DaemonForums  

OpenBSD Security Functionally paranoid!

#1
16th June 2020
sabrina
New User

Join Date: Jun 2020
Posts: 6
To block Facebook with PF

Hello, daemonforums!
I am using OpenBSD 6.7 on my desktop computer. I would like to block all of Facebook and its button on other websites. I have been recommended to add these lines to my hosts file.
Code:
#Facebook Block
127.0.0.1 www.facebook.com
127.0.0.1 facebook.com
127.0.0.1 login.facebook.com
127.0.0.1 www.login.facebook.com
127.0.0.1 fbcdn.net
127.0.0.1 www.fbcdn.net
127.0.0.1 fbcdn.com
127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 connect.facebook.net
127.0.0.1 www.connect.facebook.net
127.0.0.1 apps.facebook.com
127.0.0.1 api.ak.facebook.com
127.0.0.1 api.connect.facebook.com
127.0.0.1 api.facebook.com
127.0.0.1 apps.facebook.com
127.0.0.1 ar-ar.facebook.com
127.0.0.1 badge.facebook.com
127.0.0.1 blog.facebook.com
127.0.0.1 connect.facebook.net
127.0.0.1 de-de.facebook.com
127.0.0.1 developers.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 external.ak.fbcdn.net
127.0.0.1 facebook.de
127.0.0.1 facebook.fr
127.0.0.1 fb.me
127.0.0.1 fbcdn.net
127.0.0.1 fr-fr.facebook.com
127.0.0.1 hi-in.facebook.com
127.0.0.1 it-it.facebook.com
127.0.0.1 ja-jp.facebook.com
127.0.0.1 login.facebook.com
127.0.0.1 profile.ak.fbcdn.net
127.0.0.1 pt-br.facebook.com
127.0.0.1 ssl.connect.facebook.com
127.0.0.1 www.facebook.de
127.0.0.1 www.facebook.fr
127.0.0.1 zh-cn.facebook.com
I do not like the idea of messing with my hosts file, I want to block those addresses in PF.
Can you help me with which PF rules I should use?
Thank you!
#2
16th June 2020
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,106

Hello, and welcome!

Facebook's domains resolve to countless IP addresses. Unfortunately, PF only resolves domain names to one IPv4 and one IPv6 address, and only at the moment when rules that include them are loaded by pfctl(8), such as by rc(8) during boot, or when loading an anchor rule set. Since only one address is loaded, you will never be able to capture alternate IP addresses that DNS could serve when it resolves a domain name.

PF's efficient tables cannot be used, only lists (which resolve to separate rules), because tables contain only IP addresses, they do not contain domain names.

You could write a blocking ruleset (or anchor set for ease of reloading) with something like
Code:
block out to {
   www.facebook.com
   facebook.com
   login.facebook.com
   .
   .
   .
}
but a list like this resolves to separate rules for each single resolved IP, and only the first resolved IPv4 and IPv6 addresses:
Code:
$ pfctl -sr
.
.
.
block drop out inet6 from any to 2a03:2880:f127:83:face:b00c:0:25de
block drop out inet6 from any to 2a03:2880:f127:283:face:b00c:0:25de
block drop out inet6 from any to 2a03:2880:f027:20e:face:b00c:0:2
block drop out inet from any to 157.240.2.35
block drop out inet from any to 157.240.2.20
.
.
.
For a "block all of Facebook" solution, you are far better off either using your hosts file to block all of their domains at the time of domain resolution, or deploying a proxy server that does the same thing.


---

Edited to add: I'm wrong. If DNS responds with multiple IP addresses, pfctl(8) will deploy a table, like this for yahoo.com:
Code:
block drop out inet from any to <__automatic_13b2d5ed_0>
block drop out inet6 from any to <__automatic_13b2d5ed_1>

Last edited by jggimi; 16th June 2020 at 04:39 PM. Reason: correct my misstatement
#3
16th June 2020
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,106

And, if you decide to use PF for this, you may want to use block return or an overall set block-policy return rule to avoid having your applications experience TCP timeout delays.
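As an added example (not code from jggimi or anyone in this thread), the pf.conf fragment below ties together the two points made in posts #2 and #3: a PF table, which holds addresses rather than names and is filled from a file, and a return block policy so applications get an immediate reset instead of sitting through a TCP timeout. The table name, the path /etc/pf.facebook and its contents are assumptions; the two sample addresses in the comment are copied from the pfctl -sr output quoted in post #2.

```pf
# Added example, not from the thread.  Block traffic to a set of addresses
# kept in a PF table, answering with RST/ICMP unreachable rather than
# silently dropping.

# The table is filled from a file when the ruleset is loaded.  "persist"
# keeps it in the kernel even if no rule references it, so it can later be
# replaced with pfctl -T without reloading the whole ruleset.
# /etc/pf.facebook is an assumed path holding one IPv4/IPv6 address or
# prefix per line, for example (constructed from the pfctl -sr output above):
#   157.240.2.35
#   2a03:2880:f127:83:face:b00c:0:25de
# Hostnames would also be accepted here, but as post #2 explains they are
# resolved only once, at load time, so the file should carry addresses that
# were resolved out of band.
table <facebook> persist file "/etc/pf.facebook"

# Post #3: make every block rule answer with TCP RST / ICMP unreachable.
# The per-rule form "block return out ..." does the same for a single rule.
set block-policy return

# "quick" stops evaluation here; "log" records hits on pflog0.
block out log quick to <facebook>

# ... the rest of the ruleset (pass rules etc.) follows as usual.
```

Load it with `doas pfctl -f /etc/pf.conf`. After re-resolving the domains and rewriting the file, `doas pfctl -t facebook -T replace -f /etc/pf.facebook` swaps in the new addresses without touching the other rules; `pfctl -t facebook -T show` lists what is loaded, `pfctl -t facebook -T test 157.240.2.35` checks whether one address matches, and `tcpdump -n -e -ttt -i pflog0` shows the blocked connections.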
Tags
block facebook pf
