A guide on how to completely block Fb and other companies

I wrote this guide for blocking Fb:


Maybe some people are interested in this. If I have made any mistake please write to me. So far it works fine on my machine.


I do it differently, by adding lines like this in /etc/hosts: facebook.net facebook.com fbcdn.net fbcdn.com fbsv.net tfbnw.net doubleclick.net

Your way:

  • Is much more complex, but goes much deeper and is much more complete :+1:
  • Updates automatically, getting new IPs linked to new domain names, but then depends on a third party

For ease of use, you could add the setuid bit to your scripts:

chown root blockfacebook allowfacebook 
chmod u+s blockfacebook allowfacebook 

so you won’t have to sudo every time you want to block or allow the company.
If you do this, put the full path for all piped programs in your scripts, or unalias.

my 2 cents :wink:
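Maintaining the /etc/hosts entries from a script, as an added example that is not part of the post above or of the linked guide. It keeps the block list between marker comments so it can be reapplied or removed without touching the rest of the file; the marker strings, the 0.0.0.0 sink address and the function names are my choices, and the demo works on a throwaway copy rather than the real file.

```sh
#!/bin/sh
# Added example: keep a hosts-file block list in a marked section so it can be
# reapplied or removed cleanly. Marker strings, sink address and function
# names are assumptions of this example, not from the thread.
BEGIN_MARK="# BEGIN blockfb"
END_MARK="# END blockfb"
SINK="0.0.0.0"    # 127.0.0.1 works too; either just makes the name unreachable

# Print FILE with any existing marked section removed.
hosts_strip_section() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$1"
}

# Rewrite FILE so it contains exactly one marked section that points every
# DOMAIN (and its www. form) at the sink address. Re-running replaces the
# section instead of appending duplicates. Writes through `cat >` so the
# owner and mode of /etc/hosts are preserved.
hosts_block_domains() {
    file=$1; shift
    tmp=$(mktemp) || return 1
    hosts_strip_section "$file" > "$tmp"
    {
        printf '%s\n' "$BEGIN_MARK"
        for d in "$@"; do
            case $d in
                www.*) printf '%s\n' "$d" ;;
                *)     printf '%s\n' "$d" "www.$d" ;;
            esac
        done | sort -u | while IFS= read -r name; do
            printf '%s %s\n' "$SINK" "$name"
        done
        printf '%s\n' "$END_MARK"
    } >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Remove the marked section from FILE, restoring normal resolution.
hosts_unblock() {
    tmp=$(mktemp) || return 1
    hosts_strip_section "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Number of sink entries inside the marked section (a quick sanity check).
hosts_blocked_count() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" -v s="$SINK" '
        $0 == b { in_sec = 1; next }
        $0 == e { in_sec = 0 }
        in_sec && $1 == s { n++ }
        END { print n + 0 }
    ' "$1"
}

# Demo on a throwaway copy; for the real thing run as root against /etc/hosts.
demo=$(mktemp)
printf '127.0.0.1 localhost\n' > "$demo"
hosts_block_domains "$demo" facebook.com fbcdn.net fbsv.net tfbnw.net
echo "blocked entries: $(hosts_blocked_count "$demo")"
cat "$demo"
rm -f "$demo"
```

Only the marked section is rewritten, so hand-written entries elsewhere in the file are left alone. One caveat on the setuid suggestion in the post above: the Linux kernel ignores the setuid bit on interpreted scripts (it honours it only on binaries), so chown root plus chmod u+s on a shell script does not remove the need for sudo. The usual way to let a user run the block/allow scripts without a password is a sudoers entry such as `user ALL=(root) NOPASSWD: /usr/local/sbin/blockfacebook` (path assumed here), combined with the full-path advice already given in the post.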


Thanks for the +s tip. It is cool.

Yes the /etc/hosts is also a nice solution but I did not know how to get all these names. Google has 7427 IPs registered in its AS (just checked).

And for Google your solution may be better because someone may still want to access, for example, Gmail but not doubleclick.net.

I looked a bit more at it and I feel there is something wrong with the way you do it:
If I want to block Purism:

> host puri.sm
puri.sm has address

> whois -h whois.radb.net
changed:    noc@digitalocean.com 20180515  #16:52:17Z
member-of:  RS-Digitalocean
origin:     AS14061
source:     RADB
descr:      DigitalOcean
mnt-by:     MAINT-AS14061

> /usr/bin/whois -h "whois.radb.net" -- '-i origin AS14061' | grep route: | wc -l

Everything you block is an address range, not a complete IP
Does Purism really own 867 ranges of IP addresses ? (from /16 to /24)

Here, if your script blocks, you won’t be able to access:
composers.io =>
getfinbox.com =>
sportsprovision.com =>

I’m afraid your way blocks much more than your main target :thinking:

Am I missing something ?


@antonis, I think I love you. :drooling_face:

This is a great supplement to, e.g. uBlock Origin with its Anti-Social blocklist or NoScript, which only work in the browser (certain ones), and Pi-hole on the home network, which may be bypassed by any VPN you’re running, or probably isn’t being used when you’re away from home (unless you remote into it).

Now, please link your instructions to every forum far and wide. Hit Meta where it hurts. :+1:

Any thoughts to turn this into an Android or iOS app?

I encountered:
chmod +x /etc/systemd/system/blockfacebook.service
chmod: changing permissions of '/etc/systemd/system/blockfacebook.service': Operation not permitted


chmod +x /etc/cron.daily/blockfacebookrestart
chmod: changing permissions of '/etc/cron.daily/blockfacebookrestart': Operation not permitted

So I just went to my files, opened the destination folders as administrator and made those two files executable that way. Assuming that’s not a problem…?

I suppose the command just needed sudo added.

Thank you @amarok. You must be root to chmod +x in those folders, so sudo chmod… should work. So what you did is correct, as admin.

Now about what @fralb5 asks. I wrote these instructions for Facebook. True, I wrote that it applies to other companies. This may be false. I guess Purism buys/rents its IP blocks from DigitalOcean. So when you follow this approach you block the whole DigitalOcean ranges.

But hey, if you buy IPs from Meta/Facebook then you probably spy the same way as the mother company does.

So my approach will not work for Purism. But who wants to block Purism?

So what you found is a bug in my saying that this way you block any other company. I will remove this comment and leave it for Facebook. I think a criterion is that when you execute whois -h etc., this method will work if the AS belongs to the company, as is true for Facebook.

The AS for purism does not belong to purism, so this is not a proper method. But we should not lose focus. The problem here is Fb.

One could argue that Google too is a problem. But Google can not be blocked that way, because for example so many sites use their fonts.

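The check @fralb5 walks through above (resolve the host, find the origin AS of its address in RADB, then count the routes announced by that AS) and the criterion @antonis draws from it (the AS-based block is only sound when the AS is registered to the company you mean to block) can be scripted, so the decision is made before anything is blocked. This is an added example, not code from the linked guide. The whois outputs are constructed from the fields shown in the thread (origin AS14061, descr DigitalOcean) with documentation and private prefixes standing in for real routes, and the function names are mine.

```sh
#!/bin/sh
# Added example: decide whether blocking "every route announced by the origin
# AS" would hit only the intended company. Parses RADB whois output in RPSL
# "key:   value" form. All sample data below is constructed.

# Print the value of the first RPSL attribute KEY in FILE (e.g. origin, descr).
rpsl_attr() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Print every route: value (one CIDR per line) from a `-i origin ASn` listing.
rpsl_routes() {
    awk '$1 == "route:" { print $2 }' "$1"
}

# Number of IPv4 addresses in a CIDR prefix, e.g. 10.0.0.0/16 -> 65536.
cidr_size() {
    prefix=${1##*/}
    echo $(( 1 << (32 - prefix) ))
}

# Sum of addresses over all routes in FILE: this is what the block would cover.
routes_total_addresses() {
    total=0
    for r in $(rpsl_routes "$1"); do
        total=$(( total + $(cidr_size "$r") ))
    done
    echo "$total"
}

# Does the descr: of the route object mention COMPANY (case-insensitive)?
# Returns 0 if yes, 1 otherwise. Purism's address resolves to a DigitalOcean
# route object, so this fails for "Purism" and succeeds for "DigitalOcean".
origin_owned_by() {
    [ -n "$2" ] || return 1
    descr=$(rpsl_attr descr "$1")
    company=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $(printf '%s' "$descr" | tr 'A-Z' 'a-z') in
        *"$company"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed stand-in for `whois -h whois.radb.net <address>` for an address
# hosted at DigitalOcean. Fields follow the thread; the prefix is a
# documentation range, not a real DigitalOcean route.
write_sample_route_object() {
    cat > "$1" <<'EOF'
route:      203.0.113.0/24
descr:      DigitalOcean
origin:     AS14061
member-of:  RS-Digitalocean
mnt-by:     MAINT-AS14061
source:     RADB
EOF
}

# Constructed stand-in for `whois -h whois.radb.net -- '-i origin AS14061'`,
# cut down to three routes of different sizes (the real listing is far longer).
write_sample_as_routes() {
    cat > "$1" <<'EOF'
route:      203.0.113.0/24
origin:     AS14061
source:     RADB

route:      198.51.100.0/24
origin:     AS14061
source:     RADB

route:      10.0.0.0/16
origin:     AS14061
source:     RADB
EOF
}

# Demo: with live data, replace the two write_sample_* calls by the whois
# commands quoted in their comments.
ro=$(mktemp); ar=$(mktemp)
write_sample_route_object "$ro"
write_sample_as_routes "$ar"
echo "origin: $(rpsl_attr origin "$ro"), registered to: $(rpsl_attr descr "$ro")"
echo "routes announced: $(rpsl_routes "$ar" | wc -l), addresses covered: $(routes_total_addresses "$ar")"
for target in Purism DigitalOcean; do
    if origin_owned_by "$ro" "$target"; then
        echo "$target: origin AS is theirs; blocking its routes targets only them"
    else
        echo "$target: origin AS belongs to someone else; blocking it hits unrelated sites"
    fi
done
rm -f "$ro" "$ar"
```

A blocking script would run origin_owned_by first and refuse to proceed when it fails; the address total makes the collateral visible (three sample routes already cover 66048 addresses, none of which are Purism's).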

And recaptchas. :angry:!

But I block Google fonts in my browsers.

Yeah and recaptchas :angry: How to bypass Google. So many sites will fail.

And I really do not understand administrators. Why do they not serve the free Google fonts from their own site with CSS? It makes no sense to make your site dependent on Google for such a simple thing.


There’s probably too much “prepackaged website tools” available to make website construction easy (and profitable to data-abusing Big Tech).

About my Android app suggestion, I suppose a device would have to be rooted first, right?

It could use a VPN connection.


I wonder if you could use the terminal emulator to implement it on a non-rooted Android…? (I haven’t used that much.)

Is iptables available on Android? I just do not know. I am sure you need to root it first for this method or for modifying /etc/hosts.

I still don’t see, @fralb5, how you get the list of hosts for /etc/hosts.

Blocking Purism was a concrete example to show a problem/limitation in your method that could lead to blocking another legit website.
I could have said I want to block the company behind composers.io, and as a result I end up also blocking puri.sm.

Sadly it’s a manual list, nothing automatic; it’s my own list, growing when I find out about a tracker, or a scammer, or a shitty website I don’t want to click on again.
Today I added 2 entries (fbsv.net and tfbnw.net, thanks to you :wink: ) that I found when I searched DNS for every IP in one of the Facebook IP ranges.

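Harvesting names for the hosts list the way the post above describes (look up every address in a Facebook range and collect the names that come back), as an added example that is not code from the thread. It assumes the `host` utility is installed; the /20 size limit, the reduction to the last two labels and the function names are mine, and the only network call lives in rdns_names, which is not run here.

```sh
#!/bin/sh
# Added example: reverse-resolve a small prefix to discover the domains a
# company uses, then reduce them to the two-label form used in /etc/hosts.
# Size limit, label reduction and function names are assumptions of this
# example, not from the thread.

# Expand an IPv4 CIDR to one address per line. Refuses prefixes shorter than
# /20 (4096 addresses) so a typo cannot start a multi-million lookup run.
# Host bits are cleared, so 192.0.2.5/30 expands from 192.0.2.4.
cidr_hosts() {
    net=${1%/*}
    prefix=${1##*/}
    case $prefix in
        ''|*[!0-9]*) echo "bad prefix: $1" >&2; return 1 ;;
    esac
    [ "$prefix" -ge 20 ] && [ "$prefix" -le 32 ] || {
        echo "refusing /$prefix (allowed: /20 to /32): $1" >&2; return 1; }
    oldifs=$IFS; IFS=.; set -- $net; IFS=$oldifs
    start=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    size=$(( 1 << (32 - prefix) ))
    start=$(( start & ~(size - 1) ))
    i=0
    while [ "$i" -lt "$size" ]; do
        n=$(( start + i ))
        printf '%d.%d.%d.%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
                                $(( (n >> 8) & 255 )) $(( n & 255 ))
        i=$(( i + 1 ))
    done
}

# Reverse-resolve each address in CIDR and print the distinct PTR names.
# Needs `host` and network access; addresses without a PTR are skipped.
rdns_names() {
    cidr_hosts "$1" | while IFS= read -r ip; do
        host "$ip" 2>/dev/null |
            awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF }'
    done | sort -u
}

# Reduce names on stdin to their last two labels (a.b.fbcdn.net -> fbcdn.net),
# the form used in the /etc/hosts lines earlier in the thread. Multi-part
# public suffixes such as co.uk are not handled.
registrable_domain() {
    awk -F. 'NF >= 2 { print $(NF-1) "." $NF }'
}

# Offline demo of the expansion; a live run would be:
#   rdns_names 203.0.113.0/24 | registrable_domain | sort -u
echo "first four of 192.0.2.5/30:"
cidr_hosts 192.0.2.5/30
printf 'edge1.fbcdn.net\nstar.facebook.com\nedge2.fbcdn.net\n' | registrable_domain | sort -u
```

The names that come back from a PTR sweep are whatever the provider chose to put in reverse DNS, so they complement rather than replace forward lookups of known domains; an address with no PTR record simply produces nothing.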

You could just add one of these: https://github.com/StevenBlack/hosts
I load one of them in Pi-hole on my network, but you could use them on a single machine. You’d need to replace a list with its updated version from time to time, though.

I also use this and other lists with Blokada on my /e/OS Android.


Maybe not super helpful, but MXLinux has some utility to add block lists to /etc/hosts. I don’t really know much about it though.

I would guess that too.

Based on my experience, that isn’t necessarily a bad outcome. :rofl: I get unending attacks from Digital Ocean IP addresses (since anyone can rent a virtual server from them and run any old malicious crap). I am progressively permanently blacklisting Digital Ocean’s IP addresses i.e. ones that are actual sources of attack but maybe eventually my patience runs out and I just nuke the /17 (or whatever).

Digital Ocean does have multiple ranges though. Maybe some are worse than others. They really need to set up separate “trusted” / “certified” ranges i.e. separated from the “untrusted” (any old malicious crap). Maybe they have already done that.

Bottom line: Your approach (using AS numbers) works well for a company the size of Facebook. It won’t work adequately for smaller companies.

Personally, at home, I just use DNS poisoning.


What does DNS poisoning need to work?

I added a section to the above link that explains that this will not work for small companies who do not register their own AS number but rent IP blocks.


DNS poisoning is what @amarok is doing. It basically means that someone intentionally injects false DNS results. So instead of blackholing the right IP address (what you are doing), you get your web browser to connect to the wrong IP address (which then either fails completely or gives other errors or works - but in any case prevents tracking information being sent to the snooping web site, such as Google). Each approach has its advantages and disadvantages.

DNS poisoning can be something that you do for yourself using your own DNS server, such as Pi-hole. Pi-hole is widely used software for this. I believe the name comes from the idea that you run it on a Raspberry Pi - hence very low cost to get going - but you can run it on x86 hardware, and on a variety of distros. You could run it locally (zero hardware cost) in order to affect only just that one computer or run it as the LAN’s DNS server in order to affect most or all computers on the LAN.

Or DNS poisoning can be something that your ISP does when compelled to by your government. (So obviously DNS poisoning can be a good thing or a bad thing, depending on who is using it and on what it is used for.)

You can even combine the two - where you un-poison (by injecting true DNS results) with your own DNS server where your ISP would poison the results if you let it.