How to block facebook access

Odhiambo Washington odhiambo at
Sun Aug 20 17:11:34 UTC 2017

On 20 August 2017 at 14:30, Ernie Luzar <luzar722 at> wrote:

> Polytropon wrote:
>> On Sat, 19 Aug 2017 16:41:20 -0400, Ernie Luzar wrote:
>>> On 8/19/2017 2:20 PM, Ernie Luzar wrote:
>>>>> Hello list;
>>>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>>>>> are using their work PCs to access facebook during work.
>>>>> What method would you recommend to block all facebook access?
>>>>>  > Littlefield, Tyler wrote:
>>>  > make your proxy just blacklist and
>>>  > Blocking it will just let them view it on their phones though, so
>>>  > you're looking at a different issue altogether.
>>> Already blocking 15 facebook login ip addresses which can be added to or
>>> changed by FB anytime.
>> Yes, that is one of the core problems: You do not have control
>> over Facebook's network configuration. :-)
>> On the IP level, you can maintain a list of IPs to block. And
>> you could use resolver modification to do this for you, for
>> example when the IP for a certain Facebook service or page
>> changes, using the resolver its new IP will be added to the
>> block list. With this approach, you can block using both
>> numeric IPs and domain name strings (which of course resolve
>> to IPs, too).
>> Maybe it would be a lot easier if you could just switch to
>> whitelisting - define the IPs _allowed_ for the users. This
>> will surely introduce new problems like "I cannot access a
>> web site which I need for work, please verify and whitelist",
>> which is something you cannot fully automate.
> I am unfamiliar with the "resolver modification" you speak of.
> Is this a function in ipfilter firewall?
> Where and how is this done?
I use dnsmasq+Bind+PF for this.

dnsmasq is set such that it listens on port 5353. It can be configured to
read /etc/hosts first before querying bind. What it doesn't find in
/etc/hosts, it asks BIND.
My pf.conf redirects all DNS queries to dnsmasq running on port 5353.
However, there are a few people I do not want to block. I assign their
machines a range of static IPs (based on their MAC addresses) and I allow
these IPs to access DNS directly via BIND:

# Bypass DNS restrictions for some users. Allow DNS requests to the local BIND engine
rdr pass on $int_if inet proto udp from {,,, } to port 53 \
        -> port 53
# Redirect all other DNS requests to the dnsmasq instance
rdr pass on $int_if inet proto udp from any to port 53 \
        -> port 5353

You can find the code for blocking Facebook hosts here ->
Just add those entries to /etc/hosts after you have configured dnsmasq.


Best regards,
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
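A complete version of the three pieces described in the post above (pf redirect with a bypass table, dnsmasq on port 5353 forwarding to BIND, and a hosts-style blocklist), written as an added example rather than the poster's actual files. The interface name em1, the 192.168.1.0/24 addresses, the bypass hosts, the blocklist path and the sample hostnames are assumptions; the `address=/domain/0.0.0.0` lines go beyond the per-host /etc/hosts approach in the post by sinkholing every subdomain of a domain.

```conf
# ---- /etc/pf.conf (FreeBSD 11.x pf; rdr rules go in the translation section) ----
int_if = "em1"                                  # LAN-facing interface (assumption)
# Machines with static DHCP leases that may use BIND directly (assumed addresses)
table <dns_bypass> { 192.168.1.10, 192.168.1.11 }

# Translation rules are first-match, so the bypass must come before the catch-all.
# "to any port 53" also catches clients pointed at an outside resolver.
rdr pass on $int_if inet proto { udp, tcp } from <dns_bypass> to any port 53 \
        -> $int_if port 53
# Everyone else is rewritten to the dnsmasq instance on the gateway's LAN address
rdr pass on $int_if inet proto { udp, tcp } from any to any port 53 \
        -> $int_if port 5353
# dnsmasq's own upstream queries to 127.0.0.1:53 travel over lo0, not $int_if,
# so they are never redirected back into dnsmasq.

# ---- /usr/local/etc/dnsmasq.conf ----
port=5353
listen-address=192.168.1.1                      # gateway's LAN address (assumption)
bind-interfaces
no-resolv                                       # ignore /etc/resolv.conf, use server= only
server=127.0.0.1#53                             # anything not answered locally goes to BIND
# /etc/hosts is still read (no "no-hosts"); this adds a separate blocklist file
addn-hosts=/usr/local/etc/dnsmasq.blocked.hosts # path is an assumption
# Domain-wide sinkhole: 0.0.0.0 for the domain and every name under it
address=/facebook.com/0.0.0.0
address=/fbcdn.net/0.0.0.0

# ---- /usr/local/etc/dnsmasq.blocked.hosts (constructed sample entries) ----
# Per-host form used by the post; the address= lines above already cover these,
# it is shown for names outside a sinkholed domain.
0.0.0.0 www.facebook.com
0.0.0.0 m.facebook.com

# ---- Checks from the gateway (drill is in the FreeBSD base system) ----
#   pfctl -f /etc/pf.conf && pfctl -s nat          # load rules, show the rdr entries
#   drill -p 5353 @192.168.1.1 www.facebook.com    # expect A 0.0.0.0 (sinkholed)
#   drill -p 5353 @192.168.1.1 freebsd.org         # expect a real answer via BIND
# From a LAN client a plain "drill www.facebook.com" is rewritten to :5353 by pf.
```

Only port-53 traffic is caught: a client that resolves over DNS-over-HTTPS or DNS-over-TLS (ports 443/853), or that already has the IP cached, bypasses the sinkhole, which is why the IP-level list Polytropon mentions still matters.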

More information about the freebsd-questions mailing list