How to block facebook access

Frank Shute frank at
Tue Aug 22 22:58:17 UTC 2017

On Sat, Aug 19, 2017 at 02:20:48PM -0400, Ernie Luzar wrote:
> Hello list;
> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users 
> are using their work PC's to access facebook during work.
> What method would recommend to block all facebook access?
Hi Ernie,

My recommendation would be to set up unbound(8) on your 11.1 machine (or
setup another) and configure everything on the LAN to use it for name

You can then shove some local records in unbound.conf(5), such as:

local-zone: "" refuse
local-zone: "" refuse

If you then do a lookup from the LAN:

$ host
Host not found: 5(REFUSED)

Firefox and Chrome seem to handle that gracefully.

To stop any muppets who decide to use alternative name service ie. Google,
OpenDNS etc. Configure ipfilter to drop any outgoing to 53 except from
your unbound machine.

Of course, other benefits are: 

1). You can cutdown on all sorts of additional superfluous traffic which
improves all sorts of things: contention, less bandwidth & quota needed

2). Lookups are a lot quicker if they're cached on the LAN; which your
users will appreciate.

This all somewhat depends on how computer savvy your users are and how
locked down their PCs are.

If they know what they're doing then they will find away around it and
nothing short of nuking all of Facebook's DCs will stop it. Now there's
an idea....




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the freebsd-questions mailing list