Netgate Discussion Forum

    Allow facebook messenger application in phone and laptop.

      romarinas

      Hi Master,

      I already blocked Facebook but I can't login to messenger. I already allowed this dns in whitelist;
      .apps.facebook.com
      .orcart.facebook.com
      .fbstatic-a.akamaihd.net
      .api.facebook.com
      .orcart.facebook.com
      .fbexternal-a.akamaihd.net
      .fbcdn-profile-a.akamaihd.net
      .graph.facebook.com
      .static.xx.fbcdn.net # 123
      .scontent.xx.fbcdn.net # CNAME for (static.xx.fbcdn.net)
      .edge-mqtt.facebook.com # mssg
      .mqtt.c10r.facebook.com # CNAME for (edge-mqtt.facebook.com

      but still the problem persists. Seeking your help.

        michmoor LAYER 8 Rebel Alliance @romarinas

        @romarinas confused. You don’t want .Facebook.com but you do want to use messenger app?
        If you want to make an exception for a single machine on your LAN then you can use python mode. That IP will be able to be sinkholed tho

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

          Gertjan @michmoor

          @michmoor said in Allow facebook messenger application in phone and laptop.:

          If you want to make an exception for a single machine on your LAN then you can use python mode. That IP will be able to be sinkholed tho

          That 'was' the good advice.
          Then this popped up : Problem with Python Group Policy - Cached Domains

          The device member of the Policy list will bypass pfBlockerNG.
          The requested host name will be resolved.
          This host name will be stored in the unbound cache ....
          And now it's available for all other, non policy listed devices also, as pfBlockerNG can stop the resolving, not serving from the unbound DNS cache.

          @romarinas said in Allow facebook messenger application in phone and laptop.:

          I already blocked Facebook but I can't login to messenger. I already allowed this dns in whitelist;

          Don't stop there !
          You have the IP of the device on which messenger is running.
          Use pfSense : packet capturing, and get these DNS (and other ?) packets and see what it is asking for.
          It didn't get it, so no login.

          Btw : probably it's asking for *.facebook.com as "blocking facebook" but permitting "messenger" is like asking for apples, but you've cut down the apple tree ^^

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??
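
Added example, not part of the original posts: one way to act on the packet-capture advice above is to list the names the Messenger device queried and flag those the whitelist does not cover. The client IP `192.168.1.50`, the capture lines and the helper names are constructed for illustration, and the leading-dot rule (entry covers the domain and its subdomains) is an assumption about the whitelist syntax.

```python
import re

# Whitelist entries from the thread's first post (subset, '#' comments dropped).
# Assumption: a leading dot covers the domain and all of its subdomains.
WHITELIST = [".api.facebook.com", ".graph.facebook.com",
             ".edge-mqtt.facebook.com", ".mqtt.c10r.facebook.com"]

# Constructed sample in tcpdump text form. Addresses and queried names are
# built for this example; they are not a record of what Messenger queries.
CAPTURE = """\
10:15:01.100201 IP 192.168.1.50.51234 > 192.168.1.1.53: 4660+ A? edge-mqtt.facebook.com. (40)
10:15:01.100950 IP 192.168.1.50.51235 > 192.168.1.1.53: 4661+ AAAA? edge-mqtt.facebook.com. (40)
10:15:01.230114 IP 192.168.1.50.40112 > 192.168.1.1.53: 4662+ A? www.facebook.com. (34)
10:15:01.411872 IP 192.168.1.77.40999 > 192.168.1.1.53: 9001+ A? example.org. (29)
10:15:02.000412 IP 192.168.1.50.40113 > 192.168.1.1.53: 4663+ A? b-graph.facebook.com. (38)
10:15:02.000980 IP 192.168.1.1.53 > 192.168.1.50.40113: 4663 1/0/0 A 192.0.2.10 (54)
"""

# Matches queries sent to port 53: source IP, record type, queried name.
QUERY = re.compile(r" IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.53: \d+\S* (?:\[\w+\] )?(\w+)\? (\S+?)\.? \(")

def queried_names(capture, client_ip):
    """Return the distinct names client_ip asked for, in first-seen order."""
    names = []
    for line in capture.splitlines():
        m = QUERY.search(line)
        if m and m.group(1) == client_ip:
            name = m.group(3).lower()
            if name not in names:
                names.append(name)
    return names

def covered(name, whitelist):
    """True if name equals an entry or sits under a leading-dot entry."""
    for entry in whitelist:
        base = entry.lstrip(".").lower()
        # Compare on a label boundary so "b-graph" does not match ".graph".
        if name == base or (entry.startswith(".") and name.endswith("." + base)):
            return True
    return False

def missing_from_whitelist(capture, client_ip, whitelist):
    return [n for n in queried_names(capture, client_ip) if not covered(n, whitelist)]

if __name__ == "__main__":
    for name in missing_from_whitelist(CAPTURE, "192.168.1.50", WHITELIST):
        print("queried but not whitelisted:", name)
```
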

            michmoor LAYER 8 Rebel Alliance @Gertjan

            @Gertjan said in Allow facebook messenger application in phone and laptop.:

            And now it's available for all other, non policy listed devices also, as pfBlockerNG can stop the resolving, not serving from the unbound DNS cache.

            I had no idea about this. Interesting......

              michmoor LAYER 8 Rebel Alliance @michmoor

              @Gertjan Without modifying the TTL like you did it makes python group whitelisting kinda pointless.....

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.