DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 16th June 2020
sabrina sabrina is offline
Port Guard
 
Join Date: Jun 2020
Posts: 15
Question To block Facebook with PF

Hello, daemonforums!
I am using OpenBSD 6.7 on my desktop computer. I would like to block all facebook and it's button on other websites. I have been recommended to add these lines in my hosts file.
Code:
#Facebook Block
127.0.0.1 www.facebook.com
127.0.0.1 facebook.com
127.0.0.1 login.facebook.com
127.0.0.1 www.login.facebook.com
127.0.0.1 fbcdn.net
127.0.0.1 www.fbcdn.net
127.0.0.1 fbcdn.com
127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 connect.facebook.net
127.0.0.1 www.connect.facebook.net
127.0.0.1 apps.facebook.com
127.0.0.1 api.ak.facebook.com
127.0.0.1 api.connect.facebook.com
127.0.0.1 api.facebook.com
127.0.0.1 apps.facebook.com
127.0.0.1 ar-ar.facebook.com
127.0.0.1 badge.facebook.com
127.0.0.1 blog.facebook.com
127.0.0.1 connect.facebook.net
127.0.0.1 de-de.facebook.com
127.0.0.1 developers.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 external.ak.fbcdn.net
127.0.0.1 facebook.de
127.0.0.1 facebook.fr
127.0.0.1 fb.me
127.0.0.1 fbcdn.net
127.0.0.1 fr-fr.facebook.com
127.0.0.1 hi-in.facebook.com
127.0.0.1 it-it.facebook.com
127.0.0.1 ja-jp.facebook.com
127.0.0.1 login.facebook.com
127.0.0.1 profile.ak.fbcdn.net
127.0.0.1 pt-br.facebook.com
127.0.0.1 ssl.connect.facebook.com
127.0.0.1 www.facebook.de
127.0.0.1 www.facebook.fr
127.0.0.1 zh-cn.facebook.com
I do not like the idea of messing with my hosts file, I want to block those addresses in PF.
Can you help me with which PF rules I should use?
Thank you!
Reply With Quote
  #2   (View Single Post)  
Old 16th June 2020
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Hello, and welcome!

Facebook's domains resolve to countless IP addresses. Unfortunately, PF only resolves domain names to one IPv4 and one IPv6 address, and only at the moment when rules that include them are loaded by pfctl(8), such as by rc(8) during boot, or when loading an anchor rule set. Since only one address is loaded, you will never be able to capture alternate IP addresses that DNS could serve when it resolves a domain name.

PF's efficient tables cannot be used, only lists (which resolve to separate rules), because tables contain only IP addresses, they do not contain domain names.

You could write a blocking ruleset (or anchor set for ease of reloading) with something like
Code:
block out to {
   www.facebook.com
   facebook.com
   login.facebook.com
   .
   .
   .
}
but a list like this resolves to separate rules for each single resolved IP, and only the first resolved IPv4 and IPv6 addresses
Code:
$ pfctl -sr
.
.
.
block drop out inet6 from any to 2a03:2880:f127:83:face:b00c:0:25de
block drop out inet6 from any to 2a03:2880:f127:283:face:b00c:0:25de
block drop out inet6 from any to 2a03:2880:f027:20e:face:b00c:0:2
block drop out inet from any to 157.240.2.35
block drop out inet from any to 157.240.2.20
.
.
.
For a "block all of Facebook" solution, you are far better off either use your hosts file to block all of their domains at the time of domain resolution, or you can deploy a proxy server that does the same thing.


