How to block facebook access

Polytropon freebsd at
Sun Aug 20 11:44:21 UTC 2017

On Sun, 20 Aug 2017 07:30:40 -0400, Ernie Luzar wrote:
> Polytropon wrote:
> > On Sat, 19 Aug 2017 16:41:20 -0400, Ernie Luzar wrote:
> >>> On 8/19/2017 2:20 PM, Ernie Luzar wrote:
> >>>> Hello list;
> >>>>
> >>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users 
> >>>> are using their work PCs to access facebook during work.
> >>>>
> >>>> What method would you recommend to block all facebook access?
> >>>>
> >>  > Littlefield, Tyler wrote:
> >>  > make your proxy just blacklist and
> >>  > Blocking it will just let them view it on their phones though, so
> >>  > you're looking at a different issue altogether.
> >>
> >> Already blocking 15 facebook login IP addresses which can be added to or 
> >> changed by FB anytime.
> > 
> > Yes, that is one of the core problems: You do not have control
> > over Facebook's network configuration. :-)
> > 
> > On the IP level, you can maintain a list of IPs to block. And
> > you could use resolver modification to do this for you, for
> > example when the IP for a certain Facebook service or page
> > changes, using the resolver its new IP will be added to the
> > block list. With this approach, you can block using both
> > numeric IPs and domain name strings (which of course resolve
> > to IPs, too).
> > 
> > Maybe it would be a lot easier if you could just switch to
> > whitelisting - define the IPs _allowed_ for the users. This
> > will surely introduce new problems like "I cannot access a
> > web site which I need for work, please verify and whitelist",
> > which is something you cannot fully automate.
> > 
> I am unfamiliar with the "resolver modification" you speak of.
> Is this a function in ipfilter firewall?
> Where and how is this done?

It's a term I probably invented because I don't know the correct
name - if it even has a specific name. :-)

The idea is that IPs assigned to hosts may change, something you
mentioned as a fully valid problem. Example: If you want to block
with the IP 123.456.789.100, you add that to your list - done.
Now changes it to 123.456.789.101, and in case you didn't block
a full IP range (123.456.789.*), can be reached again. So if you
have a list of host names that you want to prohibit access to,
put them into a list and let your resolver check them from time
to time, for example using tools like dig, drill, or host, with
a little postprocessing. If a new IP appears, just add it to the
block list. In this example, 123.456.789.101 would be added, and
cannot be reached anymore. This approach is also helpful if
acquires a totally new IP range, for example now becomes
123.987.258.654... ;-)

Maybe the following resources will provide a good entry point:

Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
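The "let your resolver check them from time to time" approach above, as an added example that is not code from the original post or from either poster: a small sh script for a FreeBSD/ipfilter gateway that resolves a list of host names with drill(1) (or host(1)), keeps every address it has ever seen in a block list, and regenerates ipfilter rules from that list. The file names, the em0 interface, and the /etc/ipf.rules location of the static rule set are assumptions; replace them with your own. The ipfilter rule syntax and the ipf(8)/drill(1) options used are the standard ones, but the script was not written against the poster's setup.

```shell
#!/bin/sh
# Added example, not code from the original post: keep an ipfilter block
# list in step with the A records of a list of host names to prohibit.
# Assumptions (hypothetical names): one host name per line in $HOSTS_FILE,
# accumulated addresses in $BLOCK_FILE, generated rules in $RULES_FILE,
# em0 as the LAN-facing interface, static rules in /etc/ipf.rules.

HOSTS_FILE=${HOSTS_FILE:-/usr/local/etc/ipf.blocked-hosts}
BLOCK_FILE=${BLOCK_FILE:-/var/db/ipf.blocked-ips}
RULES_FILE=${RULES_FILE:-/var/db/ipf.blocked-rules}
IFACE=${IFACE:-em0}

# extract_ipv4: pull dotted-quad addresses out of resolver output on stdin,
# one per line, de-duplicated. Works on drill -Q output, on full RR lines
# and on host(1)'s "has address" lines alike.
extract_ipv4() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# resolve_a NAME: current A records of NAME. drill(1) is in the FreeBSD
# base system; host(1) from dns/bind-tools is used if drill is missing.
resolve_a() {
    if command -v drill >/dev/null 2>&1; then
        drill -Q "$1" A 2>/dev/null
    else
        host -t A "$1" 2>/dev/null
    fi | extract_ipv4
}

# merge_new_ips BLOCKFILE: read candidate addresses from stdin, append the
# ones not yet in BLOCKFILE, and print only the newly added addresses.
# Addresses are never removed: a host that moves away from an address
# stays blocked on the old one, which is the behaviour the post describes.
merge_new_ips() {
    block=$1
    [ -f "$block" ] || : > "$block"
    sort -u | while read -r ip; do
        [ -n "$ip" ] || continue
        if ! grep -qxF "$ip" "$block"; then
            printf '%s\n' "$ip" >> "$block"
            printf '%s\n' "$ip"
        fi
    done
}

# ipf_rules BLOCKFILE IFACE: one ipfilter rule per blocked address,
# dropping LAN-originated traffic leaving the gateway towards it.
ipf_rules() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf 'block out quick on %s from any to %s\n' "$2" "$ip"
    done < "$1"
}

# update_blocklist HOSTS BLOCK RULES IFACE: resolve every listed host,
# merge into the block list, regenerate the rules file. Prints the
# addresses that were new in this run (nothing if nothing changed).
update_blocklist() {
    hosts=$1; block=$2; rules=$3; iface=$4
    new=$(
        while read -r name; do
            case $name in ''|'#'*) continue ;; esac
            resolve_a "$name"
        done < "$hosts" | merge_new_ips "$block"
    )
    ipf_rules "$block" "$iface" > "$rules"
    printf '%s\n' "$new" | sed '/^$/d'
}

# Run from cron as: blocklist.sh run   (nothing happens when sourced).
case ${1-} in
run)
    added=$(update_blocklist "$HOSTS_FILE" "$BLOCK_FILE" "$RULES_FILE" "$IFACE")
    if [ -n "$added" ]; then
        # Reload only when something changed. The generated "block quick"
        # rules are loaded first so that no earlier "pass out quick" rule
        # in the static set can match the packet before they do.
        ipf -Fa -f "$RULES_FILE"
        ipf -f /etc/ipf.rules
        printf 'added:\n%s\n' "$added"
    fi
    ;;
esac
```

Running it every few minutes from cron covers the "FB can change the addresses anytime" problem: a new address shows up in DNS, gets appended to the block list, and the rules are reloaded. What it cannot do is see addresses the resolver never returns, for example those handed to the clients through a CDN name the clients resolve but the gateway does not; for that, the whitelisting approach mentioned earlier, or a proxy, is the more reliable tool.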
