Block Facebook Trackers on Your Network With PF

20 Dec 2020

One of the first things I do when setting up a new firewall is block the hundreds of thousands of IP addresses owned by Facebook. Facebook is the second largest tracking network on the internet, with coverage of almost one third of all internet sites. As someone who does not have a Facebook account, I have no need to ever access their site, so I may as well block every IP address that could be used for tracking. This example blocks Facebook's IP ranges at the network level, but the same approach could also be applied on a per-computer basis. So let's get started.

The first step is to compile a list of all IP ranges owned by Facebook. This can be done by looking up, in the RADB routing registry, every IP range registered to Facebook's ASN (AS32934):

whois -h whois.radb.net '!gAS32934'

At the time of this writing, that query returns the list of IP ranges below. I'd recommend pulling a fresh list and updating it every once in a while. The next step is to add those ranges to a table in /etc/pf.conf. In this example we're editing the config file on an OpenBSD firewall/router; however, this applies to any system running PF. Alternatively, these IP ranges could be defined as an alias in your pfSense or OPNsense configs with a similar setup.

table <facebook> { 69.63.176.0/20 66.220.144.0/20 66.220.144.0/21 69.63.184.0/21 69.63.176.0/21 74.119.76.0/22 69.171.255.0/24 173.252.64.0/18        \
                   69.171.224.0/19 69.171.224.0/20 103.4.96.0/22 69.63.176.0/24 173.252.64.0/19 173.252.70.0/24 31.13.64.0/18 31.13.24.0/21           \
                   66.220.152.0/21 66.220.159.0/24 69.171.239.0/24 69.171.240.0/20 31.13.64.0/19 31.13.64.0/24 31.13.65.0/24 31.13.67.0/24            \
                   31.13.68.0/24 31.13.69.0/24 31.13.70.0/24 31.13.71.0/24 31.13.72.0/24 31.13.73.0/24 31.13.74.0/24 31.13.75.0/24 31.13.76.0/24      \
                   31.13.77.0/24 31.13.96.0/19 31.13.66.0/24 173.252.96.0/19 69.63.178.0/24 31.13.78.0/24 31.13.79.0/24 31.13.80.0/24 31.13.82.0/24   \
                   31.13.83.0/24 31.13.84.0/24 31.13.85.0/24 31.13.86.0/24 31.13.87.0/24 31.13.88.0/24 31.13.89.0/24 31.13.91.0/24 31.13.92.0/24      \
                   31.13.93.0/24 31.13.94.0/24 31.13.95.0/24 69.171.253.0/24 69.63.186.0/24 31.13.81.0/24 179.60.192.0/22 179.60.192.0/24             \
                   179.60.193.0/24 179.60.194.0/24 179.60.195.0/24 185.60.216.0/22 45.64.40.0/22 185.60.216.0/24 185.60.217.0/24 185.60.218.0/24      \
                   185.60.219.0/24 129.134.0.0/16 157.240.0.0/16 157.240.8.0/24 157.240.0.0/24 157.240.1.0/24 157.240.2.0/24 157.240.3.0/24           \
                   157.240.4.0/24 157.240.5.0/24 157.240.6.0/24 157.240.7.0/24 157.240.9.0/24 157.240.10.0/24 157.240.16.0/24 157.240.19.0/24         \
                   157.240.11.0/24 157.240.12.0/24 157.240.13.0/24 157.240.14.0/24 157.240.15.0/24 157.240.17.0/24 157.240.18.0/24 157.240.20.0/24    \
                   157.240.21.0/24 157.240.22.0/24 157.240.23.0/24 157.240.0.0/17 69.171.250.0/24 199.201.64.0/24 199.201.65.0/24 199.201.64.0/22     \
                   204.15.20.0/22 157.240.192.0/24 157.240.198.0/24 102.132.96.0/20 102.132.96.0/24 102.132.97.0/24 157.240.26.0/24 157.240.27.0/24   \
                   157.240.28.0/24 157.240.29.0/24 157.240.30.0/24 129.134.28.0/24 129.134.29.0/24 157.240.208.0/24 157.240.193.0/24 157.240.194.0/24 \
                   157.240.195.0/24 157.240.197.0/24 157.240.196.0/24 157.240.200.0/24 157.240.201.0/24 157.240.203.0/24 157.240.204.0/24             \
                   157.240.205.0/24 157.240.206.0/24 157.240.207.0/24 157.240.209.0/24 157.240.210.0/24 157.240.211.0/24 157.240.212.0/24             \
                   157.240.213.0/24 157.240.214.0/24 157.240.215.0/24 157.240.216.0/24 157.240.222.0/24 129.134.30.0/24 129.134.31.0/24               \
                   129.134.30.0/23 129.134.25.0/24 129.134.26.0/24 129.134.27.0/24 102.132.99.0/24 102.132.101.0/24 102.132.102.0/24 102.132.104.0/24 \
                   102.132.105.0/24 102.132.106.0/24 102.132.107.0/24 102.132.109.0/24 102.132.110.0/24 129.134.64.0/24 129.134.65.0/24               \
                   129.134.66.0/24 129.134.67.0/24 157.240.219.0/24 157.240.202.0/24 157.240.217.0/24 157.240.218.0/24 157.240.199.0/24               \
                   129.134.127.0/24 157.240.223.0/24 157.240.192.0/18 157.240.221.0/24 157.240.220.0/24 173.252.88.0/21 129.134.68.0/24               \
                   129.134.69.0/24 129.134.70.0/24 157.240.24.0/24 157.240.25.0/24 102.132.100.0/24 157.240.31.0/24 157.240.224.0/24 129.134.71.0/24  \
                   157.240.225.0/24 157.240.226.0/24 157.240.227.0/24 129.134.0.0/17 129.134.72.0/24 129.134.73.0/24 129.134.74.0/24 185.89.219.0/24  \
                   185.89.218.0/24 185.89.218.0/23 185.89.216.0/22 147.75.208.0/20 204.15.20.0/22 69.63.176.0/20 69.63.176.0/21 69.63.184.0/21        \
                   66.220.144.0/20 69.63.176.0/20 }

This table allows us to reference the entire list easily by using the table name <facebook>.

At this point we only need one rule to block them. This rule blocks any traffic going out to the internet destined for an IP in any of the ranges above and, because of the return keyword, immediately rejects the connection so that your browser isn't left retrying until it times out. It assumes that you have an alias defined for your WAN interface, for example WAN="em1"; otherwise, just swap in your network interface name instead of $WAN. This line goes below all aliases, lists, and tables in /etc/pf.conf.

block return out quick on $WAN from any to <facebook>

And we're done. To verify you've set it up correctly, I'd recommend doing some quick tests to confirm that you can't ping facebook.com or visit the website.
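Since the list goes stale, here is an added example (not from the original post) of a small sh script that pulls the current prefixes from RADB with the same whois query, deduplicates them, and swaps them into the running table with pfctl. It assumes pf.conf declares the table as table <facebook> persist file "/etc/pf/facebook.txt" alongside the block rule above; the file path and the minimum-count sanity threshold are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: refresh the <facebook> PF table
# from RADB so the prefix list is not hard-coded in pf.conf. Assumes pf.conf has
#     table <facebook> persist file "/etc/pf/facebook.txt"
# plus the post's block rule. The file path below is an assumption.

TABLE_FILE="${TABLE_FILE:-/etc/pf/facebook.txt}"
ASN="AS32934"

# RADB answers '!gAS32934' with an "A<bytes>" header line, one line of
# space-separated IPv4 prefixes and a "C" terminator. Keep only well-formed
# IPv4 CIDR prefixes, one per line, sorted and deduplicated (the raw list
# repeats several ranges, e.g. 69.63.176.0/20). Like the post's list, this
# covers IPv4 only.
parse_radb_prefixes() {
    tr ' ' '\n' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' |
        sort -u
}

fetch_prefixes() {
    whois -h whois.radb.net "!g${ASN}" | parse_radb_prefixes
}

# Write the table file, then swap the running table's contents in place.
# "pfctl -T replace" changes only this table, not the rest of the ruleset.
update_table() {
    tmp="$(mktemp)" || return 1
    fetch_prefixes > "$tmp"
    # A failed or truncated lookup must not empty the table and silently
    # unblock everything; refuse unless a plausible number of prefixes came back.
    if [ "$(wc -l < "$tmp")" -lt 50 ]; then
        echo "refusing to update: too few prefixes returned" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$TABLE_FILE"
    pfctl -t facebook -T replace -f "$TABLE_FILE"
    # Quick check that the kernel table is actually populated.
    pfctl -t facebook -T show | wc -l
}

# Only touch whois and pf when invoked with "run" (e.g. from a cron job), so
# the functions above can be sourced and tested offline.
if [ "${1:-}" = "run" ]; then
    update_table
fi
```

Schedule it with cron (for example weekly) and the table stays current without editing pf.conf; the block rule itself never changes.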