Nothing prevents you from having explicit deny rules followed by explicit allow rules followed by default deny.
And if you're already doing outbound whitelisting (which is generally much more trouble than it's worth) then unless you put Facebook on the whitelist you don't need to do anything anyway.
And if you're already doing outbound whitelisting (which is generally much more trouble than it's worth) then unless you put Facebook on the whitelist you don't need to do anything anyway.