web filtering using Host file
-
Anything involving hostname lookups (DNS, hosts files, etc.) can be bypassed simply by using IP addresses and/or proxies. It makes it inconvenient but blocks nothing.
-
me also, i use pfSense as proxy server, the problem is : recently i discover that on of the users access Facebook by using Firefox Portable Application, because firefox don't use proxy setting of the system, so i'm looking of some way to block those websites in the system level,
-
if i block those website by using IP subnet, this may not be efficient because IP subnets used by those website are changing and big in number
-
@scottalanmiller sorry Sir, what do you mean by : it can be bypassed simply by using IP addresses ????
-
@IT-ADMIN said:
me also, i use pfSense as proxy server, the problem is : recently i discover that on of the users access Facebook by using Firefox Portable Application, because firefox don't use proxy setting of the system, so i'm looking of some way to block those websites in the system level,
Proxies need to be inline. There should be no way to the web except via the proxy. It takes the proxy and the firewall working together but a properly implemented proxy cannot be byapssed.
-
@IT-ADMIN said:
@scottalanmiller sorry Sir, what do you mean by : it can be bypassed simply by using IP addresses ????
Try MangoLassi as an example. Block it in your DNS or hosts file then go to http://162.242.243.171/
Nothing was blocked at all, it turns out.
-
@IT-ADMIN said:
if i block those website by using IP subnet, this may not be efficient because IP subnets used by those website are changing and big in number
Correct, that does not work either. Proxies are, quite honestly, the only reliable method of web filtering.
-
the problem is proxy server can easily bypassed by portable application like firefox, this is the problem
-
@IT-ADMIN said:
the problem is proxy server can easily bypassed by portable application like firefox, this is the problem
That's because it isn't completely set up. It is just an optional proxy. That's why the proxy plus firewall is the complete setup, a proxy is useless all by itself. The firewall ensures that you cannot bypass the proxy by blocking all web traffic that doesn't originate from the proxy. A correctly setup proxy cannot be bypassed. Every Fortune 1000 uses proxy servers and keeps them from being bypassed.
-
pfSense is firewall and proxy,
so what will be the role of the firewall in this scenario, he will block what exactly ??? -
@IT-ADMIN said:
pfSense is firewall and proxy,
so what will be the role of the firewall in this scenario, he will block what exactly ???It blocks all outbound Port 80 and Port 443 except for for the proxy server. That way ALL web traffic has to go through the proxy, no matter what. You can bypass the proxy still, but there is nowhere to go because the web only exists through the proxy server.
-
firewall rules can block traffic based on IPs, not URLs
-
aahh i see what you mean Mr Scott, i should block all traffic except for outbound traffic going to my proxy server
-
@IT-ADMIN said:
firewall rules can block traffic based on IPs, not URLs
And by ports, most importantly.
-
@IT-ADMIN said:
aahh i see what you mean Mr Scott, i should block all traffic except for outbound traffic going to my proxy server
Exactly. That takes care of the general networking workaround. Now the proxy is in control of traffic and can determine where people can go.
-
i just test it right now, but it has affected other ports like outlook, now i cannot sent and receive mails,
-
@IT-ADMIN said:
i just test it right now, but it has affected other ports like outlook, now i cannot sent and receive mails,
Only block 80/443 for now. The proxy doesn't handle other protocols.
-
yes, i will open all ports except 80 and 443 for all destination, and for those 2 ports i should forward them only to the proxy IP
-
yes, now i understand your wise sentence, proxy by itself cannot do the job except with the collaboration of the firewall rules
-
@IT-ADMIN said:
yes, i will open all ports except 80 and 443 for all destination, and for those 2 ports i should forward them only to the proxy IP
Exactly.