Friday, October 4, 2024

How to block web pages

I block myself from certain web pages because I find they hinder my productivity or because I'm mad at them for some long-forgotten reason.

The original way I blocked web pages was to make changes to the hosts file at the location below.  You'll need to run notepad as administrator and then open the "hosts" file (no extension).

C:\Windows\System32\drivers\etc\hosts

The operating system resolves host names to IP addresses by first looking in the hosts file and then querying your configured DNS server.  Recall that 127.0.0.1 is your local host (the loopback address).  So if you add lines like the ones below, you tell the operating system to look to itself when it attempts to open the web pages listed here:

127.0.0.1 i.imgur.com
127.0.0.1 imgur.com

127.0.0.1 www.digg.com
127.0.0.1 digg.com

This blocks your computer from accessing the websites specified above.  If you ping the hostnames, you'll see they resolve to 127.0.0.1.

This used to work - and still does.  However, SOME browsers now bypass the operating system's local DNS lookups and do the lookups themselves using DNS over HTTPS rather than traditional DNS.  The idea is that it prevents third parties from snooping on your hostname lookups in clear text, because the browser sends the queries over https instead.  The problem with this approach is that it breaks decades of traditional hostname resolution: the browser no longer honors my local hosts file.  You can disable the feature - details here:

https://support.mozilla.org/en-US/kb/firefox-dns-over-https

Thinking about this... what if you want to block only certain websites but still want the advantage of secure lookups?

Here is a way. You can force Firefox to block websites by adding domain names to a local policy file here:

C:\Program Files\Mozilla Firefox\distribution\policies.json

You'll need to run notepad as admin and then open the file.  Create the following block of config code:

{
  "policies": {
    "WebsiteFilter": {
      "Block": [
        "*://*.evilcorp.com/*",
        "*://*.googlesucks.org/*",
        "*://*.facebook.com/*"
      ]
    }
  }
}

The code above would block evilcorp.com, googlesucks.org, and facebook.com (and their subdomains).

Notice when commas are needed and when they are not.  The last entry in the list does not take a comma.

Once you create the file, save it, make sure you closed out of Firefox, and then launch a new Firefox window.  Go to the offending website and it should tell you that it is blocked.

Chrome and Edge probably have similar mechanisms.  I only use Firefox for my general web browsing, so I only figured it out on Firefox.
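The two mechanisms above (hosts-file sinkholing and the Firefox WebsiteFilter policy) are easy to get subtly wrong by hand: a stray comment on a hosts line, or the trailing-comma problem in policies.json.  The script below is an added example, not code from the original post or from Mozilla.  It parses a constructed hosts-file sample, reports which names are pointed at loopback, and generates the policies.json structure from a plain list of domains using json.dumps so comma placement is never a manual job.  The helper names (parse_hosts, sinkholed_names, block_policy, render_policy) and the sample hosts text are mine; the block patterns follow the "*://*.domain/*" form shown in the post.

```python
import ipaddress
import json

# Constructed sample of a hosts file (not the reader's real
# C:\Windows\System32\drivers\etc\hosts); the names are the ones from the post.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
127.0.0.1 i.imgur.com
127.0.0.1 imgur.com      # blocked on purpose
127.0.0.1 www.digg.com digg.com
"""


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text, skipping comments and blank lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)  # skip malformed lines rather than trusting them
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), address)  # keep the first entry for a name
    return mapping


def sinkholed_names(text):
    """Hostnames the file points at a loopback address, i.e. the ones the file blocks."""
    blocked = []
    for name, address in parse_hosts(text).items():
        if ipaddress.ip_address(address).is_loopback and name != "localhost":
            blocked.append(name)
    return sorted(blocked)


def block_policy(domains):
    """Build the policies.json structure for Firefox's WebsiteFilter, one pattern per domain."""
    patterns = [f"*://*.{d.lower().strip('.')}/*" for d in domains]
    return {"policies": {"WebsiteFilter": {"Block": patterns}}}


def render_policy(domains):
    """Serialize the policy; json.dumps gets the commas right so you never have to."""
    return json.dumps(block_policy(domains), indent=2) + "\n"


if __name__ == "__main__":
    print("blocked by hosts file:", sinkholed_names(SAMPLE_HOSTS))
    # Write this output to distribution\policies.json (as admin) and restart Firefox.
    print(render_policy(["evilcorp.com", "googlesucks.org", "facebook.com"]))
```

Running the script prints the sinkholed names from the sample and a ready-to-save policies.json; pipe it to a file and restart Firefox as the post describes.  Because the hosts file is consulted by the operating system and the policy by the browser, checking both is the quickest way to see which layer a DNS-over-HTTPS browser is actually honoring.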


Wednesday, July 17, 2024

Cisco 137 - Ansible, Puppet, and Chef

Ansible
Model: PUSH = Agentless
Action file: Playbook
Protocols: SSH & NETCONF
Uses YAML.
Written in Python.


Puppet

Model: PULL = Requires Agent (or proxy)
Action file: Manifest
Protocols: HTTPS(REST) TCP port 8140
Written in Ruby

Example of Puppet DSL resource declaration:

sudo::conf { 'CoAdmins':
    ensure  => present,
    content => '%admin ALL=(ALL) ALL',
}


Chef

Model: PULL = Requires Agent
Action file: Recipe, Runlist
Protocols: HTTPS(REST) TCP port 10002
Written in Ruby

Example of Chef recipe (a resource block needs do ... end):

sudo 'CoAdmins' do
    group 'CoAdmins'
    nopasswd true
end


Ansible's playbooks use an imperative language, whereas Puppet uses a declarative language.

Adoption numbers:

Wendell Odom's book says Ansible > Puppet > Chef

Jeremy says Ansible is the most popular choice for network device config management

Boson ExSim says Puppet is most mature and widely used



Tuesday, July 16, 2024

Cisco 136 - Python lists and dictionaries

list1 = ["g0/0", "g0/1", "g0/2"]

dictionary1 = {"config_speed": "auto",
               "config_duplex": "auto",
               "config_ip": "10.1.1.1"}

^ Notice dictionary uses key:value pairs


Cisco 135 - CRUD and REST

CRUD      REST (HTTP) verb
Create    POST
Read      GET
Update    PATCH, PUT
Delete    DELETE


Cisco 134 - JSON, XML, YAML

---------------> JSON <---------------

JavaScript Object Notation
Attempts to strike balance between human-readable & machine readability
{
  "response": {
    "type": "Cisco Catalyst 9300",
    "family": "Switches",
    "macAddr": "f8:7b:20:67:62:80"
  }
}

Key:Value Pair
Value types:
- Text
- Numeric
- { } Object - Series of key:value pairs
- [ ] Array – Series of values (not key:value pairs)

Example of JSON Array:
[
    "Fred",
    "Wilma",
    "Barney"
]

Example of JSON Object:
{
    "Parents": [
        "Fred",
        "Wilma",
        "Barney",
        "Betty"
    ],
    "Children": [
        "Pebbles",
        "Bambam"
    ]
}
^ This JSON object has two arrays within.

---

---------------> XML <---------------

eXtensible Markup Language
<?xml version="1.0"?>
<root>
    <blah>
        <blah1/>
        <blah2/>
        <blah3/>
    </blah>
</root>
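When a script consumes device output in these formats, it should parse it with a real parser and check the shape before acting on it, rather than trusting string matching.  The block below is an added example, not code from the course or from Cisco: it loads a constructed JSON response in the shape of the notes' Catalyst example (plus an "interfaces" array that I added), classifies each value into the Text / Numeric / Object / Array categories listed above, validates the macAddr field against a MAC address pattern, and parses the XML skeleton to list its leaf tags.  The sample texts and the helper names (value_kind, response_kinds, device_mac, xml_leaf_tags) are mine.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the notes' JSON example (not from a real device).
JSON_TEXT = """{
  "response": {
    "type": "Cisco Catalyst 9300",
    "family": "Switches",
    "macAddr": "f8:7b:20:67:62:80",
    "interfaces": ["g0/0", "g0/1", "g0/2"]
  }
}"""

# Constructed sample in the shape of the notes' XML example.
XML_TEXT = """<?xml version="1.0"?>
<root>
    <blah>
        <blah1/>
        <blah2/>
        <blah3/>
    </blah>
</root>"""

# Six colon-separated hex octets, e.g. f8:7b:20:67:62:80.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def value_kind(value):
    """Classify a parsed JSON value using the categories from the notes."""
    if isinstance(value, dict):
        return "Object"   # { } series of key:value pairs
    if isinstance(value, list):
        return "Array"    # [ ] series of values
    if isinstance(value, bool) or value is None:
        return "Other"    # JSON also has true/false/null; bool is checked before int on purpose
    if isinstance(value, (int, float)):
        return "Numeric"
    return "Text"


def response_kinds(json_text):
    """Map each key inside "response" to its value kind."""
    data = json.loads(json_text)
    return {key: value_kind(val) for key, val in data["response"].items()}


def device_mac(json_text):
    """Return the device MAC from the response, refusing anything that is not a well-formed MAC."""
    data = json.loads(json_text)
    mac = data["response"]["macAddr"]
    if not isinstance(mac, str) or not MAC_RE.match(mac.lower()):
        raise ValueError(f"unexpected macAddr value: {mac!r}")
    return mac.lower()


def xml_leaf_tags(xml_text):
    """Parse the XML and return the tags of elements that have no children."""
    root = ET.fromstring(xml_text)
    return [el.tag for el in root.iter() if len(el) == 0]


if __name__ == "__main__":
    print(response_kinds(JSON_TEXT))
    print(device_mac(JSON_TEXT))
    print(xml_leaf_tags(XML_TEXT))
```

The same distinction the notes draw (object versus array) shows up directly as dict versus list once the text is parsed, which is why the Python list and dictionary syntax from the earlier post matters for working with these APIs.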

---

---------------> YAML <---------------

YAML Ain’t Markup Language
Used heavily in Ansible
# Comment about Playbook
- name: Get IOS Facts
  hosts: mylab
  vars:
      host: "{{ ansible_host }}"
      username: "{{ username }}"
  tasks:
      - ios_facts:
            gather_subset: all
            provider: "{{ cli }}"



Saturday, June 8, 2024

Cisco 133 - DAI = Dynamic ARP Inspection

Recall that ARP = Address Resolution Protocol.
It translates IP addresses to MAC addresses.

ARP Request / ARP Reply

Gratuitous ARP (GARP) - An ARP reply sent without receiving an ARP request.
Sent to the broadcast MAC address.
Allows other devices to learn the MAC address of the sending device without them having to send ARP requests.
Some devices automatically send GARP messages when an interface is enabled, the IP address changes, or the MAC address changes.

DAI (Dynamic ARP Inspection) is a security feature of switches that is used to filter ARP messages received on *untrusted* ports.
Only filters ARP messages.  Non-ARP messages are not affected.

By default, all ports are *untrusted*.

Recommendation: All ports connected to other network devices (switches, routers) should be configured as *trusted*.  Interfaces connected to end hosts should be *untrusted*.

DAI inspects the sender MAC and sender IP fields of ARP messages received on untrusted ports and checks that there is a matching entry in the DHCP snooping binding table.

SW1#show ip dhcp snooping binding
^ Displays a 1:1 mapping of MAC addresses to IP addresses and which VLAN and interface they belong to.

If there is a matching entry, the switch forwards the message normally.
If no matching entry, the ARP message is discarded.

ARP ACLs can be manually configured to map IP address/MAC addresses for DAI to check.  This is needed for hosts that don't use DHCP.

DAI can be configured to perform more in-depth checks.  It also supports rate-limiting.

SW2(config)#ip arp inspection vlan 1
^ Enables DAI on VLAN 1.  
No global config.
You'll need to enable it on each VLAN used.

SW2(config)#ip arp inspection vlan 1
SW2(config)#int range g0/0 - 1
SW2(config-if-range)#ip arp inspection trust
^ This set of commands turns on DAI for VLAN 1 and then sets the specified range of interfaces as trusted.

SW1#show ip arp inspection interfaces
^ Displays all interfaces and whether they are trusted or untrusted.  Also shows allowed rate (packets per second) and allowed burst interval (X packets per Y seconds).

If ARP messages are received faster than permitted, the default is to put the interface into the err-disabled state.
To re-enable:
- shut/no shut
- errdisable recovery cause arp-inspection

Optional checks:

SW1(config)#ip arp inspection validate <type>
Where <type> can be:
dst-mac = Validate destination MAC address
ip = Validate IP address
src-mac = Validate source MAC address

If you want all three, you must specify all three on the same command line:
SW1(config)#ip arp inspection validate dst-mac ip src-mac
^ Configures all three deeper inspection types.

Hosts that don't use DHCP never appear in the DHCP snooping binding table, so you'll need to add their IP/MAC mappings with an ARP ACL:

SW2(config)#arp access-list ARP-ACL-1
^ Create an ARP ACL
SW2(config-arp-nacl)#permit ip host 192.168.1.100 mac host 0c29.2f1e.7700
^ Define an entry in the ACL
SW2(config)#ip arp inspection filter ARP-ACL-1 vlan 1
^ Applies the ACL to VLAN 1
You'll need to do this on each VLAN as appropriate.

SW2#show ip arp inspection
^ Displays info and statistics about DAI state, configuration, and counters.
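To make the decision logic above concrete, here is an added example (my code, not from the course or from Cisco) that models what DAI does with one ARP message: trusted ports are skipped, the optional src-mac / dst-mac / ip validations run if enabled, and the sender MAC/IP pair must then match either the ARP ACL or the DHCP snooping binding table for the message's VLAN.  The binding rows, ACL entry, trusted-port set and the ArpMessage / dai_decision names are constructed for the example.  The "ip" check is modelled on the addresses Cisco documents as invalid (0.0.0.0, 255.255.255.255 and multicast); treating it as sender-only and consulting the ACL before the binding table are simplifications I made.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the switch's tables (not from a real device).
# DHCP snooping binding rows as shown by "show ip dhcp snooping binding": (mac, ip, vlan, interface)
BINDINGS = [
    ("0c29.2f1e.aa01", "192.168.1.10", 1, "Gi0/2"),
    ("0c29.2f1e.aa02", "192.168.1.11", 1, "Gi0/3"),
]
# ARP ACL entries for hosts with static addresses (the ARP-ACL-1 idea): (mac, ip)
ARP_ACL = {("0c29.2f1e.7700", "192.168.1.100")}
# Uplinks configured with "ip arp inspection trust"
TRUSTED_PORTS = {"Gi0/0", "Gi0/1"}


@dataclass
class ArpMessage:
    in_port: str
    vlan: int
    is_reply: bool
    sender_mac: str   # ARP body: sender hardware address
    sender_ip: str    # ARP body: sender protocol address
    target_mac: str   # ARP body: target hardware address
    src_mac: str      # Ethernet header: source MAC
    dst_mac: str      # Ethernet header: destination MAC


def ip_is_plausible(ip):
    """The 'ip' validate check, modelled as rejecting 0.0.0.0, 255.255.255.255 and multicast."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    broadcast = ipaddress.IPv4Address("255.255.255.255")
    return not (addr.is_unspecified or addr.is_multicast or addr == broadcast)


def dai_decision(msg, validate=frozenset()):
    """Return (action, reason) for one ARP message, following the rules in the notes."""
    if msg.in_port in TRUSTED_PORTS:
        return "forward", "trusted port: DAI does not inspect"
    # Optional deeper checks enabled with "ip arp inspection validate ..."
    if "src-mac" in validate and msg.src_mac != msg.sender_mac:
        return "drop", "src-mac: Ethernet source != ARP sender MAC"
    if "dst-mac" in validate and msg.is_reply and msg.dst_mac != msg.target_mac:
        return "drop", "dst-mac: Ethernet destination != ARP target MAC"
    if "ip" in validate and not ip_is_plausible(msg.sender_ip):
        return "drop", "ip: invalid sender IP address"
    # The sender MAC/IP pair must be known: ARP ACL first, then the binding table for this VLAN.
    if (msg.sender_mac, msg.sender_ip) in ARP_ACL:
        return "forward", "ARP ACL match"
    for mac, ip, vlan, _iface in BINDINGS:
        if (mac, ip, vlan) == (msg.sender_mac, msg.sender_ip, msg.vlan):
            return "forward", "DHCP snooping binding match"
    return "drop", "no binding or ACL entry for sender MAC/IP"


if __name__ == "__main__":
    # A host on Gi0/2 claiming the gateway's address 192.168.1.1 is what DAI exists to stop.
    spoof = ArpMessage("Gi0/2", 1, True, "0c29.2f1e.aa01", "192.168.1.1",
                       "0c29.2f1e.aa02", "0c29.2f1e.aa01", "0c29.2f1e.aa02")
    print(dai_decision(spoof))
```

The interesting case is the last branch: a message whose sender fields are not in either table is dropped on an untrusted port even though it is a perfectly well-formed ARP packet, which is exactly why static-IP hosts need the ARP ACL and why the uplink toward the real gateway must be trusted.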




[These are my notes from Jeremy's excellent CCNA course which can be viewed here.]

Cisco 132 - DHCP Snooping

Turns on features that look for and discard misbehaving DHCP packets.

Enable on "untrusted" ports (those downstream from the real DHCP server -- typically facing end user devices).

SW2(config)#ip dhcp snooping
^ Globally turn on DHCP Snooping

SW2(config)#ip dhcp snooping vlan 1
^ And turn it on for each VLAN - in this case, VLAN 1.

SW1(config)#no ip dhcp snooping information option
SW2(config)#no ip dhcp snooping information option
^ Turns off the default behavior of both switches to add "Option 82" to DHCP messages they receive from clients.

R1 <--> SW2 <--> SW1 <--> PC1

By default, Cisco switches will drop DHCP messages with Option 82 that are received from an untrusted port.  In a design like the one above, SW1 would (by default) add Option 82 even if it is not the relay agent.  When the upstream switch (SW2) receives this packet from a downstream (untrusted) port, SW2 takes the default behavior which is to drop DHCP messages with Option 82 that are received from an untrusted port.

By running the command above, we tell the switch not to add Option 82.



SW2(config)#int g0/0
SW2(config-if)#ip dhcp snooping trust
^ Configures this port as a "trusted" port.  Trusted ports won't perform DHCP Snooping.  Do this on each port that points "toward" the real DHCP server.

SW1#show ip dhcp snooping binding
^ Displays the DHCP Snooping binding table which is loaded with known DHCP info:
MacAddress - MAC of client
IpAddress - IP given to client
Lease - Length of DHCP lease
VLAN - Which VLAN
Interface - Switch interface the client with that MAC is connected to

Rate-Limiting:

SW1(config)#int range g0/1 - 3
SW1(config-if-range)#ip dhcp snooping limit rate 1
^ This limits the DHCP traffic rate to 1 per second.  This is too low in a real network.  If the traffic rate exceeds this number, the interface will be disabled.

Manually re-enable interface with shut/no shut or configure interface to automatically re-enable:

SW1(config)#errdisable recovery cause dhcp-rate-limit
^ Turns on automatic recovery of the interface after (by default) 300 seconds when the err-disable reason is exceeding the DHCP rate limit

SW1#show errdisable recovery
^ Confirms automatic recovery is turned on by displaying which errDisable reasons are enabled
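The following is an added example of my own (not from the course or from Cisco) that models the DHCP snooping behaviour described in these notes on a small in-memory switch: server-type messages (OFFER/ACK/NAK) arriving on an untrusted port are dropped, a client message carrying Option 82 on an untrusted port is dropped (the default the notes disable with "no ip dhcp snooping information option"), a per-port rate limit puts the port into err-disabled state, and a binding is recorded when the server's ACK on the trusted port answers a request seen on an untrusted port.  The DhcpSnooping class, the DhcpMessage fields, the port names and rate limits are constructed for the example; the check that the DHCP client hardware address matches the Ethernet source MAC is my addition and is not something the notes mention.

```python
from dataclasses import dataclass

TRUSTED_PORTS = {"Gi0/0"}                              # toward the real DHCP server
RATE_LIMITS = {"Gi0/1": 1, "Gi0/2": 1, "Gi0/3": 1}     # "ip dhcp snooping limit rate 1" (too low for real use)
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}               # only a DHCP server sends these


@dataclass
class DhcpMessage:
    in_port: str
    vlan: int
    msg_type: str        # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE
    client_mac: str      # chaddr in the DHCP payload
    src_mac: str         # Ethernet source MAC
    your_ip: str = ""    # yiaddr, set in OFFER/ACK
    lease: int = 0       # lease length in seconds
    option82: bool = False


class DhcpSnooping:
    def __init__(self, trusted, rate_limits):
        self.trusted = set(trusted)
        self.rate_limits = dict(rate_limits)
        self.binding = {}       # client_mac -> {ip, lease, vlan, interface} (the binding table)
        self.pending = {}       # client_mac -> (vlan, interface) for requests awaiting an ACK
        self.err_disabled = set()
        self.counts = {}        # port -> DHCP messages seen in the current one-second window

    def new_interval(self):
        """Start a new one-second window for the rate limit."""
        self.counts.clear()

    def errdisable_recover(self, port):
        """Models 'errdisable recovery cause dhcp-rate-limit' firing (or a manual shut/no shut)."""
        self.err_disabled.discard(port)

    def process(self, msg):
        """Return (action, reason) for one DHCP message."""
        port = msg.in_port
        if port in self.err_disabled:
            return "drop", "interface is err-disabled"
        if port in self.trusted:
            # Trusted ports are not inspected, but server replies still populate the binding table.
            if msg.msg_type == "ACK" and msg.client_mac in self.pending:
                vlan, iface = self.pending.pop(msg.client_mac)
                self.binding[msg.client_mac] = {"ip": msg.your_ip, "lease": msg.lease,
                                                "vlan": vlan, "interface": iface}
            return "forward", "trusted port"
        # Untrusted port: rate limit first, counting every DHCP message.
        self.counts[port] = self.counts.get(port, 0) + 1
        if self.counts[port] > self.rate_limits.get(port, float("inf")):
            self.err_disabled.add(port)
            return "drop", "rate limit exceeded: interface err-disabled"
        if msg.msg_type in SERVER_MESSAGES:
            return "drop", "server message on untrusted port (rogue DHCP server)"
        if msg.option82:
            return "drop", "option 82 present on untrusted port (default behaviour)"
        if msg.src_mac != msg.client_mac:
            return "drop", "chaddr does not match Ethernet source MAC"
        if msg.msg_type == "RELEASE":
            entry = self.binding.get(msg.client_mac)
            if entry is None or entry["interface"] != port:
                return "drop", "release from an interface without a matching binding"
            del self.binding[msg.client_mac]
        elif msg.msg_type in ("DISCOVER", "REQUEST"):
            self.pending[msg.client_mac] = (msg.vlan, port)
        return "forward", "passed DHCP snooping checks"


if __name__ == "__main__":
    sw = DhcpSnooping(TRUSTED_PORTS, RATE_LIMITS)
    print(sw.process(DhcpMessage("Gi0/2", 1, "OFFER", "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", "192.168.1.50")))
    print(sw.process(DhcpMessage("Gi0/1", 1, "REQUEST", "aaaa.aaaa.aaaa", "aaaa.aaaa.aaaa")))
    print(sw.process(DhcpMessage("Gi0/0", 1, "ACK", "aaaa.aaaa.aaaa", "cccc.cccc.cccc", "192.168.1.50", 86400)))
    print(sw.binding)
```

Walking a DISCOVER/REQUEST through on an untrusted port and the ACK back through the trusted port is what fills the table that "show ip dhcp snooping binding" displays, and it is the same table DAI consults in the section above; the RELEASE check shows why the interface column matters, since a release has to come from the port that holds the binding.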
