Home » Categories » Multiple Categories
Icon Printer Icon Email      Icon Twitter Icon Digg Icon Stumbleupon Icon de.icio.us Icon FaceBook

How to block Facebook


There are few possible options you can use to limit, block or deny the access to the Facebook site or its applications.

This article is a guide only. It is not an ultimate solution to the problem, but it can solve it in most cases.

For Kerio Control 8.2 and higher, read article Configuring the Content Filter first.


HTTP access

Use HTTP policy rules to block facebook access

In Kerio Control you can use the HTTP content filtering to block access to certain URL addresses. It is easy to create a denying rule in HTTP policy rules to block Facebook URL. An example of such rule is below:

You can also block the HTTPS access using this rule if you apply Also apply to secured connectrions (HTTPS) option in the rule.


This option is available since Kerio Control 7.4.1. version.

HTTPS access

It can happen that HTTPS traffic is not blocked by default denying rule. This can happen in case the site does not provide enough information to be blocked by denying rule (see following article for more details). In this case you can find following other methods helpful.

Block IP address ranges used by Facebook

The best possible way is to block IP address ranges used by Facebook servers. This IP address list may change in time, so it is worth to monitor the IP range time to time to update it to include new or changed IP addresses ranges.

Following IP address ranges are known to be used by Facebook:

  • -
  • -
  • -
  • -

Additional IP ranges which may be assigned to Facebook Inc. (Optional)


Following IP address range was known to be owned by Facebook Inc. in time of creation of this article. This may change over time and we do not guarantee there are any other services running on these IP addresses.

Create a blocking traffic policy rule for the Facebook IP address group. An example below is done to block Facebook from Trusted network (Local Area Network).

Change the host file on local machines to point to non-existing site

Using Active Directory domain policy it would be possible to change the host file on each local machine in the network. As every computer looks to this file before it sends the request to the DNS server, it could be a solution to point www.facebook.com to a non-existng site to prevent access to the facebook.


Use Kerio Connect host file to point DNS record of facebook to a denying page

It is possible to change DNS forwarder of Kerio Control to point facebook.com DNS requests to some other DNS server, or to change the IP address it responds to the client. This way you can redirect the client to some other HTTP server with a denying page displaying it is forbidden content. This solution is analogous to the solution with HOST file, except it is done on Kerio Control side.

www.facebook.com   [DenyIPAddress]

Use custom DNS forwarding to point DNS query to DNS server resolving the facebook.com domain names to a denying page

It is possible to use custom DNS forwarding feature of Kerio Control to point all DNS queries having format of *facebook.com* to a DNS server (eg. MS DNS server), which can act as DNS server for facebook domain resolving DNS queries to a not existent or a denying HTTP server (IP address of denying page).

Following example redirects all DNS queries for facebook.com domain to DNS server (eg. MS DNS server), which can respond with a fake IP address pointing the client to a different server with a denying text.


comments powered by Disqus