Netgate Discussion Forum

    FB Alias Block

    Firewalling
    13 Posts 5 Posters 6.7k Views
      rustydusty1717

      I found a few threads on here regarding blocking FB. One of them looked to Squid. The other was to block the IPs used by FB. Figured I would try the IPs first before playing with Squid, since the firewall there has about 120 users on it. Anyways, here are screenshots of those rules I'm trying to make work.

      [Attached screenshots: fb1.JPG, fb2.JPG, fb3.JPG]

        rustydusty1717

        One of the rules is blocking the destination alias called "b", which is a few local IPs I've thrown in to test with, including my own.

        [Attached screenshot: fb5.JPG]

          rustydusty1717

          Anyone?

            francisuk22

            I have the same issues. The way I have done it is…

            Firewall > NAT > Rules

            Add

            Action: Reject
            Protocol: TCP/UDP
            Source: Type: the IP, for example 192.168.1.5/32 > this will stop 192.168.1.5 from having Facebook!
            Destination: Type: Network: 66.220.144.0/21
            Save

            Repeat for all the subnets that belong to Facebook. Subnets:
            http://bgp.he.net/AS32934#_prefixes

            Hit Apply Changes

            :P

            2.0.2-RELEASE (amd64) - Dell OptiPlex GX520 SFF @ Intel P4 HT 3.0GHz
            Cisco SR224 24-port Switch (4 PCs, 1 Wireless AP, 2 Consoles)

              rustydusty1717

              Tried that with a single host, still have access. That list of IPs that Facebook uses doesn't have the one I get on a ping request. When I ping facebook.com I get:

              173.252.100.16

                nobluescreen

                Why not proxy and blacklist facebook?

                  heper

                  @nobluescreen:

                  Why not proxy and blacklist facebook?

                  because a transparent proxy with Squid will only work with HTTP and NOT with HTTPS…

                  so basically, lots of folks have favorites/bookmarks that were created after they signed in... the bookmarks are on HTTPS | these bypass the transparent proxy

                    nobluescreen

                    @heper:

                    @nobluescreen:

                    Why not proxy and blacklist facebook?

                    because a transparent proxy with Squid will only work with HTTP and NOT with HTTPS…

                    so basically, lots of folks have favorites/bookmarks that were created after they signed in... the bookmarks are on HTTPS | these bypass the transparent proxy

                    My personal preference is to control web stuff with a proxy. There are ways to push out the proxy info to browsers through both DHCP and DNS. I would create a wpad file, take off transparent mode, and block all but the proxy from getting out; by default almost all browsers are set to auto-discover the proxy. It works for mobile users too, because the PAC script will only point them to your proxy if certain conditions are met, if you so choose. One example is: if they are on network x.x.x.x/x then proxy, otherwise go direct.

                    This is all said not knowing anything about your environment… if you explicitly define the proxy you can use it for all protocols including HTTPS. In my personal opinion a proxy is the best for blacklisting and managing web traffic. Again, this is not knowing anything about your environment.

                      nobluescreen

                      You put that in place, and then you can change the PAC script if you implement it that way. It's transparent to the user, and requires more work up front, but next month or next year when you need to block another domain it will be easier. IMO it is the right way to do it rather than creating rules based on their IP allocations, which may expand and will change as we move further toward IPv6.

                      Some of the above might be outside the scope of the pfSense realm... again depending on your environment.

                        francisuk22

                        @rustydusty1717:

                        Tried that with a single host, still have access. That list of IPs that Facebook uses doesn't have the one I get on a ping request. When I ping facebook.com I get:

                        173.252.100.16

                        that's in the subnet 173.252.96.0/19
                        SEE: http://bgp.he.net/AS32934#_prefixes

                        also Twitter
                        http://bgp.he.net/AS13414#_prefixes
                        http://bgp.he.net/AS35995#_prefixes

                        If this doesn't work then look into pfBlocker http://forum.pfsense.org/index.php/topic,42543.0.html - Tried and tested and it works!

                        Example:

                        2.0.2-RELEASE (amd64) - Dell OptiPlex GX520 SFF @ Intel P4 HT 3.0GHz
                        Cisco SR224 24-port Switch (4 PCs, 1 Wireless AP, 2 Consoles)

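The two checks this thread turns on, as an added example that is not code from the thread, from pfSense or from pfBlocker: whether an address such as 173.252.100.16 actually falls inside one of the prefixes in the alias (a rule can only block what the alias contains), and the "on the office network then proxy, otherwise direct" decision nobluescreen describes for a WPAD/PAC file, built on the same CIDR check. The alias below holds only the two AS32934 prefixes quoted in the thread, a constructed sample rather than the full list; the office subnet 192.168.1.0/24 and the proxy address 192.168.1.1:3128 are assumptions.

```javascript
// Added example, not from the thread or from pfSense: IPv4 CIDR membership
// check, reused for an alias-coverage test and for a PAC decision function.

// Constructed sample alias: only the two AS32934 prefixes quoted in the thread.
// A real alias would carry the complete prefix list for the AS.
const FACEBOOK_PREFIXES = ["66.220.144.0/21", "173.252.96.0/19"];

// Assumed office LAN and proxy address (hypothetical; replace with your own).
const OFFICE_LAN = "192.168.1.0/24";
const PROXY = "PROXY 192.168.1.1:3128";

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True if ip lies inside cidr ("a.b.c.d/len"; a bare address means /32).
function inCidr(ip, cidr) {
  const [net, lenStr] = cidr.split("/");
  const len = lenStr === undefined ? 32 : Number(lenStr);
  const a = ipToInt(ip);
  const b = ipToInt(net);
  if (a === null || b === null || !Number.isInteger(len) || len < 0 || len > 32) return false;
  if (len === 0) return true;                      // /0 matches everything
  const mask = (0xffffffff << (32 - len)) >>> 0;   // e.g. /19 -> 255.255.224.0
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// First alias prefix covering ip, or null when the alias does not cover it.
// A null for an address the client really reaches is the symptom in the
// thread: a block rule can only match what the alias actually contains.
function coveringPrefix(ip, prefixes) {
  for (const p of prefixes) {
    if (inCidr(ip, p)) return p;
  }
  return null;
}

// PAC decision logic, kept apart from the PAC entry point so it can be run
// outside a browser: clients on the office LAN are sent to the proxy (which
// does the blacklisting); single-label intranet names and everyone else go direct.
function chooseProxy(clientIp, host) {
  if (!host.includes(".")) return "DIRECT";        // plain intranet host name
  return inCidr(clientIp, OFFICE_LAN) ? PROXY : "DIRECT";
}

// The function a browser calls from the WPAD/PAC file. myIpAddress() is
// supplied by the browser's PAC runtime and is not defined here.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}

// Stand-alone demonstration with the address from the thread.
console.log(coveringPrefix("173.252.100.16", FACEBOOK_PREFIXES));   // 173.252.96.0/19
console.log(chooseProxy("192.168.1.20", "www.facebook.com"));        // PROXY 192.168.1.1:3128
```

Two practical notes. On the firewall itself the same coverage question can be put to pf directly: `pfctl -t <alias name> -T test 173.252.100.16` reports whether the table built from the alias contains the address, and if it does not, no rule using that alias can match it. And `myIpAddress()` returns a single address chosen by the browser, which on multi-homed or VPN-connected clients may not be the one you expect, so the PAC check should be treated as a convenience for users rather than as the enforcement point; the "block all but the proxy from getting out" rule is what actually enforces the policy.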
                          nobluescreen

                          @francisuk22:

                          @rustydusty1717:

                          Tried that with a single host, still have access. That list of IPs that Facebook uses doesn't have the one I get on a ping request. When I ping facebook.com I get:

                          173.252.100.16

                          that's in the subnet 173.252.96.0/19
                          SEE: http://bgp.he.net/AS32934#_prefixes

                          also Twitter
                          http://bgp.he.net/AS13414#_prefixes
                          http://bgp.he.net/AS35995#_prefixes

                          If this doesn't work then look into pfBlocker http://forum.pfsense.org/index.php/topic,42543.0.html - Tried and tested and it works!

                          Example:

                          This is a good solution if you do not need the caching ability or want the overhead of a proxy.  I like the pfblocker package.

                            rustydusty1717

                            Alright, still haven't had much luck. If this doesn't work I will look into the package posted previously.

                            action: reject
                            protocol: tcp/udp
                            Source: 192.168.1.20
                            destination: all IPs and subnets listed on the following page:

                            http://bgp.he.net/AS32934#_prefixes

                            Any idea? The virtual machine I'm testing on is using that firewall as the gateway, and still able to access it no problem.

                              rakeshvijayan

                              @nobluescreen:

                              Why not proxy and blacklist facebook?

                              Blacklist only works for HTTP sites. It does not allow me to block https://www.facebook.com. This loophole will be blocked in the coming days in pfSense.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.