02-07-2012 05:36 PM
I have looked around the forums (and google) and can't seem to find a good solution to a filter I would like (well, okay, management is demanding one get put on there) that will allow me to block any traffic headed to facebook.com and then allow everything else. Now, typically this would be easy...if facebook.com only had one IP address. Unfortunately, they have at least 3 of them I can find (and I am sure more) so I am hoping for some guidance on how best to achieve this type of filter. We have a very simple setup: 3 EX4200s in a virtual chassis and any/all traffic must go out the ge-0/0/0 interface to get anywhere off the LAN (very convenient choke point).
So, what I am thinking of is a simple Layer 2 egress filter on ge-0/0/0 that basically drops/logs all traffic from anything on the 192.168.61.0/24 subnet (the only subnet at this office where there is facebook mania) to facebook.com. My question is can I use the domain name or am I going to have to simply add in something to the filter like the /16s for the address...so block 220.127.116.11 and 18.104.22.168? Okay, any help would be greatly appreciated and thanks for the support!
Solved! Go to Solution.
02-08-2012 06:16 AM
This will actually be quite hard using the EX4200s - the SRX is more suited to this sort of thing.
What you could do though (assuming you have internal DNS servers):
Write a firewall-filter on your EXs to block outbound DNS requests from everyone EXCEPT your DNS server(s). This will force everyone to use your internal server to get to the internet.
Create a new zone on your DNS server for facebook.com - don't bother putting any records into it.
Now when your users look up *.facebook.com, your server will attempt to find any address in the local zone (and fail).
Just be aware there are a few proxy sites out there that allow access to facebook via alternate domains. You'll have to create zone files for any of these that your users come across. But like I said - the SRX is much better suited for this type of thing and can block sites by domain quite easily.
Hope this helps.