No facebook. Definitely no facebook.

Why and how I don't facebook.

Facebook destroys the open web: posts are either not available to anonymous viewers or display obnoxious "sign up" windows. Nobody guarantees that open posts will stay open in the future. Posts cannot be indexed by search engines. The Internet Archive is not allowed to archive facebook posts.

Facebook is a privacy nightmare of the Orwellian dystopia type.

Even if the attempt may seem futile, somebody has to start and make a point. Facebook deserves to go the way of CompuServe, AOL, the original MSN and other walled gardens.

In addition to not being on facebook, I took measures to (permanently) get rid of the weekly "do you know " emails from facebook and to disable facebook's tracking of your use of the web.

There are numerous possible ways to do that. I find that blackhole-routing the complete facebook AS on the border router, combined with configuring the local DNS caching resolver to report facebook.com as non-existent, works reasonably well.

The downside is that you don't even get to see public facebook posts, but for many reasons those are not a very good idea in the first place. Further reading: Why I can't/won't point to Facebook blog posts, Fuck Facebook and Why Tim Berners-Lee is no friend of Facebook.

Blackhole-routing

The idea is to route every IP packet destined for facebook to the local loopback interface, getting rid of it. So, how do we do it? First, get the relevant AS numbers. Some google-fu gets us AS32934. ipinfo.io gives us a list of the IP prefixes announced by that AS. So we either need to scrape the page by hand (should not take too long, only about 10 entries for each of IPv4 and IPv6) or set up some kind of automation. For each network, we issue something like

route add 157.240.0.0/24 gw 127.0.0.1

as root. Put this into /etc/rc.local or your favourite flavour of startup file, so the routes survive a reboot.

DNS

So if you run your own resolving DNS cache, you will want DNS queries for facebook to fail immediately instead of timing out. Again, there are several methods to do it. I use DJB's tinydns, and configured a "dnspoison" tinydns server on 127.0.0.1, with a data file containing just

root@gatekeeper:/etc/dnspoision# cat root/data
.:
root@gatekeeper:/etc/dnspoision#

In your dnscache configuration, for each domain you want blocked and answered immediately with NXDOMAIN, create a file in root/servers named after the domain (domainname = filename), whose content is the IP address of your "poison" DNS server.
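The two steps above (turning the AS prefix list into routes, and dropping a domain into dnscache's servers/ directory) are easy to automate. The following is an added example, not the post's own script: it uses iproute2's blackhole route type instead of the route-via-127.0.0.1 trick, the dnscache root directory is passed in as a parameter, and the prefix list is constructed sample data, not a real dump of AS32934.

```shell
#!/bin/sh
# Added example: generate blackhole routes from an AS prefix list and
# write the dnscache delegation file for a domain to be "poisoned".
# Assumes iproute2 ("ip route add blackhole ...") is available.
# The prefixes below are constructed sample input, not real AS32934 data
# (one deliberately malformed line shows the skip path).
SAMPLE_PREFIXES='157.240.0.0/24
2a03:2880::/32
not-a-prefix
31.13.64.0/18'

# Read prefixes from stdin and print one "ip route add blackhole" command
# per valid-looking CIDR prefix. IPv6 prefixes get "ip -6"; anything that
# is not in CIDR notation is reported on stderr and skipped, so a scraping
# glitch cannot turn into a bogus route.
blackhole_cmds() {
  while IFS= read -r p; do
    case "$p" in
      ''|'#'*)   continue ;;
      *:*/*)     printf 'ip -6 route add blackhole %s\n' "$p" ;;
      *.*.*.*/*) printf 'ip route add blackhole %s\n' "$p" ;;
      *)         printf 'skipping unparseable prefix: %s\n' "$p" >&2 ;;
    esac
  done
}

# Create the dnscache servers/ entry for one domain: the file is named
# after the domain and contains the IP of the "poison" tinydns instance.
# $1 = dnscache root directory, $2 = domain, $3 = poison server IP
poison_domain() {
  mkdir -p "$1/servers" || return 1
  printf '%s\n' "$3" > "$1/servers/$2"
}

# Stand-alone run: print the commands rc.local would execute as root.
# Pipe the output into "sh" (as root) to actually install the routes.
printf '%s\n' "$SAMPLE_PREFIXES" | blackhole_cmds
```

Replace SAMPLE_PREFIXES with the list you pulled from ipinfo.io, and call poison_domain with your real dnscache root (for example /etc/dnscache/root) for each domain you want answered with NXDOMAIN.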