FB Alias Block
-
I found a few threads on here regarding blocking FB. One of them looked to Squid, the other being to block the IPs used by FB. Figured I would try the IPs first before playing with Squid since this firewall has about ~120 users on it. Anyways, here are screenshots of those rules I'm trying to make work.
-
One of the rules is blocking the destination alias called "b" which is a few local IPs I've thrown in to test with, including my own.
-
Anyone?
-
I have the same issues. The way I have done it is…
Firewall > NAT > Rules
Add
Action: Reject
Protocol: TCP/UDP
Source: Type: THE IP example 192.168.1.5/32 > this will allow 192.168.1.5 not to have Facebook!
Destination: Type: Network: 66.220.144.0 /21
Save
Repeat all the subnets that belong to Facebook - Subnets
http://bgp.he.net/AS32934#_prefixes
Hit Apply Changes
:P
-
Tried that with a single host, still have access. That list of IPs that Facebook uses doesn't have the one I get on a ping request. When I ping facebook.com I get:
173.252.100.16
-
Why not proxy and blacklist facebook?
-
Why not proxy and blacklist facebook?
because transparent proxy with squid will only work with http and NOT with https ….
so basically, lots of folks have favorites/bookmarks that are created after they signed in ... the bookmarks are on HTTPS | these bypass transparent proxy
-
Why not proxy and blacklist facebook?
because transparent proxy with squid will only work with http and NOT with https ….
so basically, lots of folks have favorites/bookmarks that are created after they signed in ... the bookmarks are on HTTPS | these bypass transparent proxy
My personal preference is to control web stuff with a proxy. There are ways to push out the proxy info to browsers through both DHCP and DNS. I would create a wpad file, take off transparent mode, block all but the proxy from getting out, by default almost all browsers are set to auto discover the proxy. It works for mobile users too because the pac script will only point them to your proxy if certain conditions are met if you so choose. One example is if they are on network x.x.x.x/x then proxy otherwise go direct.
This is all said not knowing anything about your environment…if you explicitly define the proxy you can use it for all protocols including HTTPS. In my personal opinion proxy is the best for blacklisting and managing web traffic. Again this is not knowing anything about your environment.
-
You put that in place, and then you can change the pac script if you implement that way. It's transparent to the user, and requires more work up front, but next month or next year when you need to block another domain it will be easier. IMO it is the right way to do it rather than creating rules based on their IP allocations which may expand and will change as we move further toward IPv6.
Some of the above might be outside the scope of the pfSense realm... again depending on your environment.
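
The PAC approach described in the post above (on network x.x.x.x/x use the proxy, otherwise go direct), as an added example that is not part of the original thread. The LAN range 192.168.1.0/24 and the proxy address 192.168.1.1:3128 are assumptions; substitute your own.

```javascript
// Added example PAC file (served as wpad.dat / proxy.pac).
// Assumed values, not taken from the thread:
var OFFICE_NET = "192.168.1.0/24";     // assumed LAN behind the firewall
var PROXY = "PROXY 192.168.1.1:3128";  // assumed Squid address; 3128 is Squid's default port

// Convert a dotted-quad IPv4 string to an integer, or -1 if it is not one.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return -1;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when ip lies inside cidr ("a.b.c.d/len").
function inCidr(ip, cidr) {
  var pieces = cidr.split("/");
  var addr = ipToInt(ip), base = ipToInt(pieces[0]), len = Number(pieces[1]);
  if (addr < 0 || base < 0 || !(len >= 0 && len <= 32)) return false;
  var size = Math.pow(2, 32 - len);    // number of addresses in the block
  return Math.floor(addr / size) === Math.floor(base / size);
}

// Pure decision function, so the logic can be tested outside a browser.
function chooseProxy(url, host, clientIp) {
  // Off the office network (laptop at home, phone on mobile data): go direct.
  if (!inCidr(clientIp, OFFICE_NET)) return "DIRECT";
  // Plain hostnames and LAN addresses never need the proxy.
  if (host.indexOf(".") === -1 || inCidr(host, OFFICE_NET)) return "DIRECT";
  // Everything else, http and https alike, goes to the explicit proxy, where
  // the blacklist is enforced. No DIRECT fallback is listed, so a proxy
  // outage fails closed instead of bypassing the filter.
  return PROXY;
}

// Entry point the browser calls; myIpAddress() is supplied by the PAC runtime.
function FindProxyForURL(url, host) {
  return chooseProxy(url, host, myIpAddress());
}
```

The PAC file only steers browsers; the enforcement is still the firewall rule that blocks everything except the proxy from getting out, as the post says.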
-
Tried that with a single host, still have access. That list of IPs that Facebook uses doesn't have the one I get on a ping request. When I ping facebook.com I get:
173.252.100.16
that's in the subnet of 173.252.96.0/19
SEE: http://bgp.he.net/AS32934#_prefixes
also Twitter
http://bgp.he.net/AS13414#_prefixes
http://bgp.he.net/AS35995#_prefixes
If this doesn't work then look into pfBlocker http://forum.pfsense.org/index.php/topic,42543.0.html - Tried and tested and it works!
Example:
-
Tried that with a single host, still have access. That list of IPs that Facebook uses doesn't have the one I get on a ping request. When I ping facebook.com I get:
173.252.100.16
that's in the subnet of 173.252.96.0/19
SEE: http://bgp.he.net/AS32934#_prefixes
also Twitter
http://bgp.he.net/AS13414#_prefixes
http://bgp.he.net/AS35995#_prefixes
If this doesn't work then look into pfBlocker http://forum.pfsense.org/index.php/topic,42543.0.html - Tried and tested and it works!
Example:
This is a good solution if you do not need the caching ability or want the overhead of a proxy. I like the pfblocker package.
-
Alright, still haven't had much luck. If this doesn't work I will look into the package posted previously.
action: reject
protocol: tcp/udp
Source: 192.168.1.20
destination: All IPs and subnets listed on the following page: http://bgp.he.net/AS32934#_prefixes
Any idea? The virtual machine I'm testing on is using that firewall as the gateway, and still able to access it no problem.
-
Why not proxy and blacklist facebook?
Blacklist only for http sites. It's not allowing me to block https://www.facebook.com. This loophole will be blocked in the coming days in pfSense.