Problem: How to create alias and block Facebook traffic (IP Addresses and HTTP/HTTPS URL of Facebook) using pfSense firewall rules. Following steps are useful with sites such as Facebook that consume large amounts of IP range but are constrained within a few net blocks.
Solution
Step 1: Find Facebook autonomous system OriginAS or ASN number of Facebook IP registration at Facebook Peering Policy.
Peering Information as below:
ASN: AS32934
Suggested Prefix Limit: 100
PeeringDB: as32934.peeringdb.com
Step 2: Execute below command to find the most current list of Facebook IP subnets by query server to find subnets for their AS:
whois -h whois.radb.net '!gAS32934'
Result query on 27 September 2018:
MacBook-Pro:~ alexl$ whois -h whois.radb.net '!gAS32934'
A1561
204.15.20.0/22 69.63.176.0/20 66.220.144.0/20 66.220.144.0/21 69.63.184.0/21 69.63.176.0/21 74.119.76.0/22 69.171.255.0/24 173.252.64.0/18 69.171.224.0/19 69.171.224.0/20 103.4.96.0/22 69.63.176.0/24 173.252.64.0/19 173.252.70.0/24 31.13.64.0/18 31.13.24.0/21 66.220.152.0/21 66.220.159.0/24 69.171.239.0/24 69.171.240.0/20 31.13.64.0/19 31.13.64.0/24 31.13.65.0/24 31.13.67.0/24 31.13.68.0/24 31.13.69.0/24 31.13.70.0/24 31.13.71.0/24 31.13.72.0/24 31.13.73.0/24 31.13.74.0/24 31.13.75.0/24 31.13.76.0/24 31.13.77.0/24 31.13.96.0/19 31.13.66.0/24 173.252.96.0/19 69.63.178.0/24 31.13.78.0/24 31.13.79.0/24 31.13.80.0/24 31.13.82.0/24 31.13.83.0/24 31.13.84.0/24 31.13.85.0/24 31.13.86.0/24 31.13.87.0/24 31.13.88.0/24 31.13.89.0/24 31.13.90.0/24 31.13.91.0/24 31.13.92.0/24 31.13.93.0/24 31.13.94.0/24 31.13.95.0/24 69.171.253.0/24 69.63.186.0/24 31.13.81.0/24 179.60.192.0/22 179.60.192.0/24 179.60.193.0/24 179.60.194.0/24 179.60.195.0/24 185.60.216.0/22 45.64.40.0/22 185.60.216.0/24 185.60.217.0/24 185.60.218.0/24 185.60.219.0/24 129.134.0.0/16 157.240.0.0/16 157.240.8.0/24 157.240.0.0/24 157.240.1.0/24 157.240.2.0/24 157.240.3.0/24 157.240.4.0/24 157.240.5.0/24 157.240.6.0/24 157.240.7.0/24 157.240.9.0/24 157.240.10.0/24 157.240.16.0/24 157.240.19.0/24 157.240.11.0/24 157.240.12.0/24 157.240.13.0/24 157.240.14.0/24 157.240.15.0/24 157.240.17.0/24 157.240.18.0/24 157.240.20.0/24 157.240.21.0/24 157.240.22.0/24 157.240.23.0/24 129.134.0.0/17 157.240.0.0/17 204.15.20.0/22 69.63.176.0/20 69.63.176.0/21 69.63.184.0/21 66.220.144.0/20 69.63.176.0/20
C
Step 3: Access pfSense and create New Alias with any distinguished name FacebookBlock, with following settings:
Type: Network(s)
Network(s): All IPs that you get from above command
Step 4: Go to Firewall > Rules > LAN to create a new Rule with following settings:
Action = BLOCK
Interface = LAN
Tcp/ip Version = IPV4
Protocol = TCP/UDP
Step 5: Move it on top (where you like to block for all users) of all Rules.
Step 6: Select Block / Reject all.
Step 7: In the section Instead IP Address put FacebookBlock.
Step 8: Save the changes.
Other alternative:
Modify hosts files to prevent access to facebook domains.
0.0.0.0 facebook.com
0.0.0.0 facebook.net
0.0.0.0 api.facebook.com
0.0.0.0 api.facebook.net
0.0.0.0 connect.facebook.net
0.0.0.0 connect.facebook.com
Reference
Netgate Documentation: Blocking Access to Websites
G7 Schools: How to Block Facebook Using SQUID + SQUIDGUARD through Pfsense
ipaddresshost: How to block HTTP and HTTPS Facebook with pfSense
