by blocking IP addresses and that
facebook.com will always automatically change the user path to the closest
and accessible servers, not to mention their QoS. That is why I also always
get different IP addresses for each ping. Maybe my reply was not correct.
Right now I did what you said as "hiding the phone book" since there is only
one phone book in the company :). But great suggestion on blocking the CIDR.
I will try that :) I did not read the information on whois correctly.
From: Lee Sharp [mailto:leesharp at hal dash pc dot org]
Sent: Friday, October 09, 2009 12:16 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] How to block a certain website with m0n0wall?
GD Incorporation wrote:
> Dear Lee
> I did like what you wrote below. I went to whois.com and found info on
> the facebook.com domain and found that they used 4 DNS servers. I was
> thinking to block the DNS servers thinking that all access that goes
> through that server will be rejected. But you are right if the DNS
> Servers are hosted to important business oriented servers such as
> GoDaddy, then it will be trouble.
> I hope m0n0wall have a feature to block a certain domain all at once.
> Now the next question, since the m0n0wall does not seem to be able to
> block one whole domain, if I put a real web portal such as
> dansguardian to filter what websites can be accessed, should I put it
> between ADSL modem and Firewall or should I put it behind firewall?
You are missing the point. You are trying to keep people out of a strip
club by hiding the phone book. And badly as well. The client PC does a DNS
request to m0n0wall, as that is the DNS server for the client PC.
Assuming you do not have www.facebook.com locally, m0n0wall will do a
request to the ISP DNS server. They in turn will look at an authoritative
name server, and eventually that will look at the facebook server. But the
client PC only ever looks to m0n0wall for name resolution.
What you need to block are IP addresses. If you ping facebook.com you will
get something close to 18.104.22.168, which was different from the last time
I pinged it. If you do an 'nslookup 22.214.171.124' you will see it is
www-10-03-ash1.facebook.com, or part of a cluster. If you do a 'whois
126.96.36.199' you get;
OrgName: Facebook, Inc.
Address: 156 University Ave, 3rd floor
City: Palo Alto
NetRange: 188.8.131.52 - 184.108.40.206
NetType: Direct Assignment
The important part is the CIDR, which is the netblock for all of Facebook.
Blocking 220.127.116.11/20 will block facebook right now. It will not block
them if they move, and it may block other stuff for some. If you do that
with my company website you get;
OrgName: GoDaddy.com, Inc.
Address: 14455 N Hayden Road
Address: Suite 226
NetRange: 18.104.22.168 - 22.214.171.124
NetType: Direct Allocation
I do not work for GoDaddy.
So, yes you can do this quick and dirty in m0n0wall. To do it right, you
need a web filter of some kind.
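As an added example (not code from the list post or from the m0n0wall project), the whois-to-netblock step Lee describes above, in Python: take the netblock from a whois record, turn it into CIDR prefixes, and compare a single-host block against a netblock block over several "ping" answers. The whois records, the organisation name and all addresses are constructed for illustration; 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges, not any site's real allocation. Real records may list several prefixes on the CIDR: line or omit it, so the parser falls back to summarising NetRange: into prefixes.

```python
import ipaddress
import re

# Constructed sample of ARIN-style whois output. Organisation, address and
# netblock are hypothetical (RFC 5737 documentation range).
WHOIS_WITH_CIDR = """\
OrgName:        Example Social, Inc.
Address:        1 Example Way
City:           Palo Alto
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetType:        Direct Assignment
"""

# Same kind of record with no CIDR: line and a range that is not one prefix,
# to exercise the NetRange fallback.
WHOIS_RANGE_ONLY = """\
OrgName:        Example Social, Inc.
NetRange:       198.51.100.0 - 198.51.101.127
NetType:        Direct Assignment
"""


def netblocks_from_whois(text):
    """Return the list of ip_network objects a whois record covers.

    Uses the CIDR: line when present (it may carry several prefixes separated
    by commas); otherwise summarises NetRange: into the minimal set of prefixes.
    """
    cidr_lines = re.findall(r"^CIDR:\s*(.+)$", text, re.MULTILINE)
    if cidr_lines:
        nets = []
        for line in cidr_lines:
            for token in line.replace(",", " ").split():
                nets.append(ipaddress.ip_network(token, strict=False))
        return nets
    m = re.search(r"^NetRange:\s*(\S+)\s*-\s*(\S+)", text, re.MULTILINE)
    if m is None:
        raise ValueError("whois record has neither CIDR: nor NetRange:")
    first = ipaddress.ip_address(m.group(1))
    last = ipaddress.ip_address(m.group(2))
    return list(ipaddress.summarize_address_range(first, last))


def single_host(ip):
    """Blocklist with one /32, i.e. what blocking a single ping result gives."""
    return [ipaddress.ip_network(ip)]


def is_blocked(ip, blocklist):
    """True if ip falls inside any network in blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def coverage(blocklist, observed_ips):
    """Map each observed address to whether the blocklist would catch it."""
    return {ip: is_blocked(ip, blocklist) for ip in observed_ips}


# Constructed stand-in for the changing answers you get when pinging the site
# several times; all three sit inside the hypothetical netblock.
OBSERVED_PINGS = ["198.51.100.17", "198.51.100.42", "198.51.100.200"]


if __name__ == "__main__":
    # Blocking only the address seen on the first ping misses the others.
    print("single IP :", coverage(single_host("198.51.100.17"), OBSERVED_PINGS))

    # Blocking the whole netblock from the whois record catches all of them.
    netblock = netblocks_from_whois(WHOIS_WITH_CIDR)
    print("netblock  :", netblock, coverage(netblock, OBSERVED_PINGS))

    # A range that is not a single prefix becomes more than one rule.
    print("range only:", netblocks_from_whois(WHOIS_RANGE_ONLY))

    # An unrelated address stays reachable.
    print("unrelated :", is_blocked("203.0.113.5", netblock))
```

The prefixes the script prints are what you would enter as the destination network of a single block rule in m0n0wall, one rule per prefix, rather than a rule per address seen in a ping. Lee's caveats still apply: the rule stops matching if the site moves to another allocation, and anything else hosted inside the same netblock is blocked along with it.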