Thursday, May 24, 2012

IPCop :: block Facebook https - alternative

As we know, Squid’s transparent proxy cannot filter https traffic, but we can block it using iptables. Here is how to block Facebook’s https traffic using IPCop version 1.9.x.

The easiest way to block Facebook’s https traffic is to block its IP range. You don’t have to find each specific Facebook IP to block it; as we know, Facebook has a lot of public IP addresses.


1. From the IPCop GUI menu, go to Firewall –> Addresses.

2. Fill in Name, Address format (make sure you choose IP here), Address and Netmask.

3. Here is the tricky part. For the Address and Netmask, put these IP addresses.

4. From the whois information, you can see at least this range belongs to
bsd@genetics:~$ whois
# Query terms are ambiguous.  The query is assumed to be:
#     "n"
# Use "?" to get help.
# The following results may also be obtained via:
NetRange: -
OriginAS:       AS32934
NetName:        TFBNET1
NetHandle:      NET-204-15-20-0-1
Parent:         NET-204-0-0-0-0
NetType:        Direct Assignment
NameServer:     NS5.FACEBOOK.COM
NameServer:     NS4.FACEBOOK.COM
NameServer:     NS3.FACEBOOK.COM
Comment:        Contact with issues.
RegDate:        2005-08-08
Updated:        2010-07-08
OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 S. California Ave
City:           Palo Alto
StateProv:      CA
PostalCode:     94304
Country:        US
RegDate:        2004-08-11
Updated:        2010-04-09
OrgTechHandle: OPERA82-ARIN
OrgTechName:   Operations
OrgTechPhone:  +1-650-543-4800
RTechHandle: OPERA82-ARIN
RTechName:   Operations
RTechPhone:  +1-650-543-4800
RAbuseHandle: OPERA82-ARIN
RAbuseName:   Operations
RAbusePhone:  +1-650-543-4800
RNOCName:   Operations
RNOCPhone:  +1-650-543-4800
# ARIN WHOIS data and services are subject to the Terms of Use
# available at:

5. Then proceed to Firewall –> Address Groups, create a new Address Group Name (e.g. Facebook), then select Custom Addresses inside that group.

6. Next, proceed to Firewall Rules –> Outgoing Traffic, then configure your firewall as below:
Default networks = Green Networks
Destination –> Address Groups –> Facebook
Tick Use Service –> Default Services –> https (443)
Additional –> Tick Rule enabled, Rule Action –> Drop, Remark –> Facebook https blocked
Click Save

7. Make sure these rules stay above any other rules.

8.  After this, point your browser at If you have understood and done things right, you should be unable to open https Facebook and get a timeout message.
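Steps 3 and 4 depend on turning a whois NetRange into Address and Netmask pairs for the Firewall –> Addresses form. The following is an added example, not part of the original post: it parses whois text and returns the pairs to enter, skipping a NetRange line that has no addresses. The sample whois text is constructed from documentation address space and does not contain Facebook's ranges; the function name `address_entries` is hypothetical.

```python
import ipaddress
import re

# Constructed whois excerpt using documentation address space (RFC 5737).
# These are NOT Facebook's ranges; paste your own whois output instead.
SAMPLE_WHOIS = """\
NetRange:       198.51.100.0 - 198.51.100.255
NetName:        EXAMPLE-NET1
NetRange:       192.0.2.0 - 192.0.2.191
NetName:        EXAMPLE-NET2
NetRange: -
"""

# Matches "NetRange: <first IPv4> - <last IPv4>" on a single line only.
NETRANGE_RE = re.compile(
    r"^NetRange:[ \t]*([\d.]+)[ \t]*-[ \t]*([\d.]+)[ \t]*$", re.MULTILINE
)


def address_entries(whois_text):
    """Return (address, netmask) pairs covering every NetRange found."""
    entries = []
    for first, last in NETRANGE_RE.findall(whois_text):
        try:
            start = ipaddress.IPv4Address(first)
            end = ipaddress.IPv4Address(last)
        except ipaddress.AddressValueError:
            continue  # malformed address, nothing safe to enter
        if start > end:
            continue  # reversed range, skip rather than guess
        # A range that is not one aligned block needs several entries,
        # because the form takes one network address and one netmask.
        for net in ipaddress.summarize_address_range(start, end):
            entries.append((str(net.network_address), str(net.netmask)))
    return entries


if __name__ == "__main__":
    for address, netmask in address_entries(SAMPLE_WHOIS):
        print(f"Address: {address:<15} Netmask: {netmask}")
```

Each returned pair becomes one entry under Firewall –> Addresses, and all of them go into the same Address Group in step 5.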

1 comment:

Harry Opine said...

Hello, good write up.

We are responsible for a fairly large organization, and had to implement our own in house web filtering solution, using open source content filter applications or hardware solutions. We decided that using ipcop to redirect to squid with blacklists from was the best value and most effective solution at the price point we needed. We found that the free blacklists available were really a poor choice.

Anyway, hopefully someone finds the experience useful.