LinuxQuestions.org > Linux - Security > IPTables or IPCop block Facebook Chat
https://www.linuxquestions.org/questions/linux-security-4/iptables-or-ipcop-block-facebook-chat-4175438594/

jmoschetti45 11-24-2012 11:22 PM

IPTables or IPCop block Facebook Chat
 
I'm determined to block Facebook chat on my network.

I have IPCop 2.x running as the main firewall, and in front of that another plain Linux box that's hooked to the modem.

I can't seem to find a way to do this.

I've blocked

Code:

acl bofh dstdomain *facebook.com/ajax/chat*
acl bofh dstdomain *facebook.com/images/chat*
acl bofh dstdomain *facebook.com/ajax/presence*
acl bofh dstdomain *.channel*.facebook.com/x/*/false/p_*
acl bofh dstdomain facebook.com/ajax/presence
acl bofh dstdomain chat.facebook.com
acl bofh dstdomain /ajax/chat/
acl bofh dstdomain /ajax/chat/buddy_list.php
acl bofh dstdomain buddy_list.php
acl bofh dstdomain /presence/popout.php
acl bofh dstdomain /friends/ajax/edit_list.php
acl bofh dstdomain edit_list.php
acl bofh dstdomain chat.php

in squid on the IPCop box, and even killed https to Facebook. I've also put all those URLs in privoxy too. I've even blocked the *channel*.facebook IP address on the firewall attached to the modem.

Where am I going wrong? I don't want to completely kill facebook, just the chat portion. I have no control over the machines themselves on the network.

NyteOwl 11-25-2012 12:20 PM

Facebook chat is AJAX/Flash based and so runs within the browser, making it a bit tricky to block if you don't want to kill Facebook altogether (the better idea).

This might get you headed in the right direction: it is the signature for Facebook chat from a Juniper application firewall. Note the multiple domains/paths/options/files referenced:

Code:

Signature NestedApplication:FACEBOOK-CHAT
    Layer-7 Protocol: HTTP
    Chain Order: Yes
    Maximum Transactions: 1
    Order: 33313
    Member(s): 2
        Member 0
            Context: http-url-parsed
            Pattern: /ajax/(chat/(typ|settings|buddy_list|send\d?|history)|presence/reconnect)\.php.*
            Direction: CTS
        Member 1
            Context: http-header-host
            Pattern: (.*\.)?(facebook\.com|fbcdn\.net)
            Direction: CT

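Editor's note on the two posts above. The squid `dstdomain` ACL type compares only the request's destination hostname, so entries such as `*facebook.com/ajax/chat*` or `/ajax/chat/buddy_list.php` in the first post can never match anything: squid's counterpart to the Juniper `http-url-parsed` member is `url_regex` (or `urlpath_regex`), which takes a POSIX extended regex over the whole URL. The script below is an added example, not code from either poster or from Juniper or squid: it rewrites the two signature members as POSIX EREs (`\d` becomes `[0-9]`, and the path is anchored directly after the host so that `facebook.com.evil.example` cannot slip through, which is tighter than the original unanchored pattern) and runs them over constructed squid access.log lines. The log lines, client addresses and server addresses (documentation ranges, not Facebook's) are all made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the Juniper FACEBOOK-CHAT
# signature to constructed squid access.log lines to see what a squid
# url_regex ACL built from it would catch, and what it cannot see at all.

# The two signature members rewritten as POSIX EREs (\d becomes [0-9]).
# The path is anchored straight after the authority part, so a host such
# as "facebook.com.evil.example" does not satisfy the host member.
FB_CHAT_HOST='^https?://([^/]*\.)?(facebook\.com|fbcdn\.net)(:[0-9]+)?'
FB_CHAT_PATH='/ajax/(chat/(typ|settings|buddy_list|send[0-9]?|history)|presence/reconnect)\.php'
FB_CHAT_URL="${FB_CHAT_HOST}${FB_CHAT_PATH}"

# Constructed sample log in squid's native format: fields are time,
# elapsed, client, result/status, bytes, method, URL, ident, peer, type.
# Server addresses are documentation ranges, not real Facebook IPs.
SAMPLE_LOG='1353818400.123    245 192.168.1.20 TCP_MISS/200 1324 GET http://www.facebook.com/ajax/chat/buddy_list.php?user=1 - DIRECT/203.0.113.10 text/html
1353818401.456    120 192.168.1.20 TCP_MISS/200 5120 GET http://www.facebook.com/home.php - DIRECT/203.0.113.10 text/html
1353818402.789     95 192.168.1.20 TCP_MISS/200 640 POST http://www.facebook.com/ajax/chat/send2.php - DIRECT/203.0.113.10 text/javascript
1353818403.001    130 192.168.1.21 TCP_MISS/200 900 GET http://0.50.channel.facebook.com/x/1234/false/p_100000 - DIRECT/203.0.113.11 text/plain
1353818404.222   3000 192.168.1.21 TCP_MISS/200 8192 CONNECT www.facebook.com:443 - DIRECT/203.0.113.10 -
1353818405.333    110 192.168.1.22 TCP_MISS/200 700 GET http://evil.example.com/ajax/chat/history.php - DIRECT/198.51.100.5 text/html'

# URLs from the log that the combined regex matches: what
#   acl fbchat url_regex -i <FB_CHAT_URL>
#   http_access deny fbchat
# would block.  The chat-style path on evil.example.com is left out because
# the host member fails, and the channel URL is not part of the signature.
fb_chat_urls() {
    printf '%s\n' "$SAMPLE_LOG" | awk '$6 != "CONNECT" { print $7 }' |
        grep -E -i "$FB_CHAT_URL" || true
}

# What squid sees for HTTPS: only the CONNECT target (host:port).  The path
# never reaches the proxy, so a path-based ACL cannot fire on these.
https_targets() {
    printf '%s\n' "$SAMPLE_LOG" | awk '$6 == "CONNECT" { print $7 }'
}

echo "chat requests a url_regex ACL would catch:"
fb_chat_urls
echo "HTTPS requests, where only the host is visible:"
https_targets
```

In squid.conf the equivalent is `acl fbchat url_regex -i` followed by the combined pattern, and `http_access deny fbchat` placed before the rule that allows the LAN out. The `https_targets` output is the caveat that matters for the original question: once the browser talks to Facebook over HTTPS, the proxy only ever sees `CONNECT www.facebook.com:443`, so the chat paths are invisible and the only choices left are blocking the whole host or intercepting TLS on the proxy, which needs the proxy's CA trusted on every client and so is out of reach when you have no control over the machines.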

Turbocapitalist 11-26-2012 09:40 AM

The better way, if you can do it, is to block all of Facebook. The easiest way to do that is to block it using iptables.

http://www.howtoforge.com/blocking-f...-extra-privacy

You can get the full list of Facebook networks with "/usr/bin/whois -h whois.radb.net '!gAS32934'"

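The whois query in the post above asks RADb for every IPv4 prefix registered to AS32934. The script below is an added example (mine, not the poster's and not the howtoforge article's) that turns that answer into iptables rules. It assumes the shape of RADb's `!g` response, which is an `A<length>` line, one line of space-separated prefixes, then `C`; the sample response embedded in it is constructed from documentation prefixes, not Facebook's real ranges, which only the live query gives you. Note what this approach does and does not do: it drops all of Facebook, chat included, which is the "better way" the post recommends rather than the chat-only block the original question asked for, it also takes out Facebook-hosted assets embedded in other sites, and it covers IPv4 only, so IPv6 needs its own query and an `ip6tables` equivalent.

```shell
#!/bin/sh
# Added example, not code from the thread: turn the prefix list that
#   whois -h whois.radb.net '!gAS32934'
# returns into iptables rules that drop every route registered to
# Facebook's AS.  Assumed response shape (RADb's query protocol): an
# "A<length>" line, one line of space-separated prefixes, then "C".

# Constructed stand-in for the live answer.  These are documentation
# prefixes, not Facebook's; the real list only comes from the query.
SAMPLE_RADB='A44
192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
C'

# Read a RADb !g response on stdin and print one IPv4 prefix per line.
# Protocol lines (A..., C, D, F...) are dropped and anything that is not
# a CIDR is ignored, so an error reply cannot turn into a rule.
radb_prefixes() {
    grep -v -E '^[ACDF]' | tr ' ' '\n' |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' | sort -u
}

# Print the iptables commands for a dedicated chain (default FB_BLOCK).
# The chain is created or flushed and hooked into FORWARD only once, so
# the script can be re-run whenever the prefix list changes.  FORWARD
# covers LAN clients behind the box; add the same jump from OUTPUT to
# cover the firewall host itself.
radb_iptables_rules() {
    chain=${1:-FB_BLOCK}
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    radb_prefixes | while read -r pfx; do
        echo "iptables -A $chain -d $pfx -j DROP"
    done
    echo "iptables -C FORWARD -j $chain 2>/dev/null || iptables -I FORWARD -j $chain"
}

# Rules from the constructed sample.  On a connected box, replace the
# printf with the whois query and pipe the result into sh to apply it.
build_sample_rules() {
    printf '%s\n' "$SAMPLE_RADB" | radb_iptables_rules "$@"
}

build_sample_rules
```

The generated commands are printed rather than executed so they can be reviewed first; `sh -c "$(whois -h whois.radb.net '!gAS32934' | radb_iptables_rules)"` applies them on the box attached to the modem. Because the chain is rebuilt from scratch each run, prefixes that disappear from the registry are removed as well as added, which a one-off list pasted into a firewall script never does.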
