PfBlockerNG and facebook - whoops



  • I had a pfBlockerNG IPv4 alias set up on my pfSense that enabled me to selectively block certain IPs from accessing Facebook - or rather, block everyone and allow certain IPs through by defining a floating rule.

    After upgrading to 2.3.2 I got loads of errors about an alias not being defined and problems finding files in pfBlockerNG, so I wiped the package and reinstalled it, not remembering the settings.

    Like an idiot I didn't keep a note of the source URL for finding the current Facebook IP addresses, and I can't exactly recall how I set it up originally. Is there a pointer somewhere? I must have got the above from a tutorial or another thread somewhere, and searching hasn't helped!

    many thanks
    Rob



  • Try blocking Facebook by ASN:

    AS63293
    AS54115
    AS32934

    Add one per IPv4 source line and give each a unique header.
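The "block by ASN" suggestion above works because pfBlockerNG resolves each ASN to the prefixes that route-registry objects say the ASN originates. As an added example (not part of the original thread, and not pfBlockerNG's own code), the script below does that resolution by hand, so you can see what the list actually contains before trusting it, merges overlapping prefixes, and flags an ASN that returns no route objects at all, which is exactly the case where pfBlockerNG would otherwise be fed an empty file. The embedded whois output is constructed sample text using documentation prefixes, not live data; the optional `radb_lookup` helper assumes a standard `whois` client is installed and is the only part that touches the network.

```python
"""Resolve origin ASNs to IPv4 prefixes, RADb style, and emit a pfBlockerNG custom list.

Added example for the forum thread above; not pfBlockerNG's own code.
"""
import ipaddress
import re
import subprocess

# Constructed sample of what `whois -h whois.radb.net -- '-i origin AS32934'`
# returns. Prefixes are RFC 5737 documentation ranges, NOT real Facebook space.
SAMPLE_WHOIS = {
    "AS32934": """route:      203.0.113.0/24
descr:      constructed sample
origin:     AS32934
source:     RADB

route:      203.0.113.0/25
origin:     AS32934
source:     RADB

route:      198.51.100.0/24
origin:     AS32934
source:     RADB
""",
    "AS54115": """route:      192.0.2.0/24
origin:     AS54115
source:     RADB
""",
    # An ASN with no route objects: this is the "Empty file" case from the thread.
    "AS63293": "%  No entries found for the selected source(s).\n",
}

ROUTE_RE = re.compile(r"^route:\s*(\S+)\s*$", re.MULTILINE)


def parse_routes(text):
    """Return the IPv4 networks from RADb 'route:' lines, skipping anything unparsable."""
    nets = []
    for match in ROUTE_RE.finditer(text):
        try:
            net = ipaddress.ip_network(match.group(1), strict=False)
        except ValueError:
            continue  # malformed object; do not let it poison the list
        if net.version == 4:
            nets.append(net)
    return nets


def radb_lookup(asn):
    """Live lookup via the whois client (assumption: `whois` is installed). Not used offline."""
    out = subprocess.run(
        ["whois", "-h", "whois.radb.net", "--", f"-i origin {asn}"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


def build_list(asns, lookup):
    """Collect prefixes for every ASN, collapse overlaps, and report ASNs that came back empty."""
    all_nets, empty = [], []
    for asn in asns:
        nets = parse_routes(lookup(asn))
        if not nets:
            empty.append(asn)
        all_nets.extend(nets)
    # collapse_addresses() drops 203.0.113.0/25 because /24 already covers it.
    collapsed = sorted(ipaddress.collapse_addresses(all_nets))
    return [str(n) for n in collapsed], empty


def render(prefixes, header="Whoisfb"):
    """pfBlockerNG custom-list format: one CIDR per line; '#' lines are comments."""
    lines = [f"# {header}: {len(prefixes)} prefixes"]
    lines.extend(prefixes)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    asns = ["AS32934", "AS54115", "AS63293"]
    # Swap `lookup` for `radb_lookup` to run this against the live registry.
    prefixes, empty = build_list(asns, lambda a: SAMPLE_WHOIS.get(a, ""))
    print(render(prefixes), end="")
    for asn in empty:
        print(f"# warning: {asn} returned no route objects")
```

Review the rendered list before loading it: registry data is self-declared by the network operator, so an ASN can carry stale or overly broad route objects, and a prefix that the ASN no longer announces will still be blocked until the list is refreshed.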



  • For future searches, and also in case anyone wants to comment, here is the pfBlockerNG IPv4 setup screen that I ended up with that blocked Facebook.

    I also added a floating rule to allow certain users access, which so far seems to be working OK.






  • @robatwork:

    For future searches, and also in case anyone wants to comment, here is the pfBlockerNG IPv4 setup screen that I ended up with that blocked Facebook.

    I also added a floating rule to allow certain users access, which so far seems to be working OK.

    FYI, you can set it to Deny Outbound for internet traffic; selecting both just adds overhead.



  • @tonymorella:

    FYI, you can set it to Deny Outbound for internet traffic; selecting both just adds overhead.

    Thanks for the reply, Tony. I did (idly) wonder about that when setting it up - this way I am protected from all those evil Facebook employees planning to hack my firewall :D

    The hardware I have pfSense on is pretty modern - an AMD FX™-4350 Quad-Core Processor on a gaming-spec motherboard with an SSD - and it never gets overloaded or too warm (gotta love that dashboard!).


  • Moderator

    You only need to add rules on the WAN (Inbound) if you have open WAN ports… and it's best to only protect those ports... You can use the Adv. Inbound Rule Settings for that also...

    pfSense is a stateful firewall by design... So by default everything is an implicit deny on the WAN... and only a request outbound from the LAN will create a firewall state entry that allows the reply back through the firewall on the WAN...



  • @BBcan177:

    You only need to add rules on the WAN (Inbound) if you have open WAN ports… and it's best to only protect those ports... You can use the Adv. Inbound Rule Settings for that also...

    pfSense is a stateful firewall by design... So by default everything is an implicit deny on the WAN... and only a request outbound from the LAN will create a firewall state entry that allows the reply back through the firewall on the WAN...

    I do have some open ports forwarded - admittedly restricted to a few selected IP addresses with an alias.
    Thanks.



  • Does this mean Facebook no longer uses AS63293? Or is it just temporarily not listing IPs?

    [ Whoisfb2 ] Downloading update .. completed ..
      Empty file, Adding '1.1.1.1' to avoid download failure.



  • My boss wants to allow Facebook, and this info helps a lot.

    I've set up the IPv4 rule in pfBlockerNG as presented earlier (thanks), but I'm not getting all the pictures.

    I do have a couple of questions:

    1)  Are my changes supposed to take effect when I force an update, or only when I reboot? (I seem to get different results at times.)
    2)  Should I permit Outbound only, or Both?
    3)  Should I allow the IPv6 range for Facebook? See http://bgp.he.net/search?search[search]=facebook&commit=Search for the list.

    I have tried all the above, but still missing a lot of pictures.

    Facebook does work fine when I disable pfBlockerNG.

    P.S.  I've also turned on the Alexa 1k whitelist… perhaps bumping that up would help? But at what cost?