• hello evry body,

    i want to to help me; i want to block facebook in my firewall than, i don't know how to start, can you give me a PDF or the procedural of doing??

    please! my english is not good(I speak French)


  • You could do this many ways but here is how I do it. Use the HAVP package, follow the examples for the place that you would like to block. I would go by the way of ip address but you really never know when that might change so go with  this particular variation of /.facebook.com/  . The formatting may be wrong, just look at the examples after you have HAVP up and running. All you need to do is put what you want in the blacklist.

    HAVP setup:

    1.Transparent proxy (USE LAN)
    2.Just leave the proxy at default port
    3.Make sure both AV and AV proxy are green.
    4. Start blacklisting and just follow the examples.
    5. HAVP is very powerful so be careful about what you block. You can even make rules like these three /.xml  /.htm)  /.php you get the point so just stay with websites for now that you don't like.

    The other option which is incredibly difficult to set up for someone new is Dansguardian. It's not that bad but it depends on how much time you would like to devote to learning Pfsense.


  • Thank you, but can't you help me about HAVP????  or if by giving just some Focus cuz i'm a new commer in PFSENSE.
    i mean, Wich Option can i start???

    System
    Interfaces
    Firewall
    Services
    VPN
    Status
    Diagnostics

    by there i can understand how to go on


  • Use the system tab and click packages. Then press ctrl F and type what you want to look for and this would be HAVP. Click the + sign to install the package. There are so many good packages for Pfsense as you can see but the problem will always be how difficult it is to set up. I would really recommend that you get the new Pfsense 2.1 handbook. Also, from what most tell me, for now just always choose something that is a stable release. When you get more advanced and confident then go for the betas. Another package that would be fun to try is called Pfblocker and this program works very similar to peerguardian and you can find websites to  add your own blocklists or you can just use the defaults. I would just stay with the simple packages for now. Basically, when choosing packages, think about something that may suit your needs.

    Another more simple way to do things is just ping whatever site that you don't want to be accessed and get the IP.
    Then in pfsense just go to Firewall rules and make a rule like this:

    Interface LAN , Protocol ANY, Source Lan Subnet, Destination Single HOST or IP address and type in the IP address and at the bottom click save.

    Also you need to understand how firewall rules work. The rules always work in order meaning that if right now you have the Default antilockout rule and the Allow Lan to any rule(Please change that for your firewall.). The block rule that you create will have to go in between them. I would also suggest looking at this basic configuration to get you started because a firewall is no good without good rules so just follow exactly what it says. https://doc.pfsense.org/index.php/Example_basic_configuration


  • Another way is to do it at the DNS level.  Sign up for an OpenDNS account, block Facebook, and point your pfSense DNS to OpenDNS servers (and disallow WAN overwrite).  If you want to also take it to the next level, block all outbound traffic to TCP/UDP 53 and also allow all local DNS requests to pfSense.

    – or --

    I searched around the Web for Facebook's IP range and found a decent list.  For me, I wanted to "Allow" Facebook for myself, but you can use the same Alias and simply deny access to those IPs.  Here's my list right now:

    31.13.24.0/21
    31.13.64.0/24
    31.13.65.0/24
    31.13.66.0/24
    31.13.67.0/24
    31.13.68.0/24
    31.13.69.0/24
    31.13.70.0/24
    31.13.71.0/24
    31.13.72.0/24
    31.13.73.0/24
    31.13.74.0/24
    31.13.75.0/24
    31.13.76.0/24
    31.13.77.0/24
    31.13.78.0/24
    31.13.79.0/24
    31.13.80.0/24
    31.13.82.0/24
    31.13.83.0/24
    31.13.84.0/24
    31.13.85.0/24
    31.13.87.0/24
    31.13.88.0/24
    31.13.89.0/24
    31.13.90.0/24
    31.13.91.0/24
    31.13.92.0/24
    31.13.93.0/24
    31.13.94.0/24
    31.13.95.0/24
    31.13.96.0/32
    66.220.144.0/24
    66.220.152.0/24
    66.220.159.0/24
    69.171.224.0/24
    69.171.239.0/24
    69.171.240.0/24
    69.171.253.0/24
    69.171.255.0/24
    69.63.176.0/24
    69.63.178.0/24
    69.63.184.0/24
    69.63.186.0/24
    74.119.76.0/24
    103.4.96.0/24
    173.252.64.0/24
    173.252.70.0/24
    173.252.96.0/24
    204.15.20.0/24

    You can copy and paste that into a new "Facebook" alias (Click the button "Bulk import aliases from list") then make a rule on LAN interface and block all traffic to Facebook alias.

