Blocking Facebooks networks on ASA firewall

If web site owners embed a facebook like button, personal data is transferred to facebook and those web sites violate against Europe’s GDPR laws.

To protect myself from other web sites illegal GDRP violations I implemented an access control list for facebook’s network ranges on my ASA firewall.

To get all IP ranges (in this case legacy IPv4 ranges) I am going to query with whois facebook’s Autonomous system number AS32934. The command line below will give me all IPv4 ranges assigned to facebook.

    ~$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route:'
    route:      69.63.176.0/20
    ...and so on...
Whois lookup for facebook’s AS32934

Based on above network list (about 90 network ranges) I can build up an Access Control List like this:

    name 69.63.176.0 zzz-facebook.69.63.176.0-20
    ...and so on...
    object-group network grp-facebook-networks
      network-object object zzz-facebook.69.63.176.0-20
      ...and so on...
    access-list inside_access_in extended deny ip object [LOCAL-NETWORK]
    object-group grp-facebook-networks
Building ACL to block facebook’s IPv4 ranges

For background information see (in German):

Verbraucherzentrale: EuGH-Generalanwalt äußert sich zum Like-Button… and WBS Rechtsanwaelte: Facebook Like Button vor dem EuGH… or in english The Register: Facebook Like, social sharing buttons on your website may land you in GDPR hot water…

Share: