Not able to block facebook website

rajukarthik

Hi Team,

I had blocked www.facebook.com by adding url in the alias and then added that alias in the Firewall rule.![alt text] fb community.png
Screenshot of Firewall rule is attached below. fb rule1.png
fb rule2.png .

For sometimes Facebook was blocked but later it has become accessible.

Kindly advise me to block the websites permanently.

Thanks in advance.
Regards,
Karthik

jrey

@rajukarthik

https://forum.netgate.com/topic/115580/using-pfblockerng-for-blocking-facebook-and-google

rajukarthik

@jrey I tried it but still facebook is accessible. Could you please help.

jrey

@rajukarthik

did you force reload the DNSBL after making the list
is your client (web browser) using the NetGate as the DNS?
You may need to flush the DNS cache on the client if applicable.

what is the client ?

What happens from the NG if you do a DNS Lookup from the Diagnostics menu? if you have entered "facebook.com" on the custom DNSBL list. try both facebook.com and www.facebook.com
both should show 0.0.0.0 as the address

What happens from a client (do an nslookup or dig) it will tell you what server is replying to the client's DNS request. it should be the Netgate.

sample result from a client using dig. definitely blocked.

Non-authoritative answer:
Name:	www.facebook.com
Address: 0.0.0.0
** server can't find www.facebook.com: SERVFAIL

from a firefox browser on the same box.
Screen Shot 2023-11-17 at 8.41.56 AM.png

and finally on the NG Dashboard (DNSBL_Socials) is the custom list I added for testing. it contains the custom entry of "facebook.com"

Screen Shot 2023-11-17 at 8.02.22 AM.png

show us your config.

rajukarthik

@jrey Sorry for late reply, I was on long leave.
Actually im new to PFSense so could you please help me to find how to check if my clients are using Netgate as DNS

jrey

@rajukarthik
How do your clients get their IP address, are they DHCP assigned? Static?

The DNS server the client uses is generally assigned in that setup.

from above:

What happens from the NG if you do a DNS Lookup from the Diagnostics menu? if you have entered "facebook.com" on the custom DNSBL list. try both facebook.com and www.facebook.com
both should show 0.0.0.0 as the address

What happens from a client (do an nslookup or dig) it will tell you what server is replying to the client's DNS request. it should be the Netgate.

rajukarthik

@jrey Clients are dhcp assigned from cisco router.

Please find the screenshots below,

jrey

@rajukarthik

Okay so in the case of the netgate the response is coming from google. (8.8.8.8) that response won't go through the DNSBL

From the client (a windows box it appears) the response is coming from RT-AX3000-4B90 (192.168.50.1) what device is that? IF this is your Netgate share the settings you have for the DNS Resolver

You likely just need to reconfigure DNS so that your Netgate is in the line and able to resolve addresses, without the direct responses from other DNS servers - a SERVFAIL will allow the others DNS to provide the answer and therefore by pass the DNSBL if they are available

Diagnostics -> Command Prompt (enter the following command)

dig facebook.com

what do you get ?

NogBadTheBad

@jrey It could be the clients are doing DNS over HTTPS.

It might be better using pfBlocker, using Facebooks ASN numbers and creating an alias to use in a firewall rule outbound.

Screenshot 2023-11-22 at 14.50.43.png

Screenshot 2023-11-22 at 14.50.56.png

jrey

@NogBadTheBad

could be, but that wasn't the question, and
the plain DNS response shown thus far are all standard DNS responses

on a properly configured system even if a client asks for a specific external server for the answer - the result should be DNSBL

@LUBUNTU:~$ dig @8.8.8.8 facebook.com

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> @8.8.8.8 facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23049
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;facebook.com.                  IN      A

;; ANSWER SECTION:
facebook.com.           60      IN      A       0.0.0.0

;; Query time: 44 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed Nov 22 09:40:41 EST 2023
;; MSG SIZE  rcvd: 57

So even though dig on the client "thinks" server 8.8.8.8 responded, it did not.

DNSBL-python,Nov 22 09:29:30,facebook.com,127.0.0.1,HSTS_A,TLD_A,DNSBL_Socials,facebook.com,Socials_custom,+

NogBadTheBad

@jrey Not denying that

JonathanLee

Other options you can use..

You can use Snort with an open AppID custom text rule for Facebook and just set it to block.

Or my favorite Squidguard with Squid and add Facebook to the block list. But Squid is not really recommended because of it's level of complexity.

Gertjan

@rajukarthik said in Not able to block facebook website:

@jrey I tried it but still facebook is accessible. Could you please help

I can and will help.

I just tried what has been said in the other thread, notably by BBcan177, author of pfBlockerng.
As I have pfBlockerng installed, it tried blocking using "ASN".

I've created :

And saved.
And reloaded the config.

I knew "ASN" is just a list of IP networks, so I wasn't surprised to see this :

and it did't take long.
You had to be there to believe it : some one was already yelling in the buidling that 'Whatapp" stopped working.

Btw : my Whatapp phone app showed me this :

So, sorry @rajukarthik I disagree.
"It works for me ...".
Please tell us what you did.
Or check what I did - I've posted images, and happy to post more details.

edit : and now they come to me ..... I'll better undo this "ASN 32934" blocking fast, as I don't want to sleep in the dog house this evening.

jrey

Of course blocking the ASN directly will work, but what happens when the OP chooses to add other DNSBL rules or features ?

Doesn't appear to me from what has been provided that the DNS path is correct and therefore any client will simply bypass whatever other features of DNSBL may be selected (now or in the future) not just facebook.
Maybe that's important / maybe not.

NogBadTheBad

@jrey said in Not able to block facebook website:

Of course blocking the ASN directly will work, but what happens when the OP chooses to add other DNSBL rules or features ?

If the OP was trying to block another ASN he could add it to his original pfblocker rule or just create a new alias and new firewall rule.

If you look at my example I block multiple ASN numbers.

The advantage of using pfblocker is its blocking the destination rather than a lookup of the destination

jrey

@NogBadTheBad

You're missing the point, I think -- what if the OP (who said he was new to pfSense) decides he wants to block (say for example ADs) by selecting another DNSBL list.

Last I checked ADs basic alone listed some 158,000+ items, are you suggesting that ASN is the only way to go ??? I suspect that is not the case you are trying to make.

Having a properly working DNS from client to resolution is critical. But you can certainly block facebook with the ASN and then wait for the next question of "I selected (x y or z) and it doesn't work, can you help me?"

Blocking the ASN will certainly work to just block facebook. Just doesn't seem to me to be the underlying question.

just like blocking "facebook.com" isn't all that is required to block facebook. Blocking only their specific ASN doesn't block them entirely either. They like most, also have IP space that is not in directly in their ASN block.

Twitter is really good at this, (not that facebook isn't) they have multiple domains that are embedded everywhere that aren't in any of the twitter registered ASN blocks.

None of the solutions is 100%, but surely we must agree that 0% on the dns front is less than ideal. For laughs I just checked one of the known twitter twit spaces and the IP is actually in the ASN for Akamai International.

Each to his own.

JonathanLee

@jrey Use Squid Proxy and splice it as transparent mode, install Squid guard and create a rule to block facebooks urls. Any get request will be blocked from the start. No need for DNS resolving it simply blocks the URL http get request. I suspect your DNS is being accessed with DoT DoH DNS over TLS, and many other experimental protocols. A great way to block is in the http get requests works 100% of the time. Just make it simple with transparent mode.

jrey

@JonathanLee

I think you are directing your response to the wrong person. I don't have any issue with blocking or DoT, DoH or DNS over TLS or blocking any url if or as required.

The OP on the other hand stated is just learning pfSense. Do you think that Squid Proxy and splice are the way to direct the OP to start, given that basic DNS traffic flow seems to be a challenge, from what has been provided.

But then on the other hand do you ever stop for a minute and wonder why your 2100 is so bloated ? or I think as you put it "I was bogged down so much I had to go back to the last stable version.".

Just because you can, doesn't mean you should or even need to.

https://forum.netgate.com/topic/184125/23-0-5-1-23-09-issues-sg210max?_=1700684164315

Rest assured it is not the device or 23.09. It is likely the laundry list of packages you are running, as listed the thread referenced.

I run 30-60 (varies, typical day ~40 (the arp table currently has 45 entries)) client systems behind a 2100 and although yes there has been a slight increase in Memory usage with 23.09 it is rarely above a 15% baseline, where under 23.05.1 was running around 12%

Screen Shot 2023-11-22 at 3.09.58 PM.png

Do whatever works for you. Suggesting more bloat likely not a good choice for most people.

JonathanLee

@jrey

I was unaware this user is just starting out. This user is having issues blocking items. I simply provided a different package option. Just simply show casing the other options. Yes I am still running 23.05.1 it's the most stable version I have seen. 23.29 has response time issues for my 2100 alongside Snort's core dump errors. Keep in mind avg memory utilization for me is 20-30% without ClamAV per TAC support I was told it runs better without ClamAV. I agree if DNS blocking is a problem to configure Squid would be very overwhelming. Snort's AppID would be very simple with use of text rules also however Snort on 23.29 does not currently work because of core dumps. It's not just me that has 23.29 issues some packages like Snort do also. If you run the system in bare bones I am sure 23.29 is fine, again, I like to push the 2100's limits because it can do it and has been. It might be Snort's core dumps that caused my issues.

The 2100 is amazing the size of it and all it can do... Wait until the Broadcom BCM2712 quad-core Arm Cortex A76 processor is put into something....Bloat will be nill.

rajukarthik

@jrey
RT-AX3000-4B90 is my wifi router. I had accessed Pfsense gui via VPN yesterday.
Now i have connected my laptop to the pfsense lan directly and posting the screenshots for your reference.

dig output.png

Also I have disabled DNS resolver in my PFsense firewall.
Screenshots for your reference.
I also request you to kindly let me know how to add website entries in dnsbl to block it. I feel I had made mistake in DNSBL entries too.

Thanks and Regards,
Karthik