# Locking down unauthorized exit packets



## Beeblebrox (Jan 7, 2014)

I have a PC which is being used by several people for Internet browsing. It also has its own pf running, but has

```
pass out on re0
```
I recently used `tcpdump -nettt -i re0 port 80` to get a list of traffic on the external-facing NIC. The results were a bit horrifying, even though the browser has the script/flash blocking addons.


When I had Firefox open, I saw traffic to both akamaihd.net and facebook.com, even though I was not logged in to Facebook. I saw a good number of other unauthorized packets as well, even though I ran tcpdump for just around 60 seconds. How can one get this problem under control? I don't see how privoxy, for example, could deal with this, as there does not seem to be a way to tell the difference between legitimate use and "data mining". Is cookie-bashing the solution?

For other "strange traffic", what options are there other than IP blacklisting in pf.conf? privoxy could help and treat the blacklist like advertising sites (redirect to lo0), but that requires manual editing as well. Maybe a list of phishing, malware and other crap sites that is periodically refreshed to the DNS resolver (similar to http://pgl.yoyo.org/adservers/)?

For the future, I'd like to place the results of tcpdump IPs in a list, then have the second column display the whois information for rapid analysis. I have looked at ntop and darkstat but I don't feel either is what I'm looking for (it's possible I don't fully understand them yet). How can I get a real-time or at least a delayed-refresh readout for traffic source/destination by domain name?


----------



## worldi (Jan 7, 2014)

That's just how the WWW works. Every website that has a "Like" button makes the browser connect to facebook.com. Connections to content delivery networks (like Akamai, Level3, etc.) aren't unusual either.

Blacklists are the wrong approach when you're that ~~paranoid~~ concerned. Use whitelists instead.


----------



## Beeblebrox (Jan 9, 2014)

It turns out privoxy does have code geared to handle this issue. A search using the terms "privoxy block tracking facebook" (or any other keyword you prefer) brings up a good level of information on how to do it. I have not yet tried the solution posted below, so I cannot confirm the code (it may need some adjustments):


```
# To block tracking via embedded Facebook "Like" buttons, Twitter "follow"
# buttons and Google Plus "+1" buttons, edit /etc/privoxy/user.action and
# add these lines to the end. Privoxy defines block-as-image as an alias
# that takes no reason text, so the reason is given to +block directly;
# +handle-as-image makes Privoxy answer with a blank image rather than an
# error page, so the surrounding page still renders.

{+block{Facebook "like" and similar tracking URLs.} +handle-as-image}
www.facebook.com/(extern|plugins)/(login_status|like(box)?|activity|fan)\.php
platform.twitter.com/widgets/follow_button
plusone.google.com
```

I also found a Mozilla add-on named ghostery which seems to be designed for the same task. However, I would prefer to go with privoxy since it keeps surprising me with its capabilities again and again.

Now then, anyone want to pitch in on the tcpdump/whois table question?
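One way to build the tcpdump/whois table asked about in the first post and again here, as an added example that is not code from the thread, from tcpdump or from privoxy. It assumes Python 3, that the text output of `tcpdump -nettt -i re0 port 80` is piped on stdin, and that whois(1) is installed for the optional `--whois` lookup; the script name, the sample capture lines and the hostnames are constructed for illustration.

```python
"""Turn `tcpdump -nettt -i re0 port 80` output into a per-destination table.

Added example; not code from the thread or from tcpdump/privoxy. Groups
packets by the remote HTTP peer and labels each peer with a pluggable lookup
(reverse DNS, whois(1), or a local list). Sample lines are constructed.
"""
import re
import socket
import subprocess
import sys
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional

HTTP_PORT = 80

# The "src.port > dst.port:" part of an IPv4 line; the -e Ethernet header and
# the -ttt delta timestamp sit before it and are not needed.
FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)
# Frame length printed by -e ("length 74:"); the trailing "length 0" is TCP payload.
LEN_RE = re.compile(r"\blength (?P<len>\d+):")

# Constructed sample: three packets of one connection, one SYN to a second
# host, and an ARP frame the parser must skip. Addresses are documentation ranges.
SAMPLE_CAPTURE = """\
 00:00:00.000000 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 192.168.1.10.51234 > 203.0.113.7.80: Flags [S], seq 1, win 65535, length 0
 00:00:00.012345 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 203.0.113.7.80 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
 00:00:00.000210 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 66: 192.168.1.10.51234 > 203.0.113.7.80: Flags [.], ack 1, win 1024, length 0
 00:00:00.400000 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 192.168.1.10.51235 > 198.51.100.42.80: Flags [S], seq 9, win 65535, length 0
 00:00:00.000500 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.10, length 28
"""


def parse_flows(lines: Iterable[str]) -> Dict[str, dict]:
    """Aggregate packets per remote peer; the peer is whichever side uses port 80."""
    peers: Dict[str, dict] = defaultdict(lambda: {"packets": 0, "bytes": 0, "local": set()})
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # ARP, IPv6, or a line the capture tool truncated
        if int(m["dport"]) == HTTP_PORT:
            remote, local = m["dst"], m["src"]
        elif int(m["sport"]) == HTTP_PORT:
            remote, local = m["src"], m["dst"]
        else:
            continue  # neither side on port 80; the capture filter should exclude this
        lm = LEN_RE.search(line)
        entry = peers[remote]
        entry["packets"] += 1
        entry["bytes"] += int(lm["len"]) if lm else 0
        entry["local"].add(local)
    return dict(peers)


def reverse_dns(ip: str) -> str:
    """PTR lookup; '?' when there is no record. Does network I/O."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return "?"


def whois_owner(ip: str) -> str:
    """First OrgName/netname/descr/owner line from whois(1), assumed to be installed."""
    try:
        out = subprocess.run(["whois", ip], capture_output=True, text=True, timeout=15).stdout
    except (OSError, subprocess.TimeoutExpired):
        return "?"
    for line in out.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("orgname", "netname", "descr", "owner"):
            return value.strip()
    return "?"


def build_table(peers: Dict[str, dict], lookup: Optional[Callable[[str], str]] = None) -> List[dict]:
    """Rows sorted by packet count, most active peer first."""
    rows = []
    for ip, e in sorted(peers.items(), key=lambda kv: (-kv[1]["packets"], kv[0])):
        rows.append({"ip": ip, "packets": e["packets"], "bytes": e["bytes"],
                     "clients": len(e["local"]), "name": lookup(ip) if lookup else "-"})
    return rows


def render(rows: List[dict]) -> str:
    """Fixed-width text table: remote IP, packets, bytes, local hosts seen, name."""
    header = f"{'remote ip':<16}{'pkts':>6}{'bytes':>8}{'hosts':>6}  name"
    body = [f"{r['ip']:<16}{r['packets']:>6}{r['bytes']:>8}{r['clients']:>6}  {r['name']}" for r in rows]
    return "\n".join([header, *body])


if __name__ == "__main__":
    # Usage (script name is hypothetical):
    #   tcpdump -nettt -i re0 port 80 | python3 http_peers.py [--dns | --whois]
    # With no piped input the constructed sample above is used instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE.splitlines()
    lookup = reverse_dns if "--dns" in sys.argv else whois_owner if "--whois" in sys.argv else None
    print(render(build_table(parse_flows(source), lookup)))
```

Keeping the lookup pluggable is the point: the parsing and counting run offline, and a reverse-DNS, whois or local-list function is only applied once per remote address, so a 60-second capture with thousands of packets costs a handful of lookups. For a delayed-refresh readout, run tcpdump with `-w` to a file and re-run the script on it periodically rather than resolving every packet live.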


----------

