Softpanorama


Blocking Facebook


Introduction

There are multiple reasons to block Facebook. First of all, Facebook, like other social networks, can be a source of many problems. For individual users the concern is privacy; this concern actually exists for all categories of users.

For employers, the concern is employee productivity, as Facebook has proved to be a pretty powerful distraction, no less powerful than porn sites. For parents, the concern is child safety. For schools and universities, Facebook is a real headache due to abuse of it by students.

There are several ways of blocking Facebook:

Install SQUID and block facebook.com using ACLs

The Squid caching server probably has something similar. For example (LinkedIn):

Boris G.: You must not use a transparent proxy.
You need to force users' browsers to use the proxy for http, https and, if you like, ftp also.


Here is the minimal config needed in squid.conf file:

1. Create an ACL for blocked sites

## ACL blocked-sites
acl blocked-sites dstdomain "/etc/squid/blocked-sites.squid"

2. Apply the ACL to everyone but allowed-ip

## Deny access to blocksites ACL (allowed-ip must already be defined as a src ACL)
http_access deny blocked-sites !allowed-ip

3. Put your blocked sites in /etc/squid/blocked-sites.squid:

# Blocked sites. One per line.
.facebook.com
.twitter.com
.twoo.com
.badoo.com
.netlog.com

Boris G.: At the link below you can download my squid.conf file, if it is of any help (it is too large to post here).
The SSL blocking worked out of the box for me with no additional config.
Options/comments starting with "## BG ##" were added by me.

http://www.xen.si/downloads/squid.conf

Use of OpenDNS

OpenDNS, or any private DNS server, allows blocking resolution of the facebook.com domain. A poor man's method of doing the same at the desktop level is to put entries like those shown below in your desktop's C:\WINDOWS\system32\drivers\etc\hosts file:

# Blocking Facebook
 127.0.0.1 login.facebook.com
 127.0.0.1 www.facebook.com
 127.0.0.1 apps.facebook.com
 127.0.0.1 blog.facebook.com

Using Linux iptables firewall

If you have a Linux firewall controlling the users' computers, you can create firewall rules for iptables. For example:

iptables -t filter -I FORWARD -s 192.168.0.0/24 -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j DROP
iptables -t filter -I FORWARD -s 192.168.0.0/24 -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j DROP
iptables -t filter -I FORWARD -s 192.168.0.0/24 -p tcp -m iprange --dst-range 69.171.220.0-69.171.234.255 --dport 443 -j DROP
iptables -t filter -I FORWARD -s 192.168.0.0/24 -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j DROP

You can also resolve the DNS name facebook.com and similar names in your hosts file. For example (for Linux), open /etc/hosts in vi and add:

127.0.0.1 facebook.com

Using employee control software or parental control software

Windows Content Advisor or Parental Controls allow you to block Facebook more effectively and have many other useful features. See, for example, How to block Facebook - 3 methods for Windows 7 and 8

At the desktop level the simplest method is to put entries like those shown below in the C:\WINDOWS\system32\drivers\etc\hosts file (just below localhost):

# Blocking Facebook
 127.0.0.1 login.facebook.com
 127.0.0.1 www.facebook.com
 127.0.0.1 apps.facebook.com
 127.0.0.1 blog.facebook.com
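
The hosts-file entries and the Squid dstdomain list above do not cover the same names, which matters when checking what is actually blocked. The following script is an added example, not part of the original page or of Boris G.'s configuration; the two sample lists are constructed copies of the entries shown above, and m.facebook.com is an assumed extra test name.

```sh
#!/bin/sh
# Added example: which requested names does each block list on this page cover?

# Constructed copy of the hosts entries shown above.
HOSTS_SAMPLE='# Blocking Facebook
127.0.0.1 login.facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 apps.facebook.com
127.0.0.1 blog.facebook.com'

# Constructed copy of /etc/squid/blocked-sites.squid (shortened).
DSTDOMAIN_SAMPLE='# Blocked sites. One per line.
.facebook.com
.twitter.com'

# hosts_blocks NAME < hosts-file
# A hosts file has no wildcards: NAME is covered only if it is listed
# literally on a line that maps to a loopback or null address.
hosts_blocks() {
    awk -v n="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        $1 ~ /^(127\.|0\.0\.0\.0$|::1$)/ {
            for (i = 2; i <= NF; i++) if (tolower($i) == n) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# dstdomain_blocks NAME < acl-file
# Squid dstdomain semantics: ".facebook.com" matches facebook.com and every
# subdomain; an entry without the leading dot matches that exact host only.
dstdomain_blocks() {
    awk -v n="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
        $0 == "" { next }
        {
            d = tolower($0)
            if (substr(d, 1, 1) != ".") { if (n == d) found = 1; next }
            if (n == substr(d, 2)) found = 1
            else if (length(n) > length(d) &&
                     substr(n, length(n) - length(d) + 1) == d) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# coverage REQUEST...: REQUEST is a host name or the host:port target of a
# CONNECT request, which is what an explicitly configured proxy sees for https.
coverage() {
    for req in "$@"; do
        host=${req%:*}
        h=no; d=no
        if printf '%s\n' "$HOSTS_SAMPLE" | hosts_blocks "$host"; then h=yes; fi
        if printf '%s\n' "$DSTDOMAIN_SAMPLE" | dstdomain_blocks "$host"; then d=yes; fi
        printf '%s hosts=%s dstdomain=%s\n' "$req" "$h" "$d"
    done
}

coverage www.facebook.com m.facebook.com facebook.com \
         www.facebook.com:443 69.63.189.11:443
```

Neither list covers a request addressed to a bare IP address, which is why the posts further down add a numeric-address rule or firewall ranges.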


Old News ;-)

[Aug 14, 2013] Blocking Facebook While Browsing

December 24th, 2011 | The Big Picture
Last week, I asked how I could stop Facebook from tracking my web activities even when I was off of Facebook. Lots of you gave me great suggestions - but the two that I have implemented are below.

You may want to give them a shot:

Disconnect – Firefox Add On

petten

December 24, 2011 at 4:47 pm

Ditch Firefox, pick up Chrome (just surpassed FF in # of users). The first best decision for 2012.

jbruso

December 24, 2011 at 5:53 pm

Doesn't appear the FB Blocker is compatible with FireFox 8.0.

JasRas

I did so after watching the 14-minute video in the Blog area at Disconnect.me… I never realized how much information they were gathering.

donna

I use disconnect and it's really sped up my browser. Quite pleased with it.

Bob A

facebook … the herpes of the internet

hue

facebook blocker also blocks comments from appearing, at least at LATimes.

FSMas lights http://bit.ly/s3bpDC

Forbes

Thanks for this I would suggest that people should also beware of google. If you are not signed in or if you do not have a google account you are tracked but your identifiable history only exists for two years before it is "anonymized" (ya right).

If you have google toolbar or chrome or are signed into your google account whilst browsing – it's tracked and it's stored in perpetuity. When you sign up for a google account something called web history is an opt out feature. Google web history records every site you visit and then stores that info. Because you agreed to Google's terms when you signed up even if you delete and disable web history you're sol as they've got the data.

If you have a google account and did not opt out of web history take a look and have a walk down memory lane.

I think it was Eric Schmidt who suggested that people need to get over the privacy thing.

http://www.networkworld.com/community/node/48975

jonpublic

I use a facebook only browser in addition to the various add ons.

SysAdmin

@Forbes

try this for a pesky google problem:

https://startpage.com/

https://startpage.com/eng/protect-privacy.html

Disconnect is a very thorough blocker of redirects; you may be unpleasantly surprised when your search results are blocked for yahoo or google.

Flavio

thanks for the info…I use firefox and it worked for me…

Leaving Facebookistan

A nice essay on the reasons for leaving FB after the complete corporate takeover (aka IPO):

Zuckerberg's business model requires the trust and loyalty of his users so that he can make money from their participation, yet he must simultaneously stretch that trust by driving the site to maximize profits, including by selling users' personal information. The I.P.O. last week will exacerbate this tension: Facebook's huge valuation now puts pressure on the company's strategists to increase its revenue-per-user. That means more ads, more data mining, and more creative thinking about new ways to commercialize the personal, cultural, political, and even revolutionary activity of users.

There is something vaguely dystopian about oppressed peoples in Syria or Iran seeking dignity and liberation inside a corporate sovereign that is, for its part, creating great wealth for its founders and asserting control over its users.

[…]

for now, at least, Facebook concedes to its users only when it judges that it is in the corporation's interest to do so; what user votes and consultations there may be are purely advisory. As MacKinnon observes, this system suggests the political control strategies of the Chinese Communist Party: periodic campaigns of state-managed openness and managed local democracy.

Every three months "investors" now will want to hear about new plans to monetize users and their friends. This is just the beginning.

[Aug 06, 2013] Howto block facebook.com using linux tools

September 7, 2011 | elvir kuric blog

Recently I was challenged to block access to Facebook from a private network (let's say 10.10.10.0/24). Here are the steps I did; so far I cannot see it again in my logs.

For this task I decided to use native Linux tools, squid and iptables. While squid is really good at blocking web sites (accessed over http), it still has issues when it comes to filtering of https.

First I set the rule below in my squid.conf

acl facebook dstdomain .facebook.com
http_access deny facebook

and it was enough for successfully blocking of http://facebook.com and its subdomains.

Another issue is, if some of my wise users perform

$ ping facebook.com
PING facebook.com (69.63.189.11) 56(84) bytes of data.

he/she will get the IP address and overcome my above rule. So http://69.63.189.11 leads to Facebook again.

I added the rule below

acl b1 url_regex [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access deny b1

to block all combinations of IP addresses from being accessed from a web browser. This can be problematic in some cases (before I moved to https://encrypted.google.com I was using Google in the form http://ip-of-google-from-pinging-it. Google's geolocator is simply annoying).

So we have till now blocked http://facebook.com, and also the case when someone accesses it directly over the IP address.

What remains? Https

Squid proxy cannot help us to block https (afaik; if someone knows how, suggestions are more than welcome), so I pinged facebook.com, got its IP address and wrote an iptables rule

${IPTABLES} -t nat -A PREROUTING -i $INT_IF -p tcp -s ${PRIVATE} -d 69.63.0.0/16 --dport 443 -j DROP

Hmm…not elegant. I agree.

You noticed that I put the whole subnet in as the destination network, assuming Facebook owns them all. This can lead to an issue if your business partners own some of these IP addresses and you need access to port 443. I know for sure that I do not have business partners at these IP locations.

Here is a question: what if Facebook owns IP addresses from some other subset? They probably do, but by monitoring your squid / messages logs you can find out what these IP addresses are and add a rule for them as above.

The above process is "Facebook specific", but you can easily change it and apply it to twitter.com, myspace.com, youtube.com … etc.
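
The log monitoring suggested above, as an added example that is not part of the original blog post: it lists the server addresses Squid contacted for facebook.com names and the requests that were sent straight to an IP address. The log lines are constructed in Squid's native access.log format, and every address in them other than 69.63.189.11 is made up.

```sh
#!/bin/sh
# Added example: mine a Squid access.log for addresses a dstdomain rule misses.

# Constructed sample in Squid's native log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG='1315400000.101    245 10.10.10.23 TCP_MISS/200 5120 GET http://www.facebook.com/home.php - DIRECT/69.63.189.11 text/html
1315400012.377     12 10.10.10.23 TCP_DENIED/403 1480 GET http://www.facebook.com/ - NONE/- text/html
1315400030.904  30012 10.10.10.41 TCP_MISS/200 40321 CONNECT 69.63.189.16:443 - DIRECT/69.63.189.16 -
1315400044.250    310 10.10.10.41 TCP_MISS/200 2210 CONNECT login.facebook.com:443 - DIRECT/66.220.146.18 -
1315400051.008    198 10.10.10.57 TCP_MISS/200 9034 GET http://www.example.org/ - DIRECT/192.0.2.10 text/html
1315400060.731     95 10.10.10.57 TCP_MISS/200 811 GET http://apps.facebook.com/x - DIRECT/69.63.189.11 text/html'

# awk helper shared by both reports: host part of a logged URL or CONNECT target.
AWK_URL_HOST='
function url_host(u,    h) {
    h = tolower(u)
    sub(/^[a-z]+:\/\//, "", h)   # scheme
    sub(/\/.*/, "", h)           # path
    sub(/^.*@/, "", h)           # userinfo
    sub(/:[0-9]+$/, "", h)       # port
    return h
}'

# peer_ips_for DOMAIN < access.log
# Unique server addresses Squid contacted for DOMAIN and its subdomains.
# Denied requests have no peer address (NONE/-) and are skipped.
peer_ips_for() {
    awk -v dom="$1" "$AWK_URL_HOST"'
    {
        h = url_host($7); suffix = "." dom
        if (h == dom || (length(h) > length(suffix) &&
            substr(h, length(h) - length(suffix) + 1) == suffix)) {
            split($9, peer, "/")
            if (peer[2] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print peer[2]
        }
    }' | sort -u
}

# numeric_requests < access.log
# "client method address" for every request addressed to a bare IPv4 address,
# i.e. the requests a domain-name ACL cannot match.
numeric_requests() {
    awk "$AWK_URL_HOST"'
    {
        h = url_host($7)
        if (h ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $3, $6, h
    }' | sort -u
}

echo "Addresses seen behind facebook.com names:"
printf '%s\n' "$SAMPLE_LOG" | peer_ips_for facebook.com
echo "Requests made directly to an IP address:"
printf '%s\n' "$SAMPLE_LOG" | numeric_requests
```

Against a live proxy the same functions read the real log, for example `peer_ips_for facebook.com < /var/log/squid/access.log` (the log path is an assumption and varies by distribution).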

how to block facebook

Bern

Re: how to block facebook?
" Reply #8 on: May 14, 2009, 01:39:30 am "

--------------------------------------------------------------------------------
How about using OpenDNS?

So far it's worked perfectly for me in about 10 clients' offices.

We had to make squid use OpenDNS's DNS servers and kept everything else on the respective ISP's DNS servers because OpenDNS was occasionally blocking access to hotmail's MX records etc, which caused problems with outbound mail.

john doe

FACEBOOK_ALLOW="192.168.1.12 192.168.1.14 192.168.1.111" 
iptables -N FACEBOOK

iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 80 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 80 -j FACEBOOK
iptables -I FORWARD -m tcp -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 80 -j FACEBOOK

## FACEBOOK ALLOW
for face in $FACEBOOK_ALLOW; do
iptables -A FACEBOOK -s $face -j ACCEPT
done
iptables -A FACEBOOK -j REJECT 

[Solved] Squid Blocking Facebook.com Domain for particular time ACL

kuttyjack

Squid Blocking Facebook.com Domain for particular time ACL
Hi,

I want to block Facebook for some of the IPs in my LAN at a particular time using squid.

Let's say, IP 192.168.0.1 should access the internet other than facebook.com from 9 AM to 6 PM; after that it should be unblocked.

Thank you all.

nixcraft:

29th September 2010

Use the following acl in squid.conf to only allow facebook after 17:30 (24 hrs time format):

Code:

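# Mon to Fri time. A Squid time range must have start < end, so the
# overnight window is written as two ranges (lines of one ACL are ORed).
acl blockfacebooktime time MTWHF 17:30-23:59
acl blockfacebooktime time MTWHF 00:00-08:30
# Domain name
acl blockfacebookdotcom dstdomain .facebook.com
# Only allow facebook after 17:30
http_access allow blockfacebookdotcom blockfacebooktime
# Else block facebook
http_access deny blockfacebookdotcom
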
kuttyjack
Hi,

Thanks for your reply.

I want to block the facebook for some of the IP's.

I did the following.

Code:

acl office_time time MTWHF 10:00-18:00
acl bad url_regex "/etc/squid/block.acl"
acl lan_ip src "/etc/squid/lan_ip.acl"
http_access deny lan_ip bad office_time

and it's working fine.

Thank you again.


I was able to block the domains for a particular time using dstdomain for facebook and gmail, but when trying to access facebook.com using https, I am able to access it. I am using squid 2.6 STABLE21 in transparent mode.

Also, if it's possible to block port 443 for a particular IP for office time, it would be great. I have tried the below:

acl block_port port 443
http_access deny block_port
http_access allow all

but it's not working for me. Please help me to fix this issue.

Thank you all.
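
In a transparent setup where only port 80 is redirected to Squid, https traffic never reaches the proxy, so an office-hours block for port 443 has to be done on the firewall. The script below is an added example, not code from this thread: it prints iptables rules using the time match for the client 192.168.0.1 and the 9 AM to 6 PM window from the question, with the Facebook ranges listed earlier on this page; the chain name FB_OFFICE is an assumption.

```sh
#!/bin/sh
# Added example: print (do not run) office-hours REJECT rules for one client.

# Facebook ranges exactly as listed in the iptables examples on this page.
FB_RANGES='66.220.144.0-66.220.159.255
69.63.176.0-69.63.191.255
69.171.220.0-69.171.234.255
204.15.20.0-204.15.23.255'

# valid_ipv4 ADDR: succeed only for a single dotted quad with octets 0-255,
# so that nothing else can reach the generated command lines.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NR > 1 || NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# valid_hhmm TIME: succeed only for 00:00 .. 23:59.
valid_hhmm() {
    case $1 in
        [01][0-9]:[0-5][0-9] | 2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# office_hours_rules CLIENT [START [STOP]]
office_hours_rules() {
    client=$1; start=${2:-09:00}; stop=${3:-18:00}
    valid_ipv4 "$client" || { echo "bad client address" >&2; return 1; }
    valid_hhmm "$start" && valid_hhmm "$stop" ||
        { echo "times must be HH:MM" >&2; return 1; }

    echo "iptables -N FB_OFFICE"
    # Only https from this client to the listed ranges enters the chain.
    printf '%s\n' "$FB_RANGES" | while read -r range; do
        echo "iptables -A FORWARD -s $client -p tcp --dport 443 -m iprange --dst-range $range -j FB_OFFICE"
    done
    # Inside the window: reject. Outside it the packet falls off the end of
    # the chain and returns to FORWARD. Without --kerneltz the times are UTC.
    echo "iptables -A FB_OFFICE -p tcp -m time --timestart $start --timestop $stop --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j REJECT --reject-with tcp-reset"
}

office_hours_rules 192.168.0.1 09:00 18:00
```

Review the printed rules before applying them; as the earlier post notes, the address ranges have to be kept current from the logs.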

Madhat Alsoos

Squid Proxy

I thought that my problem was solved, and that is right, because now my employees can't open Facebook, but that was wrong! My problem has just begun: unfortunately our ISP proxy blocks many websites, not only Facebook. So how can we open these websites now?

The only way to do that is to allow people to connect through a proxy other than the ISP one. But I must block Facebook at that proxy too!

So I decided to make my own proxy and install it on the domain controller at my office! I chose the squid proxy because I am familiar with it and it can work under Windows or Linux.

The first step is installing Squid on the domain controller at some port (the default port is 3128, but I used 55555) and changing the ADSL router configuration to exclude the domain controller from its rules, so it can connect to any IP on any port. To make squid listen on port 55555 you must add this configuration to squid.conf (you can find it under c:\squid\etc):

http_port 55555

Redirect Squid Proxy

Now we have a proxy installed on the domain controller at my office and employees can connect through it. But it is useless now! When someone connects through this proxy, squid will do nothing with the request, so it will go through the ISP proxy, and that is not what we want.

The solution is to redirect the squid proxy to any other free proxy on any port other than 80 (a proxy that my employees used). To do that you must add this configuration to squid.conf:

cache_peer proxy parent port 0 no-query
acl all src 0.0.0.0/0.0.0.0
http_access allow all
never_direct allow all

Just replace "proxy" and "port" with any proxy at any port (other than 80) you want to redirect the squid proxy to. To make sure it works, open http://www.whatismyproxy.com/; you must see 2 proxies: the first one is squid and the other is the proxy you redirect it to.

Block Facebook on Squid

All we need now is to block facebook.com on the squid proxy. To do this we can define such rules in squid.conf:

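acl denyThis dstdomain "c:/squid/acl.txt"
acl our_networks src 192.168.1.0/24
# Deny the listed domains first, then allow only the local network.
# An "allow all" ahead of these rules would open the proxy to everyone.
http_access deny denyThis
http_access allow our_networks
http_access deny all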

By these lines we allow all requests from any IP that belongs to network 192.168.1.0 with mask 255.255.255.0, except requests whose destination domain is contained in the file c:/squid/acl.txt.

Now create the file "c:/squid/acl.txt" and put this line in it:

.facebook.com

You are done! Every time you try to open www.facebook.com (or any subdomain of it) on the squid proxy you will get a forbidden message from squid.

FTP and Squid

Again I thought that everything was OK, but I discovered that my employees couldn't use FTP any more! I tried this myself using FileZilla. When I used the no-proxy option, FileZilla could log in but couldn't retrieve the directory list (that is because the FTP protocol uses a random port larger than 1024 to transfer data, and all these ports are closed by my ADSL router). And when I used the squid proxy as an HTTP proxy for FileZilla I got a forbidden reply from squid and FileZilla couldn't log in at all!

To solve this I googled the internet for about 3 hours and found that squid is not an FTP proxy, so I can't use it to filter FTP connections. But I can use it as an HTTP proxy for FileZilla. To do so I must allow the CONNECT method on squid. All you need is to add these 2 lines to your squid.conf:

http_access allow CONNECT
always_direct allow CONNECT

First rule allows CONNECT method and second one tells squid not to redirect FTP connection to any other proxy (That is to let FTP clients connect directly to FTP servers).

Deny UltraSurf

Now everything is fine, but my employees are not that simple. They tried to bypass my squid proxy using different methods. One successful method they used was UltraSurf. So I blocked UltraSurf too!

To block UltraSurf you need to block the SSL port, which is 443, but this will prevent you from logging in to your email, because almost every mail website uses SSL (HTTPS) for login. You can simply solve that by allowing connections on 443 to each mail website separately, like Gmail, Hotmail and Yahoo. But this is not practical.

I found another solution, which is to deny the CONNECT method on IPs (I think this will affect FTP connections, so if you do this make sure that you can still connect using an FTP client) using this rule in squid.conf (let this rule be the first rule in your squid.conf):

acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access deny CONNECT numeric_IPs all

Conclusion

Finally my employees have given up, and I am satisfied with that. Now I can leave my company and be sure that everything is going well. There are many ways to bypass my proxy and open Facebook using tons of anonymous browsing websites, but I hope that my employees will not hear about them!


FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  



Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.


Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: September 12, 2017