Blocking Facebook's networks on ASA firewall

Table of contents

  1. Facebook and GDPR
  2. Query whois for Facebook ASN
  3. Create ACL
  4. Background information

Facebook and GDPR

If website owners embed a Facebook Like button, personal data is transferred to Facebook and those websites violate Europe's GDPR laws.

To protect myself from other websites' illegal GDPR violations, I implemented an access control list for Facebook's network ranges on my ASA firewall.

Query whois for Facebook ASN

To get all IP ranges (in this case legacy IPv4 ranges), I am going to query whois for Facebook's autonomous system number, AS32934. The command line below will give me all IPv4 ranges assigned to Facebook.

    ~$ whois -h -- '-i origin AS32934' | grep 'route:'
    ...and so on...

Create ACL

Based on the network list above (about 90 network ranges), I can build an access control list like this:

    name zzz-facebook.
    ...and so on...
    object-group network grp-facebook-networks
      network-object object zzz-facebook.
      ...and so on...
    access-list inside_access_in extended deny ip object [LOCAL-NETWORK] object-group grp-facebook-networks
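
One way to turn the whois output into the ASA commands, as an added example (not the author's own script): it parses the `route:` lines, collapses duplicate and overlapping prefixes, and writes each one as a `network-object` with a dotted netmask directly in the object-group instead of going through `name` entries. The sample prefixes are constructed RFC 5737 documentation ranges, and the function names are this example's own.

```python
import ipaddress

# Constructed sample of `whois ... | grep 'route:'` output, using RFC 5737
# documentation prefixes rather than the real prefixes of any AS.
SAMPLE_WHOIS = """\
route:          192.0.2.0/24
route:          192.0.2.64/26
route:          198.51.100.0/25
route:          198.51.100.128/25
route:          203.0.113.0/24
route:          203.0.113.0/24
route6:         2001:db8::/32
"""

def parse_routes(text):
    """Return the IPv4 networks from `route:` lines, skipping everything else."""
    nets = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() != "route":
            continue  # ignores route6:, descr:, origin:, blank lines
        try:
            nets.append(ipaddress.IPv4Network(value.strip(), strict=True))
        except ValueError:
            continue  # malformed prefix, or host bits set
    return nets

def asa_config(nets, group="grp-facebook-networks",
               acl="inside_access_in", local="[LOCAL-NETWORK]"):
    """Collapse duplicates/overlaps and render the object-group plus ACL line."""
    lines = [f"object-group network {group}"]
    for net in ipaddress.collapse_addresses(nets):
        # ASA network-object takes address + dotted netmask, not CIDR.
        lines.append(f"  network-object {net.network_address} {net.netmask}")
    lines.append(f"access-list {acl} extended deny ip object {local} "
                 f"object-group {group}")
    return lines

if __name__ == "__main__":
    print("\n".join(asa_config(parse_routes(SAMPLE_WHOIS))))
```

Collapsing matters with about 90 announced ranges: more-specific routes inside an already listed prefix add entries to the object-group without changing what the ACL matches.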

Background information

For background information see (in German):

Verbraucherzentrale: EuGH-Generalanwalt äußert sich zum Like-Button… and WBS Rechtsanwaelte: Facebook Like Button vor dem EuGH… or, in English, The Register: Facebook Like, social sharing buttons on your website may land you in GDPR hot water…