Hacker News
by jethro_tell 3674 days ago
Because most people don't block outbound, and certainly not in a stateful way, which means it's a poor place for a blacklist. To get this to work outbound, you need to allow all other traffic out (fine, that's probably what you are doing already) or have a curated whitelist of other traffic allowed out. I assume this package doesn't want to make that assumption, so the safe thing to do is to make an inbound blacklist.
1 comment

That doesn't make any sense. You can block outbound just fine by having your block rules followed by a default allow. You don't need anything to be stateful when you are blocking whole IP addresses.
So this has to assume that it's not a whitelisting setup and put a default allow. Which, if you do outbound whitelisting, kinda fucks things up.
Nothing prevents you from having explicit deny rules followed by explicit allow rules followed by default deny.

And if you're already doing outbound whitelisting (which is generally much more trouble than it's worth) then unless you put Facebook on the whitelist you don't need to do anything anyway.
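As an added illustration of the rule-ordering point argued in this thread (this is not code from either commenter or from the package being discussed), the block below models an outbound packet filter as a first-match rule list followed by a default verdict. It shows the three arrangements mentioned: block list then default allow, block list then allow list then default deny, and the broken variant where the block list is appended after the allow list. Matching is on destination address only, which is why no connection tracking is needed to block whole IP ranges. All addresses are constructed from documentation ranges, and the function names are assumptions made here.

```python
"""First-match outbound filter model (added illustration, not from the thread).

A rule list is walked top to bottom; the first rule whose destination network
contains the packet's destination decides, otherwise the default verdict does.
This is the same evaluation order as an iptables OUTPUT chain with a policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "deny" or "allow"
    dst: str      # CIDR the destination address must fall in


def evaluate(rules, default, dst_ip):
    """Verdict for one outbound packet to dst_ip: first matching rule wins."""
    addr = ip_address(dst_ip)
    for rule in rules:
        if addr in ip_network(rule.dst):
            return rule.action
    return default


# Constructed block list standing in for whatever the package would ship
# (documentation addresses, not real targets). Hypothetical values.
BLOCKLIST = ["203.0.113.10/32", "198.51.100.7/32"]

# Constructed curated allow list for the whitelisting scenario; note that it
# overlaps the block list, which is exactly where ordering matters.
EXAMPLE_ALLOWED = ["203.0.113.0/24", "192.0.2.0/24"]


def default_allow_ruleset():
    """Block list first, then let everything else out (the common setup)."""
    return [Rule("deny", n) for n in BLOCKLIST], "allow"


def whitelist_ruleset(allowed=EXAMPLE_ALLOWED):
    """Explicit denies, then explicit allows, then deny by default."""
    rules = [Rule("deny", n) for n in BLOCKLIST]
    rules += [Rule("allow", n) for n in allowed]
    return rules, "deny"


def bad_order_ruleset(allowed=EXAMPLE_ALLOWED):
    """Same rules, but the block list is appended after the allow list."""
    rules = [Rule("allow", n) for n in allowed]
    rules += [Rule("deny", n) for n in BLOCKLIST]
    return rules, "deny"


def verdicts(ruleset, dsts):
    """Map each destination to its verdict under the given (rules, default)."""
    rules, default = ruleset
    return {d: evaluate(rules, default, d) for d in dsts}


if __name__ == "__main__":
    # Constructed sample destinations: one blocked inside the allowed /24,
    # one blocked outside it, one allowed, one matched by nothing.
    sample = ["203.0.113.10", "198.51.100.7", "203.0.113.20", "8.8.8.8"]
    for name, rs in [("default allow", default_allow_ruleset()),
                     ("whitelist", whitelist_ruleset()),
                     ("bad order", bad_order_ruleset())]:
        print(name, verdicts(rs, sample))
```

Under both correct arrangements the blocked addresses get "deny" regardless of whether the default is allow or deny; only when the allow rule for 203.0.113.0/24 precedes the deny for 203.0.113.10 does the blocked host leak through. In iptables terms the rule list is the OUTPUT chain and `default` is its policy (`iptables -P OUTPUT DROP` for the whitelisting case).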