How to lock a certain website for internal users?

I have a firewall/router box running openSUSE 11.2 between the outside world and the LAN. This router also provides DNS for the LAN and has SuSEfirewall enabled.

LAN users need (almost) full access to the internet. However, I want to block certain sites which are not required for work (you name it: facebook is my candidate). What is the most elegant way to block certain sites (which have quite a lot of different IP numbers)?

The standard way is to set up a web proxy and use firewall rules to ensure the proxy has to be used.

Another way might be to set up your DNS resolver to resolve all names of the form facebook.com to 127.0.0.1 or something like that by setting up a local facebook.com zone. But a smart person could substitute IP addresses so it might not be as effective.
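The "proxy plus firewall rules" approach from the answer above, as an added example that is not part of the thread: a hook for the router's SuSEfirewall2 custom-rules file (/etc/sysconfig/scripts/SuSEfirewall2-custom, enabled through FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2) and the matching Squid access list. It also redirects any DNS query the LAN sends elsewhere to the router's own resolver, which is what keeps a DNS-based block from being skipped by pointing a client at a public resolver. The interface name, LAN range, router address, proxy port and domain list are assumptions; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread): force LAN web traffic through a proxy on
# the router and LAN DNS through the router's resolver. All values below are
# assumptions chosen for illustration.
LAN_IF=${LAN_IF:-eth1}                       # assumption: LAN-facing interface
LAN_NET=${LAN_NET:-192.168.1.0/24}           # assumption: LAN address range
ROUTER_LAN_IP=${ROUTER_LAN_IP:-192.168.1.1}  # assumption: router's LAN address
PROXY_PORT=${PROXY_PORT:-3128}               # assumption: Squid listening on the router
IPT=${IPT:-iptables}                         # set IPT=echo for a dry run

# SuSEfirewall2 calls this hook from /etc/sysconfig/scripts/SuSEfirewall2-custom.
fw_custom_before_masq() {
    # 1. DNS: whichever resolver a client configures, its queries land on ours,
    #    so an override zone on the router cannot be skipped by using 8.8.8.8.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 \
        -j DNAT --to-destination "$ROUTER_LAN_IP:53"
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 \
        -j DNAT --to-destination "$ROUTER_LAN_IP:53"
    # 2. Web: no direct HTTP/HTTPS forwarding from the LAN, inserted at the top
    #    of FORWARD so it wins over the generated forwarding rules. Typing an
    #    IP address into the browser fails too; only the proxy can reach out.
    $IPT -I FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 \
        -j REJECT --reject-with tcp-reset
    # 3. Let the LAN reach the proxy itself (port 53 for the resolver is
    #    opened through FW_SERVICES_INT_UDP/TCP in the normal config).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    true
}

# Squid side: deny the listed domains (a leading dot covers the domain and all
# its subdomains). CONNECT requests carry the hostname, so HTTPS is covered too.
squid_block_acl() {
    printf 'acl blocked_sites dstdomain'
    for d in "$@"; do printf ' %s' "$d"; done
    printf '\nhttp_access deny blocked_sites\n'
}

# Typical use on the router (domains are assumptions):
#   squid_block_acl .facebook.com .fbcdn.net >> /etc/squid/squid.conf
```

The deny line must appear before Squid's general `http_access allow` rules for the LAN, since Squid applies the first matching rule. Clients then need the proxy configured (or handed out via WPAD/DHCP); anything that ignores it simply gets a connection reset on ports 80 and 443.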

@ken_yap

Your 2nd suggestion works, let’s wait and see how smart my users are …

I know this revives a rather old thread, but I’m in somewhat the same situation although I need only block one machine. I’m running 12.1 if that makes a difference. I would like to block facebook, both from being accessed and from accessing this computer. Is there a simple way? Vodoo, did your system work? Ken_yap, can you elaborate your suggestion?

You could edit /etc/hosts so that a particular IP address or domain name is redirected to the local host. Firefox will report

Unable to connect

Firefox can't establish a connection to the server at localhost.

(If you have a web server running, then your local webpage will display instead).

127.0.0.1 localhost  facebook.com

Note: This may not work for Google Chrome.
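A scripted version of the /etc/hosts approach from the answer above, as an added example that is not part of the thread. A hosts file has no wildcard matching, so every hostname the browser might actually request (www., m., the CDN domain and so on) needs its own line; the begin/end markers let the whole block be refreshed or removed without touching the rest of the file. HOSTS_FILE and the hostnames are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep a marked block of sinkholed
# hostnames inside a hosts file. HOSTS_FILE defaults to /etc/hosts but can be
# pointed at any file (assumption: you run this as root on the real file).
HOSTS_FILE=${HOSTS_FILE:-/etc/hosts}
SINK=127.0.0.1
BEGIN='# BEGIN blocked-sites'
END='# END blocked-sites'

# Print the file without the marked section (everything else untouched).
strip_block() {
    awk -v b="$BEGIN" -v e="$END" '$0==b{skip=1} !skip{print} $0==e{skip=0}' "$HOSTS_FILE"
}

# Replace (or create) the marked section with one line per blocked hostname.
# Writing with cat > keeps the inode and permissions of the original file.
hosts_block() {
    tmp=$(mktemp) || return 1
    if [ -f "$HOSTS_FILE" ]; then
        strip_block > "$tmp"
    fi
    {
        echo "$BEGIN"
        for h in "$@"; do echo "$SINK $h"; done
        echo "$END"
    } >> "$tmp"
    cat "$tmp" > "$HOSTS_FILE" && rm -f "$tmp"
}

# Remove the marked section again.
hosts_unblock() {
    tmp=$(mktemp) || return 1
    strip_block > "$tmp"
    cat "$tmp" > "$HOSTS_FILE" && rm -f "$tmp"
}

# Succeeds only for an exact hostname: blocking facebook.com says nothing
# about www.facebook.com, which is the practical limit of this method.
hosts_is_blocked() {
    grep -q "^$SINK[[:space:]][[:space:]]*$1\$" "$HOSTS_FILE"
}

# Typical use (hostnames are assumptions):
#   hosts_block facebook.com www.facebook.com m.facebook.com
#   hosts_is_blocked www.facebook.com && echo blocked
```

Applications that resolve names through the system resolver honour the file immediately; the Chrome caveat in the answer above still applies, and a browser with its own DNS cache may need a restart.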

On 2012-05-13 08:26, deano ferrari wrote:
> Note: This may not work for Google Chrome.

You can keep your own DNS server, and put false entries on it. This would
work for other machines, too - till they discover the trick.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

:wink:
Intentionally “poisoning” your DNS…

The OP said he was using openSUSE as his FW/Router, in that case this is easy to implement.
You simply set up DNS services on your FW/router, configure it as a “Forwarding DNS Server” but also create Domain records with your own entries for the Domains you want to re-direct. All unconfigured Domain records would be retrieved from upstream DNS while your custom records would be served without upstream queries.

For the poster that wondered how to redirect only one (or a few) users and not all Users in the LAN, I would recommend pushing a custom Hosts file to the client, it’s a standard option for most “better” DHCP Servers.

HTH,
TS
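The forwarding-resolver-with-override-zones setup described in the post above (and suggested earlier in the thread as a local facebook.com zone), as an added example that is not part of the thread: a small generator for the BIND pieces on the openSUSE router. Each blocked domain gets a tiny master zone whose apex and wildcard both answer with the sinkhole address, and a named.conf fragment forwards everything else upstream. The upstream resolver address, the zone directory and the domain names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate override zones and the
# forwarding config for BIND on the router. Values are assumptions.
SINKHOLE_IP=${SINKHOLE_IP:-127.0.0.1}         # where blocked names resolve to
UPSTREAM_DNS=${UPSTREAM_DNS:-192.0.2.53}      # assumption: ISP resolver (RFC 5737 doc address)
ZONE_DIR=${ZONE_DIR:-/var/lib/named/sinkhole} # assumption: openSUSE keeps zones under /var/lib/named

# Minimal authoritative zone: the apex and, via the wildcard, every name
# below it answer with $SINKHOLE_IP. www.facebook.com and m.facebook.com
# both hit the wildcard; a separate zone is still needed for other domains
# (the CDN domain, for instance), since the wildcard never crosses zones.
sinkhole_zone() {
    serial=$(date +%Y%m%d01)   # date-based serial so reloads notice edits
    cat <<EOF
\$TTL 300
@   IN SOA  localhost. root.localhost. ( $serial 3600 900 604800 300 )
@   IN NS   localhost.
@   IN A    $SINKHOLE_IP
*   IN A    $SINKHOLE_IP
EOF
}

# named.conf fragment: forward every unknown name upstream, but act as master
# for the override zones so those are answered here and never sent upstream.
sinkhole_conf() {
    printf 'options {\n    forwarders { %s; };\n    forward only;\n};\n' "$UPSTREAM_DNS"
    for d in "$@"; do
        printf 'zone "%s" IN {\n    type master;\n    file "%s/db.%s";\n};\n' "$d" "$ZONE_DIR" "$d"
    done
}

# Write one zone file per domain plus the config fragment. Include the
# fragment from /etc/named.conf and run "rcnamed reload" afterwards.
write_sinkhole() {
    mkdir -p "$ZONE_DIR" || return 1
    for d in "$@"; do
        sinkhole_zone > "$ZONE_DIR/db.$d" || return 1
    done
    sinkhole_conf "$@" > "$ZONE_DIR/named.sinkhole.conf"
}

# Typical use on the router (domains are assumptions):
#   write_sinkhole facebook.com fbcdn.net
#   named-checkzone facebook.com /var/lib/named/sinkhole/db.facebook.com
```

Check each generated zone with `named-checkzone` before reloading, and verify from a LAN client with `dig www.facebook.com @<router>`: the answer should be the sinkhole address with the 300-second TTL, and `dig +trace` should show no upstream query for it. The override only helps for clients that actually use this resolver, so pair it with firewall rules that keep LAN DNS on the router.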

Sorry for the delay in replying. Thanks for the suggestions. I did add facebook.com to my /etc/hosts file, and indeed it does prevent me from accessing facebook using my browser. However, it does not stop Evolution from going to facebook to get an image in an email message if I forward or reply to the message. Problem is, I don’t know the image is from facebook unless or until I reply. Not a good situation in my mind.

As an aside, and the reason I took so long to reply, I just now found out that this forum will not work properly if Google Analytics is blocked. I just stopped Ghostery and the forum is now working. With it turned on, my log in is not recognized! Not a good idea!

However, it does not stop Evolution from going to facebook to get an image in an email message if I forward or reply to the message. Problem is, I don’t know the image is from facebook unless or until I reply. Not a good situation in my mind.

That is dependent on the facebook user's notification settings in their account. It is possible to block these, if they’re always from the same ‘facebook’ domain. (I’m not a facebook user, so I’m not familiar with the email notifications you receive).

Nor am I. I really object to their intrusion / tracking. The example I use is: someone sends me a message containing an image. The image resides on a facebook server somewhere. I look at the message, in the preview pane of Evolution and I see only an empty block where the image should be. This is good. There is no way that I know of to see any information about the image, perhaps I should be able, but then facebook would know I went there to get that information. That would be bad. If I reply to, or forward that message, the image is included, or more correctly, a link to the message is included. This means I can see the image in the reply or forward and also means I “have been” to facebook. Which means my info is tracked for 6 months or so.

I really want to avoid that. Which means I want to avoid facebook. Any facebook server at all.

The changes I made to my /etc/hosts file do prevent me from going to facebook by accident using my browser, but I want more.

I’m wondering if I should start a new thread. I hijacked this one. Or, perhaps it’s old enough to use, this time.

The changes I made to my /etc/hosts file do prevent me from going to facebook by accident using my browser, but I want more.

That was a simple method for dealing with website blocking (and not foolproof, just a means to an end). Now, you’re asking about filtering unsolicited email. Unwanted email is spam, so you could consider using a spam filter such as SpamAssassin to block these. Most email clients have the ability to filter the email as well. For example:

How to Block Emails in Mozilla Thunderbird | eHow.com

I’m wondering if I should start a new thread.

Probably a good idea, if you want to maximise the chances of getting the attention of others for your specific email filtering query.

On 2012-05-19 01:06, montana suse user wrote:

> Nor am I. I really object to their intrusion / tracking. The example
> I use is: someone sends me a message containing an image.

Try thunderbird. It does not load remote images unless you tell it to. It
also can block cookies on html posts. And if you post your reply in html
mode you can delete the images from the reply - which shows as empty boxes,
they are not loaded. If the receiver opens that email and opens the images
you did not delete, they will not track you but him. Or you can reply in
plain text mode.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)