How to block Facebook
Facebook (and some other social web sites) allows access over both HTTP and HTTPS.
Syneto’s web content filter works in transparent mode by default, so it cannot filter HTTPS sites. This means that in transparent mode, even though you have chosen to block “Social Networking” sites, Facebook over HTTPS is not blocked.
To block Facebook you have several options:
- use the web content filter in non-transparent mode
- filter Facebook’s IP address ranges
Use the web content filter in non-transparent mode
Syneto’s web content filter can act as a non-transparent proxy by:
- dropping direct HTTPS connections, by adding a filter that blocks port 443 (HTTPS) from the internal network to ‘any’
- configuring the clients’ browsers to use the Syneto UTM’s IP as an HTTP and HTTPS proxy (on port 3129)
Filter Facebook’s IP address ranges
At the time of writing, Facebook uses the following IP networks:
- 66.220.144.0 netmask 255.255.240.0
- 69.63.176.0 netmask 255.255.240.0
- 69.171.224.0 netmask 255.255.224.0
- 204.15.20.0 netmask 255.255.252.0
- 65.201.208.24 netmask 255.255.255.248
- 65.204.104.128 netmask 255.255.255.240
- 66.92.180.48 netmask 255.255.255.240
- 66.93.78.176 netmask 255.255.255.248
- 66.199.37.136 netmask 255.255.255.248
- 67.200.105.48 netmask 255.255.255.252
- 74.119.76.0 netmask 255.255.252.0
- 173.252.64.0 netmask 255.255.192.0
To filter these networks you have to create a network definition for each one and then add the definitions to a group. This can be done from the web configuration interface or from the CLI using the following commands:
config def add net fb01 66.220.144.0 255.255.240.0
config def add net fb02 69.63.176.0 255.255.240.0
config def add net fb03 69.171.224.0 255.255.224.0
config def add net fb04 204.15.20.0 255.255.252.0
config def add net fb05 65.201.208.24 255.255.255.248
config def add net fb06 65.204.104.128 255.255.255.240
config def add net fb07 66.92.180.48 255.255.255.240
config def add net fb08 66.93.78.176 255.255.255.248
config def add net fb09 66.199.37.136 255.255.255.248
config def add net fb10 67.200.105.48 255.255.255.252
config def add net fb11 74.119.76.0 255.255.252.0
config def add net fb12 173.252.64.0 255.255.192.0
config def add netgroup facebook fb0{1..9} fb1{0..2}
After creating the ‘facebook’ group from the CLI or the web interface, you have to add a REJECT or DROP filter with ‘Destination network’ set to ‘facebook’. Make sure it’s the first rule in the list.
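Because the ranges above are only valid "at the time of writing", the list will need to be regenerated from time to time. The following added example (not part of the original article or of Syneto's tooling) validates each address/netmask pair, emits the CLI lines in the syntax shown above, and checks whether a given address is covered by the group. The function names are hypothetical, and it assumes that listing the group members explicitly is equivalent to the fb0{1..9} fb1{0..2} shorthand.

```python
import ipaddress

# "network netmask" pairs copied from the list in this article.
FACEBOOK_NETS = """\
66.220.144.0 255.255.240.0
69.63.176.0 255.255.240.0
69.171.224.0 255.255.224.0
204.15.20.0 255.255.252.0
65.201.208.24 255.255.255.248
65.204.104.128 255.255.255.240
66.92.180.48 255.255.255.240
66.93.78.176 255.255.255.248
66.199.37.136 255.255.255.248
67.200.105.48 255.255.255.252
74.119.76.0 255.255.252.0
173.252.64.0 255.255.192.0
"""

def parse_networks(text):
    """Parse 'address netmask' lines into IPv4Network objects."""
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, mask = line.split()
        # strict=True raises ValueError when the address has host bits set,
        # i.e. it is not a valid network address for that netmask.
        nets.append(ipaddress.IPv4Network(f"{addr}/{mask}", strict=True))
    return nets

def cli_commands(nets, prefix="fb", group="facebook"):
    """Build the 'config def add net' lines plus the netgroup line."""
    names = [f"{prefix}{i:02d}" for i in range(1, len(nets) + 1)]
    cmds = [f"config def add net {name} {net.network_address} {net.netmask}"
            for name, net in zip(names, nets)]
    # Assumption: explicit member names instead of the brace shorthand.
    cmds.append(f"config def add netgroup {group} " + " ".join(names))
    return cmds

def is_blocked(ip, nets):
    """Return True if ip falls inside any network of the group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

if __name__ == "__main__":
    print("\n".join(cli_commands(parse_networks(FACEBOOK_NETS))))
```

Running is_blocked() against the addresses your clients actually resolve for Facebook shows whether the group still covers them or the list has gone stale.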