Blocking Facebook on OS X


A recent article on The Verge, “Facebook begins tracking non-users around the Internet,” raised my hackles. I have never had an account on Facebook as I don’t particularly want to support a business operating almost exclusively on the tenet that the user is the product.

Now, whether I want it to or not, Facebook is going to try to track and profile me. But I shouldn’t object; I should embrace it. After all, Facebook surely has my best interests in mind:

“Facebook believes it can more accurately target non-members using the vast amounts of data it already has on the nearly 1.7 billion people who use the site. The company says it can use that data to make inferences about the behaviour of non-members, an approach known as ‘lookalike’ targeting. ‘Because we have a core audience of over a billion people who we do understand, we have a greater opportunity than other companies using the same type of mechanism.’” Andrew Bosworth, vice president of Facebook’s ads and business platform, speaking with the Wall Street Journal

That’s great. Thanks Mr. Bosworth, but no thanks.

I have enabled Do Not Track in my web-browser but Facebook does not honour that request.[1] The company has no respect for an individual’s privacy. So here’s what I’m going to do: I’m going to block all traffic from my computer to Facebook.

To do this, I’m going to use PF, the packet filtering firewall that OS X provides.

In order to configure a PF rule to block them, I need to find all the external IP address blocks that Facebook operates with. How? Well, Facebook is a large organisation, with countless servers and other Internet-facing appliances spread around the planet. In all likelihood, they’ll qualify for an Autonomous System Number. A quick Google search for “facebook asn” confirms this and reveals their ASN: AS32934.

In the terminal, I can retrieve a list of all IP address ranges associated with that ASN with the following command:

whois -h whois.radb.net '!gAS32934' | tr ' ' ', '

which returns a list covering ~60,000 IP addresses at the time of writing.

I take the resulting comma-separated list and add it into a new rule in the pf.conf file on my Mac:[2]

table <facebook> persist { 204.15.20.0/22, 69.63.176.0/20, 66.220.144.0/20, 66.220.144.0/21, 69.63.184.0/21, 69.63.176.0/21, 74.119.76.0/22, 69.171.255.0/24, 173.252.64.0/18, 69.171.224.0/19, 69.171.224.0/20, 103.4.96.0/22, 69.63.176.0/24, 173.252.64.0/19, 173.252.70.0/24, 31.13.64.0/18, 31.13.24.0/21, 66.220.152.0/21, 66.220.159.0/24, 69.171.239.0/24, 69.171.240.0/20, 31.13.64.0/19, 31.13.64.0/24, 31.13.65.0/24, 31.13.67.0/24, 31.13.68.0/24, 31.13.69.0/24, 31.13.70.0/24, 31.13.71.0/24, 31.13.72.0/24, 31.13.73.0/24, 31.13.74.0/24, 31.13.75.0/24, 31.13.76.0/24, 31.13.77.0/24, 31.13.96.0/19, 31.13.66.0/24, 173.252.96.0/19, 69.63.178.0/24, 31.13.78.0/24, 31.13.79.0/24, 31.13.80.0/24, 31.13.82.0/24, 31.13.83.0/24, 31.13.84.0/24, 31.13.85.0/24, 31.13.86.0/24, 31.13.87.0/24, 31.13.88.0/24, 31.13.89.0/24, 31.13.90.0/24, 31.13.91.0/24, 31.13.92.0/24, 31.13.93.0/24, 31.13.94.0/24, 31.13.95.0/24, 69.171.253.0/24, 69.63.186.0/24, 31.13.81.0/24, 179.60.192.0/22, 179.60.192.0/24, 179.60.193.0/24, 179.60.194.0/24, 179.60.195.0/24, 185.60.216.0/22, 45.64.40.0/22, 185.60.216.0/24, 185.60.217.0/24, 185.60.218.0/24, 185.60.219.0/24, 129.134.0.0/16, 157.240.0.0/16, 204.15.20.0/22, 69.63.176.0/20, 69.63.176.0/21, 69.63.184.0/21, 66.220.144.0/20, 69.63.176.0/20 }
block quick to <facebook>

I save that, then load the rules into PF:

sudo pfctl -f /private/etc/pf.conf

Then — the moment of truth — I instruct my web-browser to go to facebook.com and, for a long time, nothing… then the browser simply times out. The firewall has prevented the network request to facebook.com and I can rest easy knowing that my computer is passing no information to that parasitic organisation.

An extreme tactic? Maybe, or perhaps Facebook should simply respect the wishes of those of us who do not want to participate in their “user is the product” model.
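The table above repeats some prefixes and lists many /24s that already sit inside a larger block such as 31.13.64.0/18. The Python sketch below is an added example, not part of the original article: it parses a RADb reply, skips anything that is not an IPv4 prefix, merges duplicates and overlaps, and emits an equivalent table and rule. The sample reply is constructed from prefixes in the list above; its `A`/`C` framing lines and all function names are assumptions of this example.

```python
import ipaddress
import sys

# Constructed sample reply built from prefixes in the list above. The "A<length>"
# and "C" framing lines are an assumption about the server's reply format.
SAMPLE_REPLY = """A128
31.13.64.0/18 31.13.64.0/19 31.13.64.0/24 31.13.65.0/24 69.63.176.0/20
69.63.176.0/21 69.63.184.0/21 204.15.20.0/22 204.15.20.0/22
C
"""


def parse_prefixes(reply):
    """Return every well-formed IPv4 CIDR in the reply; skip all other tokens."""
    nets = []
    for token in reply.replace(",", " ").split():
        if "/" not in token:
            continue  # framing lines such as "A128" or "C"
        try:
            nets.append(ipaddress.IPv4Network(token, strict=True))
        except ValueError:
            continue  # malformed or non-IPv4 entry
    return nets


def collapse(nets):
    """Drop duplicates and prefixes already covered by a larger block."""
    return list(ipaddress.collapse_addresses(nets))


def pf_rules(reply, table="facebook"):
    """Build the table and block rule; refuse to emit an empty table."""
    merged = collapse(parse_prefixes(reply))
    if not merged:
        raise ValueError("no prefixes found in reply")
    body = ", ".join(str(n) for n in merged)
    return f"table <{table}> persist {{ {body} }}\nblock quick to <{table}>\n"


def address_count(reply):
    """Number of distinct IPv4 addresses the merged table covers."""
    return sum(n.num_addresses for n in collapse(parse_prefixes(reply)))


if __name__ == "__main__":
    # Reads a piped whois reply, or falls back to the constructed sample.
    text = SAMPLE_REPLY if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(pf_rules(text))
    print(f"# covers {address_count(text)} addresses", file=sys.stderr)
```

Because the script raises an error when a lookup returns no prefixes, a failed or empty whois query cannot silently replace a working table with an empty one.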

  1. Why would they? To do so would undermine their business model. ↩︎

  2. The location of this file is /private/etc on my Mac. It might be in a different path on your machine. Use: sudo find / -name "pf.conf" to locate it. ↩︎