how to block facebook?

Look into opendns 🙂

10.5 should honor entries in the /etc/hosts file if properly formed. you may need to issue a dscacheutil -flushcache to flush the cache before it will work on the client, however.

another option is to redirect it using a proxy or even just simple dns on the lan.

You would have all your clients go to the server for DNS and then in the DNS service have a pass through so when its not in the internal DNS system it gets passed to opendns

I'd suggest a proxy server, too.

It would have the benefit of caching content to improve performance for content that multiple users are accessing, as well as giving you control over which sites can and can not be accessed.

It would require third-party software, though, since there's nothing built-in that will do this, and you'll need to edit each client system to tell them to use the proxy server, but that should do the trick.

Look at something like Squid for one option.

Remember that [NAT firewall router|http://discussions.apple.com/message.jspa?messageID=8794637#8794637] I've suggested for those other issues you've been working on? That typical mid-grade firewall plugs this particular requirement, too, as various of these devices have content filtering, either by web domain name or by IP address.

Analogous to the proxy server in terms of the network position, these firewall devices use their position on the edge of the local LAN to control inbound and (for cases such as this) outbound traffic.

These widgets located out on the network border do often implify network administration, in my experience.

But using the IT staff to solve a HR problem could bite you in the rear..
We tried to do this at a Advertising Agency I worked at and had a mass revolt, and it was my *** on the line, even though the President and HR person told me to do this..

<Edited by Moderator>

I am not sure how it could hurt you. IT is very imortant to having people do work rather then do FB for 7 hours a day. You need to make sure HR or someone high signs off on what your doing and blocking. IMO work is for work and home is for home, especially when people have deadlines with slow to no internet do to web 2.0 and especially youtube.

Does Mac OS X Server have NAT and firewall and web proxy capabilities? IP Routing? Yes.

Mac OS X Server makes a capable network appliance.

But are you positioning, wiring and operating and setting up the routing for the Mac OS X Server box here as if it were an appliance?

Or are you operating it as a general-purpose system with user-level activities and related tasks?

These two uses tend to be in relative opposition.

Appliances providing NAT and firewall are typically configured and placed on an IP network differently than a general-purpose computer. This due to how IP routing works and particularly with multiple NICs on one host, and how these services process arriving (or departing) IP traffic.

As for appliances, an Airport Extreme can make a more economical firewall/NAT box for instance, and there are other options. And I prefer to keep the users (including myself in that) off of my firewalls.

The web proxy server is used in conjunction with the firewall, too. The firewall is configured to accept traffic headed to port 80 only from the web proxy server.

I'd dearly love to be able to afford a rack of Xserve boxes providing NAT and firewall and everything else that they're good at. But I still would not mix general-purpose usage and appliance usage on the same box, or within the same guest inside a virtual machine instance. And I'd still look to use dedicated appliances, as an Airport Extreme or a Time Capsule can be more economical than an Xserve at various of these tasks.

And it would be a whole lot easier to get rid of NAT entirely here, if you can get a subnet somewhere in the organization's 10.0.0.0/8 net, or enough addresses in the local subnet within the 10.0.0.0/8 block. I won't suggest going to IPv6, unless the local organization is already headed there...

Things just get hairy when you have everything all running on one box.

Are your users managed by the OS X server? If so, you can set their network preferences to point to a proxy of some kind. In the same network preferences you can set certain domains i.e "facebook.com" so that they bypass the proxy.

If you use something like Squidman:

http://homepage.mac.com/adg/SquidMan/index.html

And install it on a server somewhere, you can use this as the proxy. Though presumably you must be going through some kind of proxy already? Even if it's unfiltered.