# How to block a website?



## Deleted member 2077 (Jul 19, 2011)

I have FreeBSD as a router with natd/ipfw.  That works wonderfully, but would like to block some websites on the network layer.  

What is the easiest way to block a website?

I tried this, but didn't work:

```
ipfw add deny tcp from any to badwebsite.com
```


Some sites have multiple IPs, so add them manually for each one.


----------



## graudeejs (Jul 19, 2011)

You need a proxy.


----------



## wblock@ (Jul 19, 2011)

Advertising domains can be blocked in DNS, either in /etc/hosts or with BIND.

That can also be somewhat effective if you're trying to prevent use of certain domains, but can be bypassed by using IP addresses.


----------



## _martin (Jul 19, 2011)

Well, generally speaking that's tough to do, because even if you block it, a user can use an outside proxy to bypass it. Putting effort into detecting whether a user is using a proxy is kind of a waste of resources too. That can, for example, be bypassed by using a tunnel somewhere out.

Proxy (at your site) is a good start, but don't rely on it too much.


----------



## Deleted member 2077 (Jul 19, 2011)

I guess I should have said 'block all traffic to an outside IP', since I got answers on everything but what I was asking.

Transparent proxy isn't allowed.  Manual proxy is disabled (and they won't use it anyway).  
They can easily get to other ports (which is our concern), not just 80.
hosts/DNS is easy to get around.  In fact, it has the IP hardcoded if DNS fails.

If they tunnel/vpn, it's no longer our problem.


Anyway, here is the answer:

```
ipfw add 350 deny ip from any to 1.2.3.4
```

The reason it wasn't working is because it was higher than our keep-state and pass-all rules.
Putting it lower in the rules fixed it.


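The ordering point above, as an added example that is not part of the thread: a small Python model of ipfw's first-match evaluation, showing that a deny rule appended after `check-state` and a pass-all rule never fires, while the same deny at 350 does. The rule numbers 400/500, the appended rule's number 65000, and the client address are assumptions.

```python
# Added example (not from the thread): minimal model of ipfw first-match
# evaluation. Rules are evaluated in number order; the first match decides.
# Assumed numbers: check-state 400, pass-all 500, appended deny 65000.
import ipaddress

def parse_rule(line):
    """Parse the subset '<num> <action> [<proto> from <src> to <dst> ...]'."""
    parts = line.split()
    num, action = int(parts[0]), parts[1]
    if action == "check-state":
        return {"num": num, "action": action}
    # parts: num action proto from src to dst [keep-state]
    return {"num": num, "action": action, "proto": parts[2],
            "src": parts[4], "dst": parts[6]}

def addr_matches(spec, addr):
    """'any' matches everything; otherwise treat spec as a host or CIDR."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def first_match(ruleset, proto, src, dst, established=False):
    """Return (rule number, action) for the first rule matching the packet.
    Dynamic (keep-state) entries are modelled by 'established': check-state
    accepts the packet only if a matching dynamic rule already exists."""
    rules = sorted((parse_rule(l) for l in ruleset.strip().splitlines()),
                   key=lambda r: r["num"])
    for rule in rules:
        if rule["action"] == "check-state":
            if established:
                return rule["num"], "allow"
            continue
        if rule["proto"] not in ("ip", proto):
            continue
        if addr_matches(rule["src"], src) and addr_matches(rule["dst"], dst):
            return rule["num"], rule["action"]
    return 65535, "deny"  # ipfw's built-in default rule

# The poster's first attempt: 'ipfw add deny ...' with no number is appended
# after the pass-all rule (modelled here as 65000), so it is never reached.
BROKEN = """
400 check-state
500 allow ip from any to any keep-state
65000 deny ip from any to 1.2.3.4
"""

# The fix from the thread: deny at 350, numbered below check-state and pass-all.
FIXED = """
350 deny ip from any to 1.2.3.4
400 check-state
500 allow ip from any to any keep-state
"""
```

Because 350 sits before `check-state`, the fixed ruleset denies packets to 1.2.3.4 even for flows that already have a dynamic state entry.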
----------



## fonz (Jul 19, 2011)

feralape said:

> The reason it wasn't working is because it was higher than our keep state and pass all rules.


I assume you've done the smacking-your-forehead thing.

Fonz


----------



## SirDice (Jul 20, 2011)

matoatlantis said:

> Well, generally speaking that's tough to do. Because even if you block it, user can use outside proxy to bypass it.


Which is why you should block _all_ outside access for clients. The only way they can browse the internet is via the corporate proxy.



> Putting effort to detect if user is using proxy is kind of wasting of resources too. That can be, for example, bypassed by using tunnel somewhere out.


Windows clients can easily be prevented from changing their proxy settings by applying proper group policies (and removing the local administrator privileges for all users).


----------



## _martin (Jul 21, 2011)

SirDice said:

> The only way they can browse the internet is via the corporate proxy.



Ok, but usually you need other ports to be opened too (due to business needs), like port 22. It's hard (too strong to use the word impossible) to track all locations where this has to be opened. And even tracking the location doesn't necessarily mean you are safe. 

As I said, trying to block some website is next to impossible to do. You can try, you may partially succeed, but there is always somebody who finds a way out.


----------

