Allow only specific ip

#1

Hello

My firewall rules and content blocking are set to block by default, so how can I allow only one specific IP to Facebook? For example, allow 192.168.0.10 to Facebook?

Thanks

0 Likes

#2

This is not easy at all at Layer 3.
Blocking (or allowing) access to a web service as complicated as Facebook with its multiple regions, CDNs, and sources of data is not simply a question of adding allow rules for a few destination IPs from your LAN client.

I mostly see this level of filtering performed at a DNS level (i.e. https://www.opendns.com/home-internet-security/ for home and https://www.ciscoumbrella.com for work), or with dedicated appliances.

At home I run a dedicated SSID for guest / family device use that routes all traffic via a free Sophos UTM virtual machine https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

1 Like

#3

As @MartinLangmaid has suggested, this is a bit of a challenge. We use PiHole (https://pi-hole.net/) for that sort of thing and then exempt certain LAN addresses if needed. (You’d be amazed at all the attempts various sites make to load data from Facebook.)

1 Like

#4

As noted, Facebook has a lot of different IPs to block, but if all you want to do is block unsophisticated users from wasting time on Facebook, you can do it with a few firewall rules. Remember that the rules apply to the first one that matches, so when the session matches the first rule below for ALLOW, the second rule does not apply.

Firewall Outbound rules:
source=exempted IP, destination=domain name facebook.com (or simply list “any”), ALLOW
source=any, destination=domain name facebook.com, DENY

Or you can do it in the content blocking section:

QoS > User Groups: Assign the exempt IPs to the Manager group

Firewall > Content blocking: Add facebook.com to the custom domain block list. Then click Manager under exempted user groups.

Neither of these will stop someone from typing in Facebook’s IP address directly.

1 Like
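
The first-match behaviour described in post #4, as an added example that is not part of any post in this thread and is not any vendor's configuration syntax. It is a small Python model: the rule field names, the subdomain-matching rule, and the idea that a connection to a bare IP carries no domain name to match are assumptions, and 192.168.0.10 is the exempt host from the question.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set modelled on the two outbound rules in post #4.
# Order matters: the exempt-host ALLOW must come before the general DENY.
RULES = [
    {"src": "192.168.0.10/32", "domain": "facebook.com", "action": "ALLOW"},
    {"src": "0.0.0.0/0", "domain": "facebook.com", "action": "DENY"},
]


def domain_matches(rule_domain, requested):
    """Assumed semantics: a domain rule covers the name and its subdomains."""
    if rule_domain == "any":
        return True
    if requested is None:  # connection made to a bare IP: no name to match
        return False
    requested = requested.lower().rstrip(".")
    return requested == rule_domain or requested.endswith("." + rule_domain)


def evaluate(rules, src_ip, requested_domain, default="ALLOW"):
    """Return the action of the first matching rule, else the default policy."""
    for rule in rules:
        src_ok = ip_address(src_ip) in ip_network(rule["src"])
        if src_ok and domain_matches(rule["domain"], requested_domain):
            return rule["action"]
    return default


if __name__ == "__main__":
    cases = [
        ("192.168.0.10", "www.facebook.com"),  # exempt host
        ("192.168.0.25", "www.facebook.com"),  # any other LAN host
        ("192.168.0.25", "example.org"),       # unrelated site
        ("192.168.0.25", None),                # destination given as an IP
    ]
    for src, name in cases:
        print(f"{src:>13} -> {name}: {evaluate(RULES, src, name)}")
    # Reversed order: the general DENY matches first and the exemption is lost.
    print("reversed:", evaluate(RULES[::-1], "192.168.0.10", "facebook.com"))
    # Under a default-deny policy the bare-IP connection falls through to DENY.
    print("default deny:", evaluate(RULES, "192.168.0.25", None, default="DENY"))
```

In this model the domain rules never see a connection made to a bare IP, so its fate is decided entirely by the default policy.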