osx - Why can't I block Facebook using /etc/hosts on Mountain Lion?

07
2014-07
  • seanieb

    It worked for a while in the old configuration, but then stopped working for some reason.

    Here is my /etc/hosts file from my Mountain Lion MacBook Air:

    127.0.0.1 reddit.com www.reddit.com
    127.0.0.1 facebook.com www.facebook.com
    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    ##
    127.0.0.1       localhost
    255.255.255.255 broadcasthost
    ::1             localhost
    fe80::1%lo0     localhost
    

    This blocks Reddit, but not Facebook.

    I've tried flushing the DNS cache for the machine ("sudo killall -HUP mDNSResponder") and the browsers (FF and Chrome), and I've tried restarting the computer.

    And I've moved the entries to the top of the file on the advice of this article, but it didn't work before when it was at the bottom either. Each time it would block Reddit but not Facebook.

  • Answers
  • Jesse Endahl

    harrymc is close but for some reason OS X (as of 10.8.2) doesn't respect the IPv6 loopback address of ::1 (probably a bug), so you have to use fe80::1%lo0. The reason you need to block IPv6 is because Facebook will serve you their site over V6 if your ISP supports it. You can easily verify this by installing a browser plugin that displays an icon when a site is being served via IPv6. The reason this wasn't a problem for you before is because Facebook likely only recently started serving their site over IPv6.

    So the correct answer is:

    # Block Facebook IPv4
    127.0.0.1   www.facebook.com
    127.0.0.1   facebook.com
    127.0.0.1   login.facebook.com
    127.0.0.1   www.login.facebook.com
    127.0.0.1   fbcdn.net
    127.0.0.1   www.fbcdn.net
    127.0.0.1   fbcdn.com
    127.0.0.1   www.fbcdn.com
    127.0.0.1   static.ak.fbcdn.net
    127.0.0.1   static.ak.connect.facebook.com
    127.0.0.1   connect.facebook.net
    127.0.0.1   www.connect.facebook.net
    127.0.0.1   apps.facebook.com
    
    # Block Facebook IPv6
    fe80::1%lo0 www.facebook.com
    fe80::1%lo0 facebook.com
    fe80::1%lo0 login.facebook.com
    fe80::1%lo0 www.login.facebook.com
    fe80::1%lo0 fbcdn.net
    fe80::1%lo0 www.fbcdn.net
    fe80::1%lo0 fbcdn.com
    fe80::1%lo0 www.fbcdn.com
    fe80::1%lo0 static.ak.fbcdn.net
    fe80::1%lo0 static.ak.connect.facebook.com
    fe80::1%lo0 connect.facebook.net
    fe80::1%lo0 www.connect.facebook.net
    fe80::1%lo0 apps.facebook.com
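
Added example, not part of any answer on this page: a small Python audit of a hosts file for the gap described above, names that are overridden for IPv4 only (or IPv6 only). It also flags lines where two entries were run together. The sample file and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not the asker's file); line 7 has two entries run together.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
fe80::1%lo0     localhost
127.0.0.1 reddit.com www.reddit.com
127.0.0.1 facebook.com www.facebook.com  # block
fe80::1%lo0 facebook.com
127.0.0.1 fbcdn.net 127.0.0.1 static.ak.fbcdn.net
"""

def parse_addr(token):
    """Return the parsed address, ignoring an IPv6 zone id such as %lo0."""
    try:
        return ipaddress.ip_address(token.split("%", 1)[0])
    except ValueError:
        return None

def parse_hosts(text):
    """Return ({hostname: {4, 6} families}, [malformed line numbers])."""
    families, malformed = defaultdict(set), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments
        if not fields:
            continue
        ip = parse_addr(fields[0])
        # An address among the names means two entries share one line.
        if ip is None or any(parse_addr(f) is not None for f in fields[1:]):
            malformed.append(lineno)
            continue
        for name in fields[1:]:
            families[name.lower()].add(ip.version)
    return families, malformed

def audit(text, ignore=("localhost", "broadcasthost")):
    """Return ({hostname: missing family}, malformed lines) for one-family names."""
    families, malformed = parse_hosts(text)
    gaps = {name: (6 if fams == {4} else 4)
            for name, fams in sorted(families.items())
            if name not in ignore and fams != {4, 6}}
    return gaps, malformed

if __name__ == "__main__":
    gaps, malformed = audit(SAMPLE_HOSTS)
    print("single-family names:", gaps)
    print("malformed lines:", malformed)
```

To check a real file, pass its contents instead of the sample, for example `audit(open("/etc/hosts").read())`.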
    
  • John Siu

    Try adding the following line to /etc/resolv.conf:

    lookup file, bind
    

    This should force OS X to use /etc/hosts before DNS. The only problem is that if you use DHCP, this file will be overwritten on each reboot.

  • harrymc

    Try this:

    # Block Facebook IPv4
    127.0.0.1   www.facebook.com
    127.0.0.1   facebook.com
    127.0.0.1   login.facebook.com
    127.0.0.1   www.login.facebook.com
    127.0.0.1   fbcdn.net
    127.0.0.1   www.fbcdn.net
    127.0.0.1   fbcdn.com
    127.0.0.1   www.fbcdn.com
    127.0.0.1   static.ak.fbcdn.net
    127.0.0.1   static.ak.connect.facebook.com
    127.0.0.1   connect.facebook.net
    127.0.0.1   www.connect.facebook.net
    127.0.0.1   apps.facebook.com
    # Block Facebook IPv6
    ::1 www.facebook.com
    ::1 facebook.com
    ::1 login.facebook.com
    ::1 www.login.facebook.com
    ::1 fbcdn.net
    ::1 www.fbcdn.net
    ::1 fbcdn.com
    ::1 www.fbcdn.com
    ::1 static.ak.fbcdn.net
    ::1 static.ak.connect.facebook.com
    ::1 connect.facebook.net
    ::1 www.connect.facebook.net
    ::1 apps.facebook.com
    

    If this doesn't work, see the article Block Facebook, which also suggests:

    • Blocking Facebook on the Router
    • Block Facebook with an OpenDNS custom block list

    If this still doesn't work, you could try the application SelfControl.

  • Karan Raj Baruah

    Try adding these:

    127.0.0.1 www.facebook.com
    127.0.0.1 facebook.com
    127.0.0.1 static.ak.fbcdn.net
    127.0.0.1 www.static.ak.fbcdn.net
    127.0.0.1 login.facebook.com
    127.0.0.1 www.login.facebook.com
    127.0.0.1 fbcdn.net
    127.0.0.1 www.fbcdn.net
    127.0.0.1 fbcdn.com
    127.0.0.1 www.fbcdn.com
    127.0.0.1 static.ak.connect.facebook.com
    127.0.0.1 www.static.ak.connect.facebook.com

    Then it should get blocked.


  • Related Question

    osx - What is the relevance of "fe80::1%lo0 localhost" in /etc/hosts?
  • Questioner

    Following are the entries in my /etc/hosts.

    I was wondering what is the last entry (fe80::1%lo0 localhost) for.

    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost
    

  • Related Answers
  • eater

    It's an IPv6 address. The fe80:: block is reserved for link-local addresses. Link local addresses are used for packets sent only to directly connected devices (not routed). The network discovery protocol (NDP) is the biggest user of link-local addresses (NDP sorta replaces ARP and DHCP in IPv6).

    Each of your interfaces will have a different link-local address starting with fe80:: and (typically) ending with a modified version of the interface's MAC address (EUI-64 format) to ensure you have a unique address on your segment. In the case of your loopback interface, there isn't anything else connected to it, so it can use the address of fe80::1 without fear of conflict, which is why fe80::1 is typically used as the "localhost" address--the IPv6 equivalent of 127.0.0.1.

  • miku
     fe80::.....        a link local address
    

    Link-local IPv6 addresses, indicated by the fe80: prefix, are only valid on the immediate network link to which that host interface is connected.

  • Cecil Ward

    Excellent answer above from eater. IPv6 link-local addresses, as said above, are of the form fe80:*, in fact fe80::/10, meaning that only the top ten bits are matched against fe8*:*, so the range is fe80::0 .. febf:*. Check my arithmetic.

    These addresses are the equivalent of 169.254.*.* addresses in IPv4, although the IPv4 counterparts are much, much less well used.

    It is very common to have several addresses in IPv6 but only one in IPv4. Having both an fe80:: address and a globally meaningful routable IPv6 address (such as 2001:* for example) is the rule, not the exception. Unfortunately applications and operating systems don't tend to do the same in IPv4, that is, interfaces tend not to have several IPv4 addresses, and I haven't seen the case where an interface has, say, a 169.254.*.* address and another type of address simultaneously.

    Simultaneously using the two types in IPv4 would prevent a lot of pain and suffering when, for example, kit powers up in the wrong order, PCs power up before routers or servers and the PCs assign themselves a 169.254.*.* address and stick with only that rather than adding a second globally meaningful, routable address when they later find out from their router or server where they are supposed to be on the internet.