Using Firewall Rules
If a website rarely changes IP addresses, access to it can be blocked by creating an alias containing its IP addresses and then referencing that alias in a block rule on the firewall.
Warning: This is not a feasible solution for sites that return low TTLs and spread the load across many servers and/or datacenters, such as Google and similar large sites. Most small to mid-sized websites can be effectively blocked using this method, as they rarely change IP addresses.
A hostname can also be inside a network alias. The hostname will be resolved periodically and updated as needed. This is more effective than manually looking up the IP addresses, but will still fall short if the site returns DNS records in a way that changes rapidly or randomizes results from a pool of servers on each query, which is common for large sites.
Another option is finding all of a site’s IP subnet allocations, creating an alias with those networks, and blocking traffic to those destinations. This is especially useful with sites such as Facebook that spread large amounts of IP space, but are constrained within a few net blocks. Using regional registry sites such as ARIN can help track down those networks. For example, all of the networks used by Facebook in the region covered by ARIN can be found at http://whois.arin.net/rest/org/THEFA-3.html under “Related Networks”. Companies may have other addresses in different regions, so check other regional sites as well, such as RIPE, APNIC, etc.
As an alternative to looking up the IP blocks manually, locate the target company’s BGP Autonomous System (AS) number by doing a whois lookup on one of their IP addresses, then use that to find all of their allocations. For example, Facebook’s AS number is AS32934:
# whois -h whois.radb.net -- '-i origin AS32934' | awk '/^route:/ {print $2;}' | sort | uniq
Copy the results of that command into a new alias and it will cover all of their currently allocated networks. Check the results periodically for updates.
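The following script, added here as an example and not part of the original page, wraps the RADB lookup above in a few reusable shell functions: it parses the whois output into a de-duplicated prefix list ready to paste into an alias, also captures IPv6 (route6:) objects that the one-liner above skips, and compares a saved list against a fresh one so periodic re-checks show exactly which prefixes were added or removed. The RADB output embedded in the script is constructed sample data using documentation prefixes and AS64496 (a reserved example AS number), not real Facebook data; fetch_routes is the only function that touches the network.

```shell
#!/bin/sh
# Added example, not from the original page: turn RADB whois output into a
# prefix list for a firewall alias and detect changes between runs.

# Constructed sample RADB output (not real data). Note the duplicate route
# object and the route6: object, both of which a naive grep would mishandle.
SAMPLE_RADB_OUTPUT='route:          203.0.113.0/24
descr:          Example Corp
origin:         AS64496
source:         RADB

route:          198.51.100.0/24
descr:          Example Corp
origin:         AS64496
source:         RADB

route:          203.0.113.0/24
descr:          same prefix repeated by a second IRR mirror
origin:         AS64496
source:         RADB

route6:         2001:db8::/32
descr:          Example Corp IPv6
origin:         AS64496
source:         RADB
'

# Print the unique IPv4 and IPv6 prefixes from RADB output read on stdin.
# Matching /^route6?:/ picks up both route: and route6: objects; sort -u
# collapses duplicates. LC_ALL=C keeps ordering byte-wise so that comm (below)
# sees the same order.
extract_routes() {
    awk '/^route6?:/ {print $2}' | LC_ALL=C sort -u
}

# Live lookup for an origin AS, e.g. fetch_routes AS32934. The "--" tells the
# whois client that the following argument is a query, not an option.
fetch_routes() {
    whois -h whois.radb.net -- "-i origin $1" | extract_routes
}

# Number of prefixes in RADB output read on stdin (quick sanity check).
count_routes() {
    extract_routes | wc -l | tr -d ' '
}

# Compare a previously saved prefix list (file $1) with a fresh one (file $2).
# Prints "+ prefix" for additions and "- prefix" for removals; both files must
# be sorted as extract_routes produces them.
route_changes() {
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/- /'
}

# Offline demonstration on the constructed sample.
printf '%s' "$SAMPLE_RADB_OUTPUT" | extract_routes
```

Run it once with fetch_routes redirected to a file, paste that file into the alias, and keep the file; on the next check, run fetch_routes into a second file and pass both to route_changes to see what needs updating in the alias.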