How to block facebook???

remiki

Thank you, but can't you help me about HAVP????  or if by giving just some Focus cuz i'm a new commer in PFSENSE.
i mean, Wich Option can i start???

System
Interfaces
Firewall
Services
VPN
Status
Diagnostics

by there i can understand how to go on

Cmellons

Use the system tab and click packages. Then press ctrl F and type what you want to look for and this would be HAVP. Click the + sign to install the package. There are so many good packages for Pfsense as you can see but the problem will always be how difficult it is to set up. I would really recommend that you get the new Pfsense 2.1 handbook. Also, from what most tell me, for now just always choose something that is a stable release. When you get more advanced and confident then go for the betas. Another package that would be fun to try is called Pfblocker and this program works very similar to peerguardian and you can find websites to  add your own blocklists or you can just use the defaults. I would just stay with the simple packages for now. Basically, when choosing packages, think about something that may suit your needs.

Another more simple way to do things is just ping whatever site that you don't want to be accessed and get the IP.
Then in pfsense just go to Firewall rules and make a rule like this:

Interface LAN , Protocol ANY, Source Lan Subnet, Destination Single HOST or IP address and type in the IP address and at the bottom click save.

Also you need to understand how firewall rules work. The rules always work in order meaning that if right now you have the Default antilockout rule and the Allow Lan to any rule(Please change that for your firewall.). The block rule that you create will have to go in between them. I would also suggest looking at this basic configuration to get you started because a firewall is no good without good rules so just follow exactly what it says. https://doc.pfsense.org/index.php/Example_basic_configuration

Finger79

Another way is to do it at the DNS level.  Sign up for an OpenDNS account, block Facebook, and point your pfSense DNS to OpenDNS servers (and disallow WAN overwrite).  If you want to also take it to the next level, block all outbound traffic to TCP/UDP 53 and also allow all local DNS requests to pfSense.

– or --

I searched around the Web for Facebook's IP range and found a decent list.  For me, I wanted to "Allow" Facebook for myself, but you can use the same Alias and simply deny access to those IPs.  Here's my list right now:

31.13.24.0/21
31.13.64.0/24
31.13.65.0/24
31.13.66.0/24
31.13.67.0/24
31.13.68.0/24
31.13.69.0/24
31.13.70.0/24
31.13.71.0/24
31.13.72.0/24
31.13.73.0/24
31.13.74.0/24
31.13.75.0/24
31.13.76.0/24
31.13.77.0/24
31.13.78.0/24
31.13.79.0/24
31.13.80.0/24
31.13.82.0/24
31.13.83.0/24
31.13.84.0/24
31.13.85.0/24
31.13.87.0/24
31.13.88.0/24
31.13.89.0/24
31.13.90.0/24
31.13.91.0/24
31.13.92.0/24
31.13.93.0/24
31.13.94.0/24
31.13.95.0/24
31.13.96.0/32
66.220.144.0/24
66.220.152.0/24
66.220.159.0/24
69.171.224.0/24
69.171.239.0/24
69.171.240.0/24
69.171.253.0/24
69.171.255.0/24
69.63.176.0/24
69.63.178.0/24
69.63.184.0/24
69.63.186.0/24
74.119.76.0/24
103.4.96.0/24
173.252.64.0/24
173.252.70.0/24
173.252.96.0/24
204.15.20.0/24

You can copy and paste that into a new "Facebook" alias (Click the button "Bulk import aliases from list") then make a rule on LAN interface and block all traffic to Facebook alias.

You can also try -- as others have suggested -- using various proxy type blocks and content filtering.

phil.davis

We get the current FaceBook list of subnets by running this on a Unix/Linux box in a cron job each day:

whois -h whois.radb.net -- '-i origin AS32934' | grep ^route | grep -v route6 | cut -d" " -f7 > /var/www/block_lists/facebook.txt

Then on pfSense(s) make a URL table alias that points to that the facebook.txt file, then use the alias in rules as needed.

The magic numbers for the "whois" are documented towards the bottom of this FaceBook developer page: https://developers.facebook.com/docs/ApplicationSecurity/

nothing

Why don't you use DNS forwarder and add DNS A record *.facebook.com to 127.0.0.1 for example?
To avoid using foreign DNS servers by the clients add a NAT rule to catch everything on TCP/UDP 53 and DNAT it to the pfsense box.
Much simpler and cleaner than using proxy I think :)

lsense

phil.davis is right, that's the proper solution.

@Finger79: IP lists may change

@nothing: it depends on how much your users are motivated. the can run their own local dns server for 'facebook.com' or just a put it in /etc/hosts or similar - i.e. no dns queries to your pfsense box.

Finger79

Is there a way to run this cron WHOIS job on the pfSense box itself (such as the "cron" package)?  Otherwise I'm stuck with a static alias with CIDR nets.

senser

@Finger79:

Is there a way to run this cron WHOIS job on the pfSense box itself (such as the "cron" package)?  Otherwise I'm stuck with a static alias with CIDR nets.

Yeah, the cron package adds a crontab editor to pfSense. AFAIK you'll also need some whois package from the freeBSD repository, at least on my nanoBSD 2.1 system there was no whois by default.

@nothing:

Why don't you use DNS forwarder and add DNS A record *.facebook.com to 127.0.0.1 for example?
To avoid using foreign DNS servers by the clients add a NAT rule to catch everything on TCP/UDP 53 and DNAT it to the pfsense box.
Much simpler and cleaner than using proxy I think :)

Clients may still have a useable DNS cache (eg in a public network). In my open wlan I use both options together.

senser

@phil: do url tables get updated on a regular basis? I mean.. assuming you run a cronjob to update the list, how would the table itself be updated? Currently I use the pfBlocker package to create the alias from the file, as you can select to update the alias on a regular basis.

(BTW, might be of value to someone: it is possible to specify a file:// url in the url table setup to create the list from a local txt file)

phil.davis

Looks like it is checked/updated at 12:30 each day - see screenshot. You could modify the frequency of that Cron job to whatever you want.

senser

Hmm THX! There even is an update frequency selector field in the url-table setup. It must have been hidden before! :P

Darkk

@phil.davis:

We get the current FaceBook list of subnets by running this on a Unix/Linux box in a cron job each day:

whois -h whois.radb.net -- '-i origin AS32934' | grep ^route | grep -v route6 | cut -d" " -f7 > /var/www/block_lists/facebook.txt

Then on pfSense(s) make a URL table alias that points to that the facebook.txt file, then use the alias in rules as needed.

The magic numbers for the "whois" are documented towards the bottom of this FaceBook developer page: https://developers.facebook.com/docs/ApplicationSecurity/

The above steps are brilliant!  With those IPs blocked at the firewall and keeping the blocks updated there is no way the clients can reach them regardless of what they do on their PCs.

killmasta93

phil.davis i just wanted to thank you amazing. On a side note im able to block it but is it possible to enable a whitelist? to allow myself?

Thank you

EDIT:

To allow certain users create an alias called allow then tick on host and enter the ip of the users that will have access.

then go to firewall–Rules--LAN and edit the facebook rule to the screen shot.

Hope this helps

almabes

@killmasta
If you can make a block rule, you can make an allow rule.  Just put your allow rule above the block rule on whatever interface your wanting to block facebook on.