---

Edited to add: I'm wrong. If DNS responds with multiple IP addresses, pfctl() will deploy a table, such as like this for yahoo.com:
Code:
block drop out inet from any to <__automatic_13b2d5ed_0>
block drop out inet6 from any to <__automatic_13b2d5ed_1>

Last edited by jggimi; 16th June 2020 at 04:39 PM. Reason: correct my misstatement
Reply With Quote
  #3   (View Single Post)  
Old 16th June 2020
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

And, if you decide to use PF for this, you may want to use block return or an overall set block-policy return rule to avoid having your applications experience TCP timeout delays.
Reply With Quote
  #4   (View Single Post)  
Old 9th November 2020
SimpL SimpL is offline
Port Guard
 
Join Date: Nov 2020
Location: On a cloud;)
Posts: 31
Default

@sabrina: If you want to block it in web browser then ublock is the addon for your browser who has this feature. And it has a social media blocking list. You could use that.
Reply With Quote
  #5   (View Single Post)  
Old 9th November 2020
CiotBSD CiotBSD is offline
c107:b5d::
 
Join Date: Jun 2019
Location: Under /
Posts: 175
Default

Another solution on OpenBSD is using Unbind and few lists to block "bad" trafic.

as Geoghegan's project pf-badhost and unbind-adblock.
See:
- https://www.geoghegan.ca/pfbadhost.html
- https://www.geoghegan.ca/unbound-adblock.html

With unbound, it's easy to add blocklist, yours or others recognized!
__________________
GPG:Fingerprint ed25519 : 072A 4DA2 8AFD 868D 74CF 9EA2 B85E 9ADA C377 5E8E
GPG:Fingerprint rsa4096 : 4E0D 4AF7 77F5 0FAE A35D 5B62 D0FF 7361 59BF 1733
Reply With Quote
  #6   (View Single Post)  
Old 9th November 2020
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

If using a DNS-based blocklist, then DNS queries should be redirected to the local nameserver, preventing the workstations from circumventing policy through a public nameserver (Google, OpenDNS, others).
Reply With Quote
  #7   (View Single Post)  
Old 18th November 2020
zippy99 zippy99 is offline
New User
 
Join Date: Nov 2020
Posts: 3
Default

There is GoodbyeBigFive script for PF MacOS which must be ok for OpenBSD too.

Maybe this too is useful:
https://vermaden.wordpress.com/2020/...dns-blacklist/

Last edited by zippy99; 18th November 2020 at 05:35 PM.
Reply With Quote
  #8   (View Single Post)  
Old 18th November 2020
fvgit's Avatar
fvgit fvgit is offline
Spikes in tights
 
Join Date: May 2016
Location: perl -MMIME::Base64 -le 'print decode_base64("U2hlcndvb2QgRm9yZXN0")'
Posts: 314
Default

Quote:
Originally Posted by zippy99 View Post
There is GoodbyeBigFive script for PF MacOS which must be ok for OpenBSD too.
Not too shabby. While it requires the Bash shell it shouldn't be too hard to rewrite it for OpenBSD's pdksh.

The technique this uses is to query Merit's routing registry database (RADb) by the ASN (Autonomous System Number) and populate the blocklists accordingly with the returned CIDR groups. An example using this approach was posted to misc@ back in 2013. I'm surprised this isn't more popular nowadays.

Here are two query strings for Facebook that show how it works, AS33934 is Facebook's ASN:

output all CIDR groups on one line:
Code:
whois -h whois.radb.net '!gas32934' | grep '/'
or alternatively, output every CIDR on a separate line:
Code:
whois -h whois.radb.net -- '-i origin AS32934' | awk '/route:/ {print $2}'
The possible query flags like !g or -i origin for whois are explained here:
https://www.radb.net/support/tutoria...ons-flags.html

And here are two pairs of quick'n'dirty two-liners, based on the query string examples above, that generate <tables> which can be used directly with pf:

Facebook's IPv4 CIDRs:
Code:
print -n "table <facebook> { " > table.facebook.com
whois -h whois.radb.net '!gAS32934' | grep '/' | sed -e s/" "/", "/g | awk 1 ORS=' }'  >> table.facebook.com
and the IPv6 ones (note the 6 instead of g in the query option):
Code:
print -n "table <facebook> { " > table.v6.facebook.com
whois -h whois.radb.net '!6as32934' | grep '/' | sed -e s/" "/", "/g | awk 1 ORS=' }'  >> table.v6.facebook.com
These two accomplish the same goal but have a slightly better formatted output:
Code:
print -n "table <facebook> { " > table.facebook.com
print -n $(whois -h whois.radb.net -- '-i origin AS32934' | awk '/route:/ {print $2}') | sed -e s/" "/", "/g | awk 1 ORS=' }' >> table.facebook.com
Code:
print -n "table <facebook> { " > table.v6.facebook.com
print -n $(whois -h whois.radb.net -- '-i origin AS32934' | awk '/route6:/ {print $2}') | sed -e s/" "/", "/g | awk 1 ORS=' }' >> table.v6.facebook.com
The advantage of these tables is that you can also use them to block incoming requests from Facebook's webcrawlers for instance if you have a host on the internet.

