How to block facebook???
-
Another way is to do it at the DNS level. Sign up for an OpenDNS account, block Facebook, and point your pfSense DNS to OpenDNS servers (and disallow WAN overwrite). If you want to also take it to the next level, block all outbound traffic to TCP/UDP 53 and also allow all local DNS requests to pfSense.
– or --
I searched around the Web for Facebook's IP range and found a decent list. For me, I wanted to "Allow" Facebook for myself, but you can use the same Alias and simply deny access to those IPs. Here's my list right now:
31.13.24.0/21
31.13.64.0/24
31.13.65.0/24
31.13.66.0/24
31.13.67.0/24
31.13.68.0/24
31.13.69.0/24
31.13.70.0/24
31.13.71.0/24
31.13.72.0/24
31.13.73.0/24
31.13.74.0/24
31.13.75.0/24
31.13.76.0/24
31.13.77.0/24
31.13.78.0/24
31.13.79.0/24
31.13.80.0/24
31.13.82.0/24
31.13.83.0/24
31.13.84.0/24
31.13.85.0/24
31.13.87.0/24
31.13.88.0/24
31.13.89.0/24
31.13.90.0/24
31.13.91.0/24
31.13.92.0/24
31.13.93.0/24
31.13.94.0/24
31.13.95.0/24
31.13.96.0/32
66.220.144.0/24
66.220.152.0/24
66.220.159.0/24
69.171.224.0/24
69.171.239.0/24
69.171.240.0/24
69.171.253.0/24
69.171.255.0/24
69.63.176.0/24
69.63.178.0/24
69.63.184.0/24
69.63.186.0/24
74.119.76.0/24
103.4.96.0/24
173.252.64.0/24
173.252.70.0/24
173.252.96.0/24
204.15.20.0/24
You can copy and paste that into a new "Facebook" alias (click the button "Bulk import aliases from list"), then make a rule on the LAN interface and block all traffic to the Facebook alias.
You can also try -- as others have suggested -- using various proxy type blocks and content filtering.
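Before switching on a block rule that uses a static alias like the one above, it is worth checking that the addresses your clients actually resolve fall inside the list, otherwise traffic slips past the rule. The following POSIX shell script is an added example, not code from the thread: it implements CIDR containment in shell arithmetic and looks an address up against a prefix list. The prefix list embedded in it is a constructed subset of the list posted above, and the function names (ip_to_int, in_cidr, covered_by_list) are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an IPv4 address falls
# inside one of the CIDR prefixes of an alias list. Function names are my own.

# Constructed subset of the alias list posted in the thread.
ALIAS_LIST='31.13.24.0/21
31.13.71.0/24
66.220.144.0/24
173.252.64.0/24'

# ip_to_int: dotted-quad IPv4 address -> unsigned 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1           # split the address into its four octets
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP PREFIX: succeed (exit 0) when IP lies inside PREFIX (a.b.c.d/nn)
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    # build the netmask; /0 is special-cased because a 32-bit shift is undefined
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# covered_by_list IP: read prefixes (one per line) from stdin and print the
# first one that covers IP; exit 1 when nothing matches.
# Blank lines and '#' comment lines are skipped.
covered_by_list() {
    while IFS= read -r prefix; do
        case "$prefix" in ''|'#'*) continue ;; esac
        if in_cidr "$1" "$prefix"; then
            echo "$prefix"
            return 0
        fi
    done
    return 1
}

# Example run (the addresses are constructed):
#   printf '%s\n' "$ALIAS_LIST" | covered_by_list 31.13.71.36   # prints 31.13.71.0/24
#   printf '%s\n' "$ALIAS_LIST" | covered_by_list 8.8.8.8       # no output, exit 1
```

In practice you would feed it the addresses a client sees, for example each result of `dig +short www.facebook.com A`, against the alias file; any address that comes back uncovered is one the LAN block rule will not catch.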
-
We get the current FaceBook list of subnets by running this on a Unix/Linux box in a cron job each day:
whois -h whois.radb.net -- '-i origin AS32934' | grep ^route | grep -v route6 | cut -d" " -f7 > /var/www/block_lists/facebook.txt
Then on the pfSense box(es) make a URL table alias that points to that facebook.txt file, and use the alias in rules as needed.
The magic numbers for the "whois" are documented towards the bottom of this FaceBook developer page: https://developers.facebook.com/docs/ApplicationSecurity/
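A more defensive version of the cron step above, as an added example (not the poster's script): it takes the whois output on stdin, keeps only IPv4 route objects using awk so the exact column spacing of the whois server does not matter, validates every prefix before it is published, writes the file atomically, and refuses to replace an existing list with an empty one. That last check matters because the one-liner above overwrites facebook.txt unconditionally, so a failed or rate-limited whois lookup would publish an empty file and the URL table alias would silently stop blocking at its next refresh. The sample whois text is constructed, the function names are my own, and the output path is the one from the post.

```shell
#!/bin/sh
# Added example (not the poster's script): build a validated IPv4 prefix list
# for a pfSense URL table alias from RADB whois output. Function names are my own.

# Constructed sample of what `whois -h whois.radb.net -- '-i origin AS32934'`
# prints (a few objects only; the real output is much longer and includes a
# duplicate object and a route6 object here on purpose).
SAMPLE_WHOIS='route:          31.13.24.0/21
descr:          Facebook
origin:         AS32934
source:         RADB

route6:         2a03:2880::/32
descr:          Facebook
origin:         AS32934
source:         RADB

route:          31.13.64.0/24
origin:         AS32934
source:         RADB

route:          31.13.24.0/21
origin:         AS32934
source:         RADB
'

# extract_v4_routes: read whois output on stdin, print unique validated IPv4 CIDRs.
# Only "route:" attributes are kept (so "route6:" is excluded), the value is taken
# as the second whitespace-separated field so padding does not matter, and each
# candidate must be a.b.c.d/nn with octets 0-255 and a prefix length 0-32.
extract_v4_routes() {
    awk '
        $1 == "route:" && NF >= 2 {
            split($2, parts, "/")
            if (parts[2] == "" || parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32) next
            n = split(parts[1], o, ".")
            if (n != 4) next
            ok = 1
            for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok) print $2
        }
    ' | sort -u
}

# publish_list OUTFILE: write stdin to OUTFILE atomically (temp file + rename),
# and refuse to publish an empty list so a failed whois lookup can never clear
# the firewall alias on its next URL table refresh.
publish_list() {
    outfile="$1"
    tmp="$outfile.tmp.$$"
    cat > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "refusing to publish empty prefix list, keeping $outfile" >&2
        return 1
    fi
    mv "$tmp" "$outfile"
}

# Daily cron run (needs network; path is the one from the thread):
#   whois -h whois.radb.net -- '-i origin AS32934' \
#       | extract_v4_routes | publish_list /var/www/block_lists/facebook.txt
```

Because `mv` within the same filesystem replaces the file in one step, the pfSense URL table fetch can never read a half-written list, and a non-zero exit from publish_list is what you would alert on from cron.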
-
Why don't you use the DNS forwarder and add a DNS A record *.facebook.com to 127.0.0.1, for example?
To avoid the clients using foreign DNS servers, add a NAT rule to catch everything on TCP/UDP 53 and DNAT it to the pfSense box.
Much simpler and cleaner than using a proxy I think :)
-
Is there a way to run this cron WHOIS job on the pfSense box itself (such as the "cron" package)? Otherwise I'm stuck with a static alias with CIDR nets.
-
Is there a way to run this cron WHOIS job on the pfSense box itself (such as the "cron" package)? Otherwise I'm stuck with a static alias with CIDR nets.
Yeah, the cron package adds a crontab editor to pfSense. AFAIK you'll also need some whois package from the FreeBSD repository; at least on my NanoBSD 2.1 system there was no whois by default.
Why don't you use the DNS forwarder and add a DNS A record *.facebook.com to 127.0.0.1, for example?
To avoid the clients using foreign DNS servers, add a NAT rule to catch everything on TCP/UDP 53 and DNAT it to the pfSense box.
Much simpler and cleaner than using a proxy I think :)
Clients may still have a usable DNS cache (e.g. in a public network). In my open WLAN I use both options together.
-
@phil: do URL tables get updated on a regular basis? I mean, assuming you run a cron job to update the list, how would the table itself be updated? Currently I use the pfBlocker package to create the alias from the file, as you can select to update the alias on a regular basis.
(BTW, might be of value to someone: it is possible to specify a file:// url in the url table setup to create the list from a local txt file)
-
Looks like it is checked/updated at 12:30 each day - see screenshot. You could modify the frequency of that Cron job to whatever you want.
-
Hmm, THX! There even is an update frequency selector field in the URL table setup. It must have been hidden before! :P
-
We get the current FaceBook list of subnets by running this on a Unix/Linux box in a cron job each day:
whois -h whois.radb.net -- '-i origin AS32934' | grep ^route | grep -v route6 | cut -d" " -f7 > /var/www/block_lists/facebook.txt
Then on the pfSense box(es) make a URL table alias that points to that facebook.txt file, and use the alias in rules as needed.
The magic numbers for the "whois" are documented towards the bottom of this FaceBook developer page: https://developers.facebook.com/docs/ApplicationSecurity/
The above steps are brilliant! With those IPs blocked at the firewall and the blocks kept updated, there is no way the clients can reach them regardless of what they do on their PCs.
-
phil.davis, I just wanted to thank you, amazing. On a side note, I'm able to block it, but is it possible to enable a whitelist, to allow myself?
Thank you
EDIT:
To allow certain users, create an alias called "allow", then tick "host" and enter the IPs of the users that will have access.
Then go to Firewall > Rules > LAN and edit the Facebook rule as in the screenshot.
Hope this helps
-
@killmasta
If you can make a block rule, you can make an allow rule. Just put your allow rule above the block rule on whatever interface you're wanting to block Facebook on.