Blocking Facebook for an IP Pool

gjacob3412 · 12-14-2011, 07:49 AM

I have performed more then one search, via the UT search and Google.

I have already put in three different rules to block FB on a set of IPs in my domain. I have a Computer Lab of 14 computers x.x.x.85 - x.x.x.100 which I need to block certain sites on. It's basically a school lab.

I've gone the route of pinging www.facebook.com which gives me a IP scope of: 66.220.144.0 - 66.220.159.255

Block; Source Address: x.x.x.85-100; Destination address: 66.220.144.0 - 66.220.159.255; Port All

Block; Source address: x.x.x.85-100; Destination address: 66.220.144.0 – 66.220.159.255; Protocol all

Block; Source Address: x.x.x.85-100; Destination address: 69.63.176.0 – 69.63.191.255; Port all; Protocol all

They are still able to get through to FB, which isn't acceptable..

Any thoughts / pointers?

WebFooL · 12-14-2011, 08:50 AM

Can you see what rule that they hit when they go to the site?

Traffic tries to match from the top and down.
So if rule 1 say allow port 80/443 from any to Internet it will match and go out.

hlarsen · 12-14-2011, 09:08 AM

1) create a new rack for those users with Policy Manager
2) block the Social Networking category in Web Filter in that rack
3) make sure 'Categorize HTTPS traffic by IP address if domain-based lookup fails' is checked

that's it, no need to look up IPs.

gjacob3412 · 12-14-2011, 09:37 AM

Quote:

Originally Posted by WebFooL

Can you see what rule that they hit when they go to the site?

Traffic tries to match from the top and down.
So if rule 1 say allow port 80/443 from any to Internet it will match and go out.

I will see how they are listed. I know the last rule I made to block FB is rule 1,.. but then the other 2 are farther down.

Quote:

Originally Posted by hlarsen

1) create a new rack for those users with Policy Manager
2) block the Social Networking category in Web Filter in that rack
3) make sure 'Categorize HTTPS traffic by IP address if domain-based lookup fails' is checked

that's it, no need to look up IPs.

Regrettably - we are a Non Profit, so we do not have the Policy Manager.

proactivens · 12-14-2011, 09:46 AM

There's your answer then.

gjacob3412 · 12-14-2011, 12:55 PM

Quote:

Originally Posted by WebFooL

Can you see what rule that they hit when they go to the site?

Traffic tries to match from the top and down.
So if rule 1 say allow port 80/443 from any to Internet it will match and go out.

WebFooL -

That would seem to have been the issue - the rule was to far down the list. I'm grouped them as 1-3 and now seems to work. I believe though a single rule will be sufficient, so I'll look at that as well.

I'm just happy that it works. I've been really happy with my UT installs, and suggest it where I can.

gjacob3412 · 12-15-2011, 12:59 PM

Quote:

Originally Posted by gjacob3412

WebFooL -

That would seem to have been the issue - the rule was to far down the list. I'm grouped them as 1-3 and now seems to work. I believe though a single rule will be sufficient, so I'll look at that as well.

I'm just happy that it works. I've been really happy with my UT installs, and suggest it where I can.

I stand corrected, it would seem that they computers are still able to access FB. Need to continue to investigate a solution.

gjacob3412 · 12-22-2011, 01:01 PM

Discussing the issue with another, it was suggested to use the Window's hosts file.

If created a host file that I will push out with GPO and handle it it this way - pushing any attempt to Facebook (and other sites) to the loopback.

pazza3564 · 12-22-2011, 05:45 PM

Quote:

Originally Posted by gjacob3412

Discussing the issue with another, it was suggested to use the Window's hosts file.

If created a host file that I will push out with GPO and handle it it this way - pushing any attempt to Facebook (and other sites) to the loopback.

If you are going to play with dns, what server are you using for dns?

If a windows server, just add the namespace for facebook to it (so it has a second namespace) and add the subdomain www, and point it to what ever you like. That way if you need to change it, or if a non domain machine comes in, it will still work.

wharfratjoe · 12-22-2011, 06:19 PM

Quote:

Originally Posted by pazza3564

If you are going to play with dns, what server are you using for dns?

If a windows server, just add the namespace for facebook to it (so it has a second namespace) and add the subdomain www, and point it to what ever you like. That way if you need to change it, or if a non domain machine comes in, it will still work.

And if you want to be creative and some fun with your users, point the internal dns entry for facebook.com back to a internal web server (say IIS) and create a page that says "We are watching you...HAPPY HOLIDAYS!" - Management

12-14-2011, 07:49 AM	#1 (permalink)
gjacob3412 Untangler Join Date: Mar 2011 Location: C-KY/USA Posts: 38	Blocking Facebook for an IP Pool I have performed more then one search, via the UT search and Google. I have already put in three different rules to block FB on a set of IPs in my domain. I have a Computer Lab of 14 computers x.x.x.85 - x.x.x.100 which I need to block certain sites on. It's basically a school lab. I've gone the route of pinging www.facebook.com which gives me a IP scope of: 66.220.144.0 - 66.220.159.255 Block; Source Address: x.x.x.85-100; Destination address: 66.220.144.0 - 66.220.159.255; Port All Block; Source address: x.x.x.85-100; Destination address: 66.220.144.0 – 66.220.159.255; Protocol all Block; Source Address: x.x.x.85-100; Destination address: 69.63.176.0 – 69.63.191.255; Port all; Protocol all They are still able to get through to FB, which isn't acceptable.. Any thoughts / pointers?

12-14-2011, 08:50 AM	#2 (permalink)
WebFooL Join Date: Jan 2009 Location: Sweden (Eskilstuna) URLs submitted: 57 Posts: 3,883	Can you see what rule that they hit when they go to the site? Traffic tries to match from the top and down. So if rule 1 say allow port 80/443 from any to Internet it will match and go out. __________________ "Of all the things I've lost, I miss my mind the most" Untangle Reseller (Sweden) WebFooL@fakenews.se http://fakenews.se/ Need space to Upload content for you forum post? http://about.me/webfool

12-14-2011, 09:08 AM	#3 (permalink)
hlarsen Join Date: Jul 2010 Location: sfba URLs submitted: 1 Posts: 1,139	1) create a new rack for those users with Policy Manager 2) block the Social Networking category in Web Filter in that rack 3) make sure 'Categorize HTTPS traffic by IP address if domain-based lookup fails' is checked that's it, no need to look up IPs. __________________ Attention: Support on the Untangle Forums is provided by volunteers and community members. If you need official Untangle support please call or email support@untangle.com.

12-14-2011, 09:46 AM	#5 (permalink)
proactivens Join Date: Sep 2008 Location: Greensburg, Pa Posts: 2,307	There's your answer then. __________________ www.untangleappliances.com Toll Free: 866-794-8879 UNTANGLE PLATINUM PARTNER Follow us at spiceworks!

Protect

Filter

Perform

Connect

Manage

Add-Ons

12-22-2011, 01:01 PM	#8 (permalink)
gjacob3412 Untangler Join Date: Mar 2011 Location: C-KY/USA Posts: 38	Discussing the issue with another, it was suggested to use the Window's hosts file. If created a host file that I will push out with GPO and handle it it this way - pushing any attempt to Facebook (and other sites) to the loopback.