Blocking Facebook Web Trackers At The Firewall For Extra Privacy

If you've spent any time examining the network traffic to and from your web browser, you will have noticed the prolific number of trackers embedded in web pages. These "call home", tracking your movements across unrelated web pages. Big money is made by turning you and your web activities into commodities, all while slowing down your net experience. This information is sold onwards, even to Redmond. How do you keep that information to yourself? After all, you're not the customer; you are the product being sold. You lose your privacy and gain nothing in return.

There are some web browser add-ons that aid in privacy, but it is simple enough to block the rogue sites at the firewall. In this case we block Facebook, which seems to have trackers everywhere, but the same method applies to any tracker. First, we use whois on the IP addresses of the offending sites to look up the network ranges in use by Facebook, which will be our example. The result turns out to be four subnets:

Edit 2012-11-15: As JR below points out, there is an easy way to get all the subnets:

/usr/bin/whois -h '!gAS32934' | tr ' ' '\n'

Next we add these addresses to the firewall. The method varies depending on the packet filter your system uses. In all of these examples we REJECT the packet rather than DROP it. There are plenty of reasons to favor REJECT over DROP; the most important one here is that the browser gets immediate feedback that the site is blocked instead of wasting time waiting for a connection timeout.

Below are three examples for the major types of filter. All of these examples will require root access, either via sudo or directly.


Linux with UFW

Some distros come with UFW, the Uncomplicated Firewall, and many others package it. UFW is a text-based front end to iptables, consisting of a few simple commands and designed to be easy to use. Fortunately, UFW accepts a network range as input.

ufw reject out to
ufw reject out to
ufw reject out to
ufw reject out to

The way to restore the factory defaults for UFW is to reset:

ufw reset


Plain Old Iptables

If your distro does not come with UFW or you are not accustomed to using it, you can work directly with iptables. Again, iptables can take a network range as input, like UFW does.

iptables -A OUTPUT -d -j REJECT
iptables -A OUTPUT -d -j REJECT
iptables -A OUTPUT -d -j REJECT
iptables -A OUTPUT -d -j REJECT

Clearing iptables takes three steps: zero the packet counters (-Z), flush all rules (-F) and delete any user-defined chains (-X). Note that this removes every rule in the filter table, not only the ones added above:

iptables -Z; iptables -F; iptables -X

More about iptables can be found at Oskar Andreasson's Iptables-tutorial.


BSD, including OS X

PF works on OS X, FreeBSD, NetBSD, DragonFly BSD and OpenBSD. Recent versions of OS X, which is based on BSD, have adopted OpenBSD's Packet Filter (PF); the BSDs themselves have used this filter for a long time.

Tables are the easy way to hold the list of networks to be blocked. The following two lines are added to the configuration file pf.conf in their appropriate places, the table definition before the filter rule that references it.

table <trackers> persist {,,, } 
block quick to <trackers>

Next, load the ruleset into PF.

pfctl -f pf.conf

Be sure to keep a backup copy of your filter rules. More about PF can be found in Peter Hansteen's Firewalling with PF or his book, The Book of PF, 2nd edition.
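As an added example (not code from the original article or from any of the firewall projects it mentions), here is a POSIX shell script that ties the whois step from the edit above to the three rule formats: it parses a RADB `!gAS` reply, discards anything that is not a well-formed IPv4 prefix, and prints ufw, iptables or pf rules for review instead of piping whois output straight into the firewall. The RADB reply embedded in it is constructed from RFC 5737 documentation prefixes plus deliberately malformed entries, not Facebook's ranges; the whois server name and the script file name are placeholders. For pf it emits `block return`, the equivalent of REJECT, whereas the article's plain `block` line follows the `set block-policy` default of dropping silently.

```shell
#!/bin/sh
# Added example, not part of the original article or of any firewall project.
# Turns a RADB "!gAS<asn>" whois reply into validated IPv4 prefixes and prints
# the matching block rules for ufw, iptables or pf, so the rule set can be
# reviewed before being applied as root. The reply below is constructed: it
# copies the RADB reply format but uses RFC 5737 documentation prefixes and a
# few deliberately malformed entries, not Facebook's real ranges.
SAMPLE_RADB_REPLY='A81
192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 999.1.1.0/24 10.0.0.0/33 203.0.113.9
C'

# Extract the prefixes from a RADB reply read on stdin. The reply is
# "A<byte-count>", one line of space-separated prefixes, then "C"; a reply
# starting with D (no entries) or F (error) is reported and fails the pipeline.
radb_prefixes() {
    awk '
        /^A[0-9]+$/ { next }                                  # header line
        /^C$/       { exit }                                  # end of data
        /^[DF]/     { print "radb error: " $0 > "/dev/stderr"; exit 1 }
        { for (i = 1; i <= NF; i++) print $i }
    '
}

# Return 0 only for a syntactically valid IPv4 CIDR: four decimal octets in
# 0..255 and a prefix length in 0..32. Anything else (including text a whois
# server might send back) is rejected before it can reach a firewall command.
valid_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;          # a bare address is not accepted; require /len
    esac
    addr=${1%/*}
    plen=${1##*/}
    case $plen in
        ''|*[!0-9]*|????*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    case $addr in
        *[!0-9.]*|'') return 1 ;;       # digits and dots only
    esac
    case $addr in
        *.*.*.*) ;;                     # at least three dots
        *) return 1 ;;
    esac
    o1=${addr%%.*}; rest=${addr#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}      # o4 keeps any extra dots, caught below
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        case $octet in
            ''|*.*|????*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Keep only valid prefixes; log the rest on stderr rather than passing them on.
valid_only() {
    while IFS= read -r cidr; do
        if valid_cidr "$cidr"; then
            printf '%s\n' "$cidr"
        else
            printf 'skipping malformed prefix: %s\n' "$cidr" >&2
        fi
    done
}

# Print the block rules for the given backend from the prefixes on stdin.
# pf's equivalent of iptables REJECT is "block return"; plain "block" follows
# the block-policy option, which defaults to dropping silently.
emit_rules() {
    backend=$1
    list=$(cat)
    [ -n "$list" ] || { echo 'no prefixes to block' >&2; return 1; }
    case $backend in
        ufw)      printf '%s\n' "$list" | sed 's/^/ufw reject out to /' ;;
        iptables) printf '%s\n' "$list" | sed 's/^/iptables -A OUTPUT -d /; s/$/ -j REJECT/' ;;
        pf)
            members=$(printf '%s\n' "$list" | tr '\n' ',' | sed 's/,$//; s/,/, /g')
            printf 'table <trackers> persist { %s }\n' "$members"
            printf 'block return quick to <trackers>\n' ;;
        *)        printf 'unknown backend: %s\n' "$backend" >&2; return 1 ;;
    esac
}

# Usage: sh block-trackers.sh [ufw|iptables|pf]   (prints rules; apply them yourself)
# In real use replace the sample with the output of: whois -h <radb-server> '!gAS<asn>'
printf '%s\n' "$SAMPLE_RADB_REPLY" | radb_prefixes | valid_only | emit_rules "${1:-iptables}"
```

Run with `sh block-trackers.sh pf` (or `ufw`, `iptables`) and the three valid prefixes come out as rules while the three malformed entries are reported on stderr. Feeding the validated list into the live firewall is a deliberate second step, which is also the moment to check that the generated rules do not collide with rules you already have.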



Blocking at the firewall stops every form of tracking from the blocked sites. In some cases it even speeds up page loading and rendering, since fewer calls to remote servers are made. Tracking requests also consume bandwidth, which is worth considering if you are on a slow connection or one with bandwidth caps. Facebook served as the example above, but the same method can be applied to protect against other trackers.


11 Comment(s)



From: at: 2012-11-12 16:28:16

have immediately integrated your rules into my wlan router's firewall rules

From: jr at: 2012-11-12 17:48:37

For Linux: to block all IP addresses currently owned by Facebook use:

/usr/bin/whois -h '!gAS32934' | head -n -1 | tail -n -1 | /usr/bin/xargs --max-args=1 | /usr/bin/xargs -I {} --max-args=1 /sbin/iptables -t mangle -I POSTROUTING -d {} -j DROP

From: at: 2012-11-15 14:31:06

Thanks, that's much more thorough.

From: at: 2012-11-15 14:51:15

It would be important to use REJECT instead of DROP so that you get a prompt response rather than a sluggish timeout.

From: daniel at: 2012-12-23 18:15:37

Thank you for this great HowTo!

The above command leads to the following (additional) IP-Ranges:

From: Anonymous at: 2012-11-13 01:52:03

There is a typo in two places

should be

Two-bit netmask seems to be excessive :-)

From: at: 2012-11-15 14:26:53

Thanks. I've updated the table.

From: Anonymous at: 2012-11-13 19:01:07

I guess that blocking the facebook trackers also blocks facebook?

From: Scanman at: 2012-11-15 06:29:11

The Ghostery addon in Firefox gives me insight into which URL address is actually a tracker. Then a whois reveals their IP. Thanks for this article, my iptables are up to date now.

From: XfceEvangelist at: 2013-05-21 12:35:17

This is exactly what I was looking for.

A very big thank you from Italy.

From: Anonymous at: 2014-01-16 05:28:27

Thank you very much... It has been very useful for blocking Facebook on my school computer network.