You should probably rerun the queries from time to time as the output can obviously change.

While not a silver bullet this technique is pretty neat. It can and should be combined, though, with the DNS-based blocking approach as well as the adblocker lists in the browser. To some this may seem over the top, but if you'd really like to practise social distancing from Facebook this is but a tiny start.

Most people are completely unaware how deep Facebook's reach goes nowadays. The following info is from a piece by Wolfie Christl originally published in 2015 in the German FAZ newspaper.

(Sidenote about the url in the previous paragraph: it is not without irony that a website about privacy and with the domain name donottrack-doc.com employs the services of google analytics. This truly warrants a tactical facepalm, courtesy of theregister.co.uk: )


That Facebook keeps so-called 'shadow profiles' of people that don't have a Facebook account is probably known by now. There's not much you can do about it other than ask, beg, threaten or blackmail your friends and relations not to include your contact data when uploading their address books to Facebook.

Facebook also cooperates with companies like Acxiom, Epsilon, Datalogix or Bluekai. Most people will have never heard of these companies, yet they may probably already know something about you. They are so-called data brokers. For example, Axciom woks with consumer data looking after customer databases of about 15.000 companies with dossiers on individual consumers of up to 3000 individual data points of about 700 million people. This includes things like income, health-related interests or voting behaviour. While Datalogix has access to shopping data with a total volume of two trillion dollars. (Note: the German text says Billion which in American English equals trillion. Unless the original data was wrongly translated into German then this indeed refers to trillion and not billion)

This is where it gets interesting. According to the linked article officially the datasets these companies exchange with Facebook and vice versa are anonymized. E-mail addresses, phone numbers and names are represented by a hash, but allegedly the hash is created on all sides by the same algorithm so that the hash data can be matched combining profile data between Facebook and the other companies and effectively circumventing the anonymization.

Then there's Atlas a company Facebook bought two years earlier in 2013 from Microsoft. According to the article somewhere in Facebook's TOS it is stated that Atlas has full access to all data of it's 1.4 billion user base (plus all the shadow profiles Facebook maintains, obviously.) The point of Atlas is to reportedly enable user tracking when people are not logged in to Facebook, be it through the traditional cookie, or machine ids from smartphones, smart tvs, automobile satnavs or fitness bracelets.


That was in 2015. Fast forward to 2020. On September 18th a blogpost appeared focussing on Facebook's newly announced Project Aria dubbed 'Google maps for your entire life'. I'll leave you with two money quotes:
Quote:
On Wednesday, the company announced a plan to map the entire world, beyond street view. The company is launching a set of glasses that contains cameras, microphones, and other sensors to build a constantly updating map of the world in an effort called Project Aria. That map will include the inside of buildings and homes and all the objects inside of them. It’s Google Street View, but for your entire life.
Quote:
The company insists any faces and license plates captured by Aria glasses wearers will be anonymized. But that won’t protect the data from Facebook itself. Ostensibly, Facebook will possess a live map of your home, pictures of your loved ones, pictures of any sensitive documents or communications you might be looking at with the glasses on, passwords — literally your entire life.
Reply With Quote
Reply

Tags
block facebook pf

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
facebook network issue damageG OpenBSD Security 18 13th May 2020 09:53 PM
What Facebook Knows About You e1-531g News 6 3rd January 2017 12:10 AM
NSA Joke: US Military Intervene over Facebook Event J65nko News 0 17th July 2013 08:45 PM
Facebook, the new phishing target J65nko News 3 16th May 2010 04:14 PM
Facebook's PHP compiler J65nko News 9 5th February 2010 02:09 PM


All times are GMT. The time now is 02:31 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick