How to block facebook access

Odhiambo Washington odhiambo at gmail.com
Sun Aug 20 17:11:34 UTC 2017


On 20 August 2017 at 14:30, Ernie Luzar <luzar722 at gmail.com> wrote:

> Polytropon wrote:
>
>> On Sat, 19 Aug 2017 16:41:20 -0400, Ernie Luzar wrote:
>>
>>> On 8/19/2017 2:20 PM, Ernie Luzar wrote:
>>>>
>>>>> Hello list;
>>>>>
>>>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>>>>> are using their work PC's to access facebook during work.
>>>>>
>>>>> What method would you recommend to block all facebook access?
>>>
>>>  > Littlefield, Tyler wrote:
>>>  > make your proxy just blacklist facebook.com and m.facebook.com?
>>>  > Blocking it will just let them view it on their phones though, so
>>>  > you're looking at a different issue altogether.
>>>
>>> Already blocking 15 Facebook login IP addresses, which can be added to or
>>> changed by FB anytime.
>>>
>>
>> Yes, that is one of the core problems: You do not have control
>> over Facebook's network configuration. :-)
>>
>> On the IP level, you can maintain a list of IPs to block. And
>> you could use resolver modification to do this for you, for
>> example when the IP for a certain Facebook service or page
>> changes, using the resolver its new IP will be added to the
>> block list. With this approach, you can block using both
>> numeric IPs and domain name strings (which of course resolve
>> to IPs, too).
>>
>> Maybe it would be a lot easier if you could just switch to
>> whitelisting - define the IPs _allowed_ for the users. This
>> will surely introduce new problems like "I cannot access a
>> web site which I need for work, please verify and whitelist",
>> which is something you cannot fully automate.
>>
>>
> I am unfamiliar with the "resolver modification" you speak of.
> Is this a function in ipfilter firewall?
> Where and how is this done?
>
>
I use dnsmasq+Bind+PF for this.

dnsmasq is set such that it listens on port 5353. It can be configured to
read /etc/hosts first before querying BIND. What it doesn't find in
/etc/hosts, it asks BIND.
My pf.conf redirects all DNS queries to dnsmasq running on port 5353.
However, there are a few people I do not want to block. I assign their
machines a range of static IPs (based on their MAC addresses) and I allow
these IPs to access DNS directly via BIND:


# Bypass DNS restrictions for some users. Allow DNS requests to the local
# BIND engine
rdr pass on $int_if inet proto udp from { 192.168.54.23/32, \
        192.168.54.24/32, 192.168.54.104/32, 192.168.54.6/32 } to port 53 \
        -> 192.168.55.254 port 53
# Redirect all other DNS requests to the dnsmasq instance
rdr pass on $int_if inet proto udp from any to port 53 \
        -> 192.168.55.254 port 5353

You can find the code for blocking Facebook hosts here ->
http://geekussion.com/windows/block-facebook-hosts-file-windows-pc-99/
Just add those entries to /etc/hosts after you have configured dnsmasq.

HTH



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
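As an added example (not part of Odhiambo's post or the linked page), a POSIX shell script that generates the sinkhole entries dnsmasq should serve for a constructed list of Facebook host names, writing them to a separate file for dnsmasq's addn-hosts= option rather than into /etc/hosts itself; the host list, the 0.0.0.0 sinkhole address and the file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build a hosts(5)-style sinkhole
# file that dnsmasq consults before it asks BIND, so the listed names resolve
# to 0.0.0.0 for LAN clients whose DNS is redirected by the pf rdr rule.
set -eu

# Constructed sample list; the real list would come from the page linked above.
FB_HOSTS="facebook.com
www.facebook.com
m.facebook.com
login.facebook.com
static.xx.fbcdn.net"

# gen_blocklist LIST: print one "0.0.0.0<TAB>name" line per host name.
# Blank lines and duplicates are dropped and the output is sorted, so the
# file stays stable and easy to diff when Facebook adds or renames hosts.
gen_blocklist() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*$//' | grep -v '^$' | sort -u |
        while IFS= read -r name; do
            printf '0.0.0.0\t%s\n' "$name"
        done
}

# write_blocklist FILE: write the list to FILE (e.g. /usr/local/etc/fb-block.hosts,
# an assumed path) and print the number of entries written. Point dnsmasq at it
# with "addn-hosts=FILE"; dnsmasq reads it exactly like /etc/hosts.
write_blocklist() {
    gen_blocklist "$FB_HOSTS" > "$1"
    wc -l < "$1" | tr -d ' '
}

# is_sinkholed FILE NAME: exit 0 if NAME is mapped to 0.0.0.0 in FILE.
# Hosts-file matching is exact, so m.facebook.com is not covered by a plain
# facebook.com entry; every host name needs its own line.
is_sinkholed() {
    pattern=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -q "^0\.0\.0\.0[[:space:]]\{1,\}${pattern}\$" "$1"
}
```

Because hosts-file matching is exact, dnsmasq's address=/facebook.com/0.0.0.0 directive is the shorter route when you want a domain and all of its subdomains sinkholed in one line. The rdr rules in the post match UDP only, so an equivalent proto tcp rule is needed to catch queries that fall back to TCP.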