    You can also try -- as others have suggested -- using various proxy type blocks and content filtering.


  • We get the current FaceBook list of subnets by running this on a Unix/Linux box in a cron job each day:

    whois -h whois.radb.net -- '-i origin AS32934' | grep ^route | grep -v route6 | cut -d" " -f7 > /var/www/block_lists/facebook.txt
    

    Then on pfSense(s) make a URL table alias that points to that the facebook.txt file, then use the alias in rules as needed.

    The magic numbers for the "whois" are documented towards the bottom of this FaceBook developer page: https://developers.facebook.com/docs/ApplicationSecurity/





  • Why don't you use DNS forwarder and add DNS A record *.facebook.com to 127.0.0.1 for example?
    To avoid using foreign DNS servers by the clients add a NAT rule to catch everything on TCP/UDP 53 and DNAT it to the pfsense box.
    Much simpler and cleaner than using proxy I think :)


  • phil.davis is right, that's the proper solution.

    @Finger79: IP lists may change

    @nothing: it depends on how much your users are motivated. the can run their own local dns server for 'facebook.com' or just a put it in /etc/hosts or similar - i.e. no dns queries to your pfsense box.


  • Is there a way to run this cron WHOIS job on the pfSense box itself (such as the "cron" package)?  Otherwise I'm stuck with a static alias with CIDR nets.


  • @Finger79:

    Is there a way to run this cron WHOIS job on the pfSense box itself (such as the "cron" package)?  Otherwise I'm stuck with a static alias with CIDR nets.

    Yeah, the cron package adds a crontab editor to pfSense. AFAIK you'll also need some whois package from the freeBSD repository, at least on my nanoBSD 2.1 system there was no whois by default.

    @nothing:

    Why don't you use DNS forwarder and add DNS A record *.facebook.com to 127.0.0.1 for example?
    To avoid using foreign DNS servers by the clients add a NAT rule to catch everything on TCP/UDP 53 and DNAT it to the pfsense box.
    Much simpler and cleaner than using proxy I think :)

    Clients may still have a useable DNS cache (eg in a public network). In my open wlan I use both options together.


  • @phil: do url tables get updated on a regular basis? I mean.. assuming you run a cronjob to update the list, how would the table itself be updated? Currently I use the pfBlocker package to create the alias from the file, as you can select to update the alias on a regular basis.

    (BTW, might be of value to someone: it is possible to specify a file:// url in the url table setup to create the list from a local txt file)


  • Looks like it is checked/updated at 12:30 each day - see screenshot. You could modify the frequency of that Cron job to whatever you want.



  • Hmm THX! There even is an update frequency selector field in the url-table setup. It must have been hidden before! :P


  • @phil.davis:

    We get the current FaceBook list of subnets by running this on a Unix/Linux box in a cron job each day:

    whois -h whois.radb.net -- '-i origin AS32934' | grep ^route | grep -v route6 | cut -d" " -f7 > /var/www/block_lists/facebook.txt
    

    Then on pfSense(s) make a URL table alias that points to that the facebook.txt file, then use the alias in rules as needed.

    The magic numbers for the "whois" are documented towards the bottom of this FaceBook developer page: https://developers.facebook.com/docs/ApplicationSecurity/

    The above steps are brilliant!  With those IPs blocked at the firewall and keeping the blocks updated there is no way the clients can reach them regardless of what they do on their PCs.


  • phil.davis i just wanted to thank you amazing. On a side note im able to block it but is it possible to enable a whitelist? to allow myself?

    Thank you

    EDIT:

    To allow certain users create an alias called allow then tick on host and enter the ip of the users that will have access.

    then go to firewall–Rules--LAN and edit the facebook rule to the screen shot.

    Hope this helps





  • @killmasta
    If you can make a block rule, you can make an allow rule.  Just put your allow rule above the block rule on whatever interface your wanting to block facebook on.