09 August, 2011

How to Block https www.facebook.com

There are many questions on the internet about how to block https facebook.com, yet there is no easy answer. Facebook and other social networking sites are blocked in schools and other establishments because they affect the learning process of students and the productivity of employees.

In my case, I have been blocking facebook.com on a pfSense server through Squid. Although it is working perfectly, some users have found a way out by accessing the same URL with https in place of http. To solve the problem I need to block https Facebook in the firewall rules.

To do this, of course, we need a pfSense firewall in our network. We need to download the pfSense installer from this link. You also need to install the Squid proxy server to block some of the restricted websites. Here is how to install and configure Squid as a transparent proxy on pfSense.

Assuming that you already have pfSense set up, the next thing we're going to make is an alias. Select ‘Aliases’ from the Firewall menu. Hit the ‘+’ icon to make a new one. You’ll see a screen that looks like this:

Provide the name of the alias, add the host, and set the type of the alias to network. You can also add a description. Most importantly, you’ll need to specify each entry by IP address and then select the CIDR (network mask) that pertains to it. Please refer to this post, Facebook IP addresses, to use the appropriate Facebook IP addresses.

Create another alias for the port. Use port 443 for https and port 80 for http websites.

We’ve created the needed aliases, so now we need to tell pfSense to do something with them. From the Firewall menu again, add a Rule. The rule needs to go on the LAN tab.

Set up the rule based on these criteria:
  • Reject the traffic from the LAN
  • TCP connections
  • Source is LAN subnet
  • Destination - select host or alias and put in the name of your alias.
  • Set the Destination ports as other and select https
  • No need for any of the advanced options
  • Leave the schedule as none
  • Leave the gateway default
  • Give it a descriptive name for future reference.
  • Now, Save and Apply. You’re done.

This is the easy way to block HTTPS websites, including facebook.com, on a pfSense server. If there are better methods to block https websites, please leave a comment on this page.

UPDATE: In addition, you can use www.nwtools.com to determine the CIDR of the sites you wish to block.
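The alias step depends on turning address ranges into CIDR entries and on knowing which destinations the alias still misses. The following is an added example, not part of the original post: it converts ranges into the smallest set of network entries and lists addresses the reject rule would not cover. The function names are hypothetical and the addresses are constructed RFC 5737 documentation ranges, not Facebook's; IPv4 only.

```python
import ipaddress

# Constructed sample input: ranges as a whois lookup might print them.
# These are documentation addresses (RFC 5737), not Facebook's real ranges.
SAMPLE_RANGES = [
    "192.0.2.0 - 192.0.2.127",
    "192.0.2.128 - 192.0.2.255",      # adjacent to the previous range
    "198.51.100.16 - 198.51.100.47",  # does not fit one CIDR block
    "203.0.113.0/24",                 # already in CIDR form
]


def to_alias_entries(ranges):
    """Convert 'start - end' ranges or CIDR strings into the smallest list
    of networks, each one ready to enter in a pfSense network alias."""
    nets = []
    for item in ranges:
        if "-" in item:
            start, end = (ipaddress.ip_address(p.strip())
                          for p in item.split("-"))
            if start > end:
                raise ValueError(f"range is reversed: {item}")
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            # strict=True rejects entries with host bits set (10.0.0.5/24),
            # a common typo when filling in the network mask by hand.
            nets.append(ipaddress.ip_network(item.strip(), strict=True))
    # Merge adjacent and overlapping networks into fewer alias rows.
    return list(ipaddress.collapse_addresses(nets))


def uncovered(addresses, alias):
    """Return the addresses that no alias entry covers, i.e. destinations
    the reject rule would still let through."""
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in net for net in alias)]


if __name__ == "__main__":
    alias = to_alias_entries(SAMPLE_RANGES)
    for net in alias:
        print(f"{net.network_address} / {net.prefixlen}")
    # Constructed check list, e.g. addresses a DNS lookup returned today.
    print("not covered:", uncovered(["192.0.2.200", "198.51.100.48"], alias))
```

Re-running the coverage check against fresh DNS answers for the blocked site shows when the alias has fallen behind the site's current addresses.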

13 comments :

  1. but facebook's IP addresses are plenty. How do you block them all?

  2. Please refer to this page..
    The IP addresses of Facebook


    I have been using these IP addresses of Facebook and it's working.

  3. hi sir how about CIDR needed in the settings?

  4. Using squid in non-transparent mode will block https. You need to set up pfsense as a wpad server, or alternatively set each client browser manually to access the proxy. Plenty of info on the pfsense site, not difficult to do.

  5. It works well. I tried it by blocking rapidshare.com. Thanks!

  6. I used OpenDNS...

  7. If you have a good antivirus with parental control, then you can block https sites on that particular PC. It will be best if you have the server edition.
    I have Quickheal 2013 total security. It works great.
    From
    Nitin-India

  8. very helpful thanks!

  9. Squid in non-transparent mode is the ideal way to really control things. Use firewall to:
    1. block all outbound DNS (port 53) unless destination is NortonDNS/OpenDNS/etc
    2. block all outbound to port 80 and 443 (this forces all clients to use proxy port ie. 3128 default for squid)
    3. use dhcp server to enforce static mappings (meaning you cannot hardcode a static ip if you have exclusions for the proxy)
    4. alternately try ip-guard-dev to maintain an ip to mac pairing.

    It's a bit of work to set up and not exactly easy to learn, but the result is that you have control of your network.

    Once you start using a proxy you will find certain things, like online games, are hard coded to use a specific port (like 80) and won't work with a proxy. In these cases if you want to allow this, create an alias that has the ip of the url (or the ip/cidr of the network) and allow that specific traffic to pass.

    So many great options available and it's free. All you need to do is spend the time to learn.

  10. Check with your web empower network blog beast () host to see what is being said so those further from the speaker can hear.
    This is of utmost importance and bloggers need to consider one of the following,
    or not quite enough food, or unplugging your fridge
    and turning your hot water off. Ask a SEO consultant for further information
    and assistance if you are trying to attract and that offer favorable commission terms.

  11. i have successfully blocked https://www.facebook.com
    but now how can i unblock facebook to specific users
    I am using pfsense 2.0 with squid and light squid with transparent mode

  12. Hello, I have used this way to block https and it succeeded, but when clients change their DNS IP address to 8.8.8.8 they can open Facebook via https://www.facebook.com. Please help me find a solution, thanks.

  13. Hello! I have successfully blocked https://www.facebook.com but when clients change the DNS IP to 8.8.8.8 or 8.8.4.4 they can open Facebook again via https. Please help, how do I do that?
