    How to block facebook???

    phil.davis

      We get the current FaceBook list of subnets by running this on a Unix/Linux box in a cron job each day:

      whois -h whois.radb.net -- '-i origin AS32934' | awk '$1 == "route:" { print $2 }' > /var/www/block_lists/facebook.txt

      Then on the pfSense box(es) make a URL table alias that points to the facebook.txt file, then use the alias in rules as needed.

      The magic numbers for the "whois" are documented towards the bottom of this FaceBook developer page: https://developers.facebook.com/docs/ApplicationSecurity/

      [Screenshots: Facebook-01.png, Facebook-02.png]

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

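An added example, not code from phil.davis or the thread: a POSIX shell script that turns RADb whois output for an origin AS into a validated IPv4 prefix list for the URL table alias, and refuses to publish an empty list if the whois lookup fails. whois.radb.net, AS32934 and the /var/www/block_lists/facebook.txt path are from the thread; the function names and the sample whois output are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): build a URL-table-ready prefix list
# from RADb whois output. whois.radb.net / AS32934 / the output path are from
# the thread; the function names and sample data below are assumed.

# Keep only "route:" objects (drops route6: IPv6 prefixes and every other key),
# take the prefix by field rather than by column, and sanity-check it as
# a.b.c.d/len so a stray line never reaches the alias file.
extract_ipv4_routes() {
    awk '$1 == "route:" { print $2 }' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
    | sort -u
}

# Fetch the live list for one origin AS and replace the published file atomically.
# Usage: publish_routes AS32934 /var/www/block_lists/facebook.txt
publish_routes() {
    asn=$1; out=$2; tmp="${out}.tmp.$$"
    whois -h whois.radb.net -- "-i origin $asn" | extract_ipv4_routes > "$tmp"
    # Never publish an empty list: a failed whois would otherwise clear the
    # alias (and the block) at the next URL table refresh.
    if [ -s "$tmp" ]; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "no routes returned for $asn; keeping previous $out" >&2
        return 1
    fi
}

# Constructed RADb-style output for an offline self-check (documentation
# prefixes, not real registry data).
SAMPLE_WHOIS='route:          203.0.113.0/24
descr:          EXAMPLE-NET
origin:         AS64496
route6:         2001:db8::/32
route:          198.51.100.0/25
route:          198.51.100.0/25
route:          not-a-prefix
'

# Runs the parser over the constructed sample; expected: two unique prefixes.
sample_routes() {
    printf '%s' "$SAMPLE_WHOIS" | extract_ipv4_routes
}
```

Run publish_routes from the daily cron job in place of the one-liner; the URL table alias on pfSense then picks up the refreshed file on its own schedule.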
      nothing

        Why don't you use the DNS forwarder and add a DNS A record for *.facebook.com pointing to 127.0.0.1, for example?
        To avoid clients using foreign DNS servers, add a NAT rule to catch everything on TCP/UDP 53 and DNAT it to the pfSense box.
        Much simpler and cleaner than using a proxy, I think :)

        lsense

          phil.davis is right, that's the proper solution.

          @Finger79: IP lists may change

          @nothing: it depends on how motivated your users are. They can run their own local DNS server for 'facebook.com' or just put it in /etc/hosts or similar, i.e. no DNS queries to your pfSense box.

          Finger79

            Is there a way to run this cron WHOIS job on the pfSense box itself (such as the "cron" package)?  Otherwise I'm stuck with a static alias with CIDR nets.

            senser

              @Finger79:

              Is there a way to run this cron WHOIS job on the pfSense box itself (such as the "cron" package)?  Otherwise I'm stuck with a static alias with CIDR nets.

              Yeah, the cron package adds a crontab editor to pfSense. AFAIK you'll also need some whois package from the FreeBSD repository; at least on my NanoBSD 2.1 system there was no whois by default.

              @nothing:

              Why don't you use the DNS forwarder and add a DNS A record for *.facebook.com pointing to 127.0.0.1, for example?
              To avoid clients using foreign DNS servers, add a NAT rule to catch everything on TCP/UDP 53 and DNAT it to the pfSense box.
              Much simpler and cleaner than using a proxy, I think :)

              Clients may still have a usable DNS cache (e.g. in a public network). In my open WLAN I use both options together.

              We use the mighty pf, we cannot be fooled.

              senser

                @phil: do URL tables get updated on a regular basis? I mean, assuming you run a cron job to update the list, how would the table itself be updated? Currently I use the pfBlocker package to create the alias from the file, as you can select to update the alias on a regular basis.

                (BTW, might be of value to someone: it is possible to specify a file:// url in the url table setup to create the list from a local txt file)


                phil.davis

                  Looks like it is checked/updated at 12:30 each day - see screenshot. You could modify the frequency of that Cron job to whatever you want.

                  [Screenshot: Cron-table.png]


                  senser

                    Hmm, THX! There even is an update frequency selector field in the URL table setup. It must have been hidden before! :P


                    Darkk

                      @phil.davis:

                      We get the current FaceBook list of subnets by running this on a Unix/Linux box in a cron job each day:

                      whois -h whois.radb.net -- '-i origin AS32934' | awk '$1 == "route:" { print $2 }' > /var/www/block_lists/facebook.txt

                      Then on the pfSense box(es) make a URL table alias that points to the facebook.txt file, then use the alias in rules as needed.

                      The magic numbers for the "whois" are documented towards the bottom of this FaceBook developer page: https://developers.facebook.com/docs/ApplicationSecurity/

                      The above steps are brilliant!  With those IPs blocked at the firewall and keeping the blocks updated there is no way the clients can reach them regardless of what they do on their PCs.

                      killmasta93

                        phil.davis, I just wanted to thank you, amazing. On a side note, I'm able to block it, but is it possible to enable a whitelist, to allow myself?

                        Thank you

                        EDIT:

                        To allow certain users, create an alias called allow, then tick Host and enter the IPs of the users that will have access.

                        Then go to Firewall > Rules > LAN and edit the facebook rule as in the screenshot.

                        Hope this helps

                        [Screenshots: Clipboarder.2015.04.26-006.png, Clipboarder.2015.04.26-008.png]

                        Tutorials:

                        https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

                        almabes

                          @killmasta
                          If you can make a block rule, you can make an allow rule.  Just put your allow rule above the block rule on whatever interface you're wanting to block facebook on.
