There is a more elegant solution -- and it almost, but not quite, works...

...unfortunately, to make it work, the abomination called Aegis must be purged from the system.

In short: Netfilter (a ring 0 firewall so feature-rich, flexible, and efficient that even Cisco started using it for its ASA-55x0 firewall/vpn/security devices) is
-installed
-active
-amenable to rule additions.

Unfortunately it doesn't look like it can be used. Apparently it has been "handicapped" (crippled) so that one of its most basic targets: REJECT doesn't work -- cannot work, because the underlying kernel module was renamed and therefore isn't found when needed.

It is not a kernel object, so cannot be loaded directly/manually. hard linking and soft linking don't work either (either because of aegis or losing kernel parameters). DROP apparently still works; but the solution really needs that icmp unreachable so the connection is closed immediately, rather than timing out.

Of course, without aegis it would be quite trivial to fix the broken package and make it work. And as its built for efficiency, it us a much more sensible solution than AdBlock -- a) because it works for all browsers and b) because it probably consumes an order of magnitude fewer resources (if not less), especially since its already active.