Best way to block web sites?

Discussion in 'privacy problems' started by avboy, Feb 25, 2012.

Thread Status:
Not open for further replies.
  1. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    What is the best way to block web sites?

    1. Firewall: In OA premium it just doesn't work! At least not outside banking mode. And even in banking mode microsoft & emsisoft CANNOT be blocked as they are hard coded! I am not willing to change OA as firewall, so what really are my other options?

    2. Extensions: Leech block, silent block etc.

    3. Host file: but I am not a technical guy, so may not be able to configure it frequently (particularly append or merge). I am willing to learn though if this is the best one.

    Which of the above? Any other that I am not aware of?
     
    Last edited: Feb 25, 2012
  2. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    If you create a rule in your fw for your browser or any other app to block access to microsoft.com, the fw lets it through, but not for some other site? How are you creating rules? Not sure what you are aiming for, but it might be easiest to use the hosts file to block known bad sites.
     
    Last edited: Feb 25, 2012
  4. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165

    I am referring to OA Premium banking mode & OA Premium Domains -> Block. The latter doesn't work outside banking mode.

    Here's the explanation for the first one.
    h**p://support.emsisoft.com/topic/7394-how-exactky-does-banking-mode-work/page__view__findpost__p__45029 Replace the * with t.

    Haven't tried blocking IP. IP blocking does work for Google. Will check Microsoft. But if I am using IP, I'd rather use Hosts file.
     
  5. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    617
    Location:
    Wembley, London
  6. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    forticlient, yes forticlient! 12mb in size and by far the best web filter available anywhere, and it's free.

    During installation you just untick everything apart from the web filter and you're good to go. The best part of this program is that you can automatically block all unknown websites and only allow the ones based on their categories list or your own set. The other killer feature is that you can enable certain rules per user account, so admins can go on any website and children's accounts can only browse within the allowed category; all this can be set up in a couple or so minutes.

    You can apply custom blocks per individual Windows user account.

    Very nice program.
     
  7. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    I agree with the other poster. OpenDNS is one of the best ways to block sites. Host files are very good at this as well. I know you say you are not very technical. This tool: http://sordum.3eeweb.com/?p=7593 makes it easy to block particular websites by editing the host file. It is even explained in the link above.
     
  8. BlownPC

    BlownPC Registered Member

    Joined:
    Feb 26, 2012
    Posts:
    3
    Location:
    Brazil
  9. zip

    zip Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    359
    Location:
    Mars
    Norton DNS and Outpost Security Suite Free are good at blocking bad sites.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not if the avboy doesn't wish to block other websites, due to sharing the same IP.

    I believe a future version of PeerBlock will be coded pretty much from scratch, and will work differently. One difference being the option to choose which processes to block and tie domains to IPs.

    But with the current version it's either all or nothing. You can allow IPs, but it will allow any domain that shares that IP/those IPs.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Without switching firewalls, then either by using the hosts file or using an application that filters domains. Or, as you mentioned extensions for the browser; but, in this case it would only be good to prevent the web browser from accessing those domains, and wouldn't prevent any other process from accessing those websites.

    NoVirusThanks Socket Sentinel Pro has such functionality; but, it also has more functionality you may not need.

    It's a beta application at the moment. You could give it a try: -http://www.novirusthanks.org/product/socket-sentinel-pro/

    It depends on what exactly you're wishing to do. Do you wish to block only the web browser? Most likely that's what you wish, because you mentioned those extensions.

    At the moment I can't think of anything else.
     
  12. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    The problem with using the hosts file is, it's not very clever. It's fine if you just want to block a single site, e.g.:

    127.0.0.1 somesite.com

    but if you want to block subdomains for the site, you have to add individual entries, e.g.:

    127.0.0.1 subdomain1.somesite.com
    127.0.0.1 subdomain2.somesite.com
    127.0.0.1 somesite.subdomain1.com

    and so on. Obviously, not a big problem if there's only one or two subdomains, but try doing that for something like *.doubleclick*.* Basically, the hosts file doesn't support wildcards.

    Another solution is to use something like Acrylic DNS Proxy which does allow wildcards. It also offers additional benefits for those looking for a local DNS cache, but don't want to use BIND or Unbound.

    Code:
    #############################################################################
    #                                                                           #
    # IF YOU MAKE ANY CHANGES TO THIS FILE YOU HAVE TO RESTART THE ACRYLIC DNS  #
    # PROXY SERVICE IN ORDER TO SEE THEIR EFFECTS.                              #
    #                                                                           #
    # This is the AcrylicHosts.txt file.                                        #
    #                                                                           #
    # It contains predefined mappings between names and addresses exactly the   #
    # same way the native HOSTS file does.                                      #
    #                                                                           #
    # The format is: IPADDRESS HOSTNAME1 [HOSTNAME2] [HOSTNAME3] ...            #
    #                                                                           #
    # Where IPADDRESS is in quad-dotted notation and HOSTNAMES are strings.     #
    #                                                                           #
    # The separator between IPADDRESS and HOSTNAMES can be any number of spaces #
    # or tabs or both. If the HOSTNAMES contain the special characters '*' and  #
    # '?' a (slow) "dir" like pattern matching algorithm is used instead of a   #
    # (fast) binary search within the list of host names:                       #
    #                                                                           #
    # 127.0.0.1 ad.* ads.*                                                      #
    #                                                                           #
    # If a HOSTNAME starts with the '/' character instead it is treated like a  #
    # regular expression (also very slow compared to a binary search):          #
    #                                                                           #
    # 127.0.0.1 /^ads?\..*$                                                     #
    #                                                                           #
    # Note: More info about the regular expression engine and its syntax can be #
    # found at: http://regexpstudio.com                                         #
    #                                                                           #
    # It is also possible to specify exceptions when regular expressions or     #
    # pattern based matching is used. If for example we would like to filter    #
    # out all ads.* like domains except for the ads.test1 and the ads.test2 we  #
    # should write:                                                             #
    #                                                                           #
    # 127.0.0.1 ads.* -ads.test1 -ads.test2                                     #
    #                                                                           #
    # Note: A line starting with the '#' character (and everything after it if  #
    # it's found within a line) is considered a comment and therefore ignored.  #
    #                                                                           #
    #############################################################################
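
The difference described in the post above, as an added example that is not part of the thread and is not Acrylic's own code: a small matcher for the entry format quoted in the file header (plain names, `*`/`?` patterns, `/` regular expressions, `-` exceptions), with a switch that models the native hosts file. The sample entries are constructed, and the per-line handling of exceptions and the use of `fnmatch` for the "dir"-like matching are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the AcrylicHosts.txt format quoted in the post above.
SAMPLE = r"""
127.0.0.1 somesite.com                     # plain entry
127.0.0.1 *.doubleclick.* -stats.doubleclick.example
127.0.0.1 /^ads?\..*$
"""

def parse(text):
    """Return a list of (ip, patterns, exceptions) rules."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # '#' starts a comment
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        pats = [n for n in names if not n.startswith("-")]
        excs = [n[1:] for n in names if n.startswith("-")]
        rules.append((ip, pats, excs))
    return rules

def is_special(pattern):
    return pattern.startswith("/") or "*" in pattern or "?" in pattern

def name_matches(pattern, host):
    if pattern.startswith("/"):                     # regular-expression entry
        return re.search(pattern[1:], host, re.IGNORECASE) is not None
    if is_special(pattern):                         # "dir"-like wildcard entry
        return fnmatchcase(host, pattern.lower())
    return host == pattern.lower()                  # plain entry: exact name only

def resolve(rules, host, wildcards=True):
    """Return the mapped IP, or None when the name falls through to real DNS.
    wildcards=False models the native hosts file, which knows exact names only."""
    host = host.lower().rstrip(".")
    for ip, pats, excs in rules:
        if any(name_matches(e, host) for e in excs):
            continue                                # assumed: exception wins on its line
        for p in pats:
            if is_special(p) and not wildcards:
                continue
            if name_matches(p, host):
                return ip
    return None

RULES = parse(SAMPLE)
```

With these rules, `resolve(RULES, "subdomain1.somesite.com")` returns `None`: the plain `somesite.com` entry does not cover subdomains, and `*.doubleclick.*` does not cover the bare name `doubleclick.net` either.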
     
  13. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Code:
    ...
    # or tabs or both. If the HOSTNAMES contain the special characters '*' and  #
    # '?' a (slow) "dir" like pattern matching algorithm is used instead of a   #
    # (fast) binary search within the list of host names:                       #
    
    I use regex in my blocking with the SimpleBlock extension for Firefox and in Privoxy. I'm not sure that the "very slow compared to a binary search" part is really noticeable. All the same, I try to keep regex to a minimum.
     
    Last edited: Feb 27, 2012
  14. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    the best way is hosts file..
    add 127.0.0.1 sitetobeblocked . com

    soo simple;)
     
  15. Circe

    Circe Registered Member

    Joined:
    May 10, 2011
    Posts:
    138
    Location:
    Cheshire, England
    I've tried a lot of web site blockers/filters because I have two teenage boys. The one that worked for me and IMHO is superior to them all is K9 WEBPROTECTION http://www1.k9webprotection.com/ it is free: K9 Features to protect your children:
    Web site blocking by category, including pornography, illegal drugs, personals/dating, violence/hate/racism
    Easy pre-set levels to choose from depending on the age of your children
    SafeSearch enabled on all search engines to show cleaner search results
    Time restrictions, including NightGuard(tm), to disallow internet access during designated times
    Custom “always allow” and “always block” lists for your personal preferences
    Ability to override a block with the parent password
    Tamper resistant for more savvy kids
    Reports showing activity to categories of web sites
    Real-time categorization of new web sites
    Compatible with Windows or Mac machines
    Block web sites in more than 70 categories, including pornography, gambling, drugs, violence/hate/racism, malware/spyware, phishing
    Force SafeSearch on all major search engines
    Set time restrictions to block web access during designated times
    Configure custom lists for "always allow" and "always block"
    Override a web page block with password
    Trust the enhanced anti-tampering, even children can't break
    View easy reports to monitor and control web activity
    Real-time categorization of new adult and malicious sites
    Best free parental controls software/internet filter available
    Compatible with Windows or Mac machines
    If you want a filter that works this is one to think about, it's free.
    edit: don't rely on outpost to block web sites. yes Outpost will block the odd page but K9 blocks 99.99%
     
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,890

    Last edited: Feb 29, 2012
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  18. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,890
    I don't know, but it won't matter. I'll add yours, too. Thanks!:thumb:
     
  19. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    First, thanks to all of you for your replies! Quite a few options as I can see.

    Initially I used OA Premium for everything, including blocking domains. Now that domain blocking is not working I am trying to put multiple level approach.

    First I've used hosts file. But as Heimdall mentioned, wildcards, at least at the middle or end are not supported. So I'll look at Acrylic DNS Proxy.

    Next, I have also used IP blocking in firewall. Wish I could create different firewall profiles like locked down, default deny with allow only list, default allow with deny only list (like hosts file) etc. E.g. I don't like Google, but can't put it in the hosts file, as someone here wants to use Google based sites. So I change the firewall blocked IPs every time.


    Special thanks to m00nbl00d. Will check the beta. Yes you are right. Looking at browser only as
    i. I expect firewall to prompt me for other apps and
    ii. my Sandbox runs with net access for browser only.

    Will also use the Chromium with command line option for default allow to specific sites as mentioned by you in the other thread.


    BlownPC: thanks for the Hostsman link.

    treehouse786 and Circe: I'll check forticlient and k9, but prefer to do it through "in house" tweaking like hosts file or keeping app levels to minimum. So if it's available with a combo of existing SBIE, OA Premium & hosts file, it's better.

    Will also check openDNS as suggested by some of you.
     
  20. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    617
    Location:
    Wembley, London
    Thanks for the clarification, much appreciated :thumb:
     
  21. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    I think you'll like Acrylic DNS Proxy. I've been using it for years and have no complaints.
     
  22. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    Emphasizing on my limited tech knowledge, let me try to carry this forward.

    1. How does Acrylic DNS work? I have read the FAQ page. I wish to know the sequencing. And does it replace the Hosts file or is it Acrylic DNS -> Windows Hosts file -> DNS servers? Or Hosts file -> Ac. DNS -> DNS Servers?

    2. When does the host file come into picture? Is it only during resolution from the browser or even from any application (e.g. a program using WinHTTP)? Or do the application requests, other than domain name resolution from browsers go directly to the DNS servers, bypassing the hosts file?

    Thanks
     
  23. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    165
    My doubts here are:

    1. Is it correct to say that hosts file can be bypassed if a connection is opened directly to a specific IP like 174.93.x.x:80 instead of using a domain name?

    2. Can programs piggyback on svchost.exe to connect to the Net, which the firewall won't detect (as I have svchost in allowed list)?

    So what is a good option in such cases?
    1. Only allowing browser connections to specific IPs by firewall (or using command line parameters in chromium as shown by m00nbl00d) and prevent ALL other connections.
    2. Mapping the domain name (of say my bank) to that specific IP in Hosts file (or using Acrylic DNS and its advanced features to allow only that domain and block all other domains) .
    3. Lock down all other apps (like allow only browser to run and access internet in sandboxie)? But still svchost.exe and a few others will run and may access the Net.

    In that case something like Appguard will be required. And a firewall that blocks ALL connections except to a few IPs list. And that is a big cause of concern for me.
     
    Last edited: Mar 6, 2012
  24. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    I don't know if or what av you use, but avast free has a site blocking feature under additional protection if you ever wanted to try it. You have to put the sites in manually but it does support *wildcards, so you could put in *facebook mask and it blocks all instances in all browsers. You can also password protect avast if the filtering is for the kids. If you do try it, bear in mind that current avast seems to be work in progress and some haven't had any problems and some have.
    http://techdows.com/wp-content/uploads/2011/01/block-sites-using-Avast.png
     
  25. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    In terms of DNS checks, what are the desirable steps? I'm rusty, but off the top of my head I'd think it could be something like:

    Block operation to $targetHostname if $targetHostname matches $pattern *or* $targetHostname has a CNAME which matches $pattern *or* a reverse DNS lookup on the IP Address of $targetHostname matches $pattern.

    There is some work there, and I'm wondering if any of the DNS oriented solutions actually go so far.
     
    Last edited: Mar 10, 2012
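
The three-part check proposed in the post above, as an added example that is not part of the thread and not taken from any of the products mentioned: block when the target name, any CNAME it resolves through, or the reverse-DNS name of its address matches a pattern. The DNS answers are constructed tables (documentation names and addresses) standing in for live lookups, and all function and variable names are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed records standing in for live DNS answers.
CNAME = {"cdn.shop.example": "edge.tracker.example",
         "edge.tracker.example": "pool7.adnet.example"}
A = {"pool7.adnet.example": "192.0.2.10",
     "news.example": "192.0.2.20",
     "blog.example": "198.51.100.5"}
PTR = {"192.0.2.10": "host10.adnet.example",
       "192.0.2.20": "srv.tracker.example",
       "198.51.100.5": "web.hosting.example"}

def cname_chain(name, limit=8):
    """Follow CNAME records from name; limit guards against alias loops."""
    chain = [name]
    while chain[-1] in CNAME and len(chain) <= limit:
        chain.append(CNAME[chain[-1]])
    return chain

def block_reason(target, patterns):
    """Return which of the three checks matched, or None to allow."""
    target = target.lower().rstrip(".")

    def hit(name):
        return any(fnmatchcase(name, p) for p in patterns)

    if hit(target):                          # 1. the requested hostname itself
        return "hostname"
    chain = cname_chain(target)
    for alias in chain[1:]:                  # 2. any alias the name resolves through
        if hit(alias):
            return "cname:" + alias
    ip = A.get(chain[-1])                    # 3. reverse DNS of the final address
    ptr = PTR.get(ip)
    if ptr and hit(ptr):
        return "ptr:" + ptr
    return None

PATTERNS = ["*.tracker.example"]
```

A filter that only compares the requested name against its patterns would allow both `cdn.shop.example` and `news.example` here; the second and third checks are what catch them.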