Community discussions

MikroTik App
 
gtrappmann
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 67
Joined: Fri Nov 03, 2006 7:42 am
Location: germany
Contact:

blog pornsites via firewall ?

Tue May 01, 2007 9:00 am

hi,


can i block global words like "porn" or other via firewall ?
i don´t want customers get stuff like this over hotspot ..


kind regards

gerd
 
cmacneill
Member Candidate
Member Candidate
Posts: 293
Joined: Sun Apr 01, 2007 10:51 pm
Location: Christchurch, New Zealand

Tue May 01, 2007 4:34 pm

Have a look at http://www.scrubit.com this site provides a public DNS service where malicious and porn sites are automatically blocked.

This doesn't stop someone going to a site if they know the IP address, but it makes it much more difficult to find out the IP address in the first place.

Enter these servers in your DHCP server and also add redirection rules for port 53 to ensure anyone trying to enter static DNS addresses are caught.

You can then add specific rules if there are certain individuals that want uncensored Internet access.


Regards

Chris Macneill
 
ptsip
newbie
Posts: 43
Joined: Fri Jan 20, 2006 7:17 pm

Wed May 02, 2007 5:15 pm

For me, pls do not burden a lot of address-list for porn-site, will make your M/T ROS getting slow. Using another solution like from http://www.iss.net or alike solutions(s).
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Thu May 03, 2007 3:13 pm

better do that using proxy.

also this ip list will be quite efficient
 
csickles
Forum Guru
Forum Guru
Posts: 1255
Joined: Fri May 28, 2004 8:46 pm
Location: Phoenix, AZ
Contact:

Thu May 03, 2007 7:56 pm

ScrubIT does not work with the MT proxy for some reason (yet)..
My guess is a time out issue.. or passably a non standard return..

A "Coolness" would be the ability to look at the dst address, do a reverse lookup via ScrubIT (as well as the std forward) and if th address comes back as a blocked site, then add it to a blocked address list...

I would guess that would get us to about 85 - 90 percent of the CRA9 out of the net..

Craig
 
User avatar
maroon
Member Candidate
Member Candidate
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon
Contact:

Fri May 04, 2007 5:37 pm

[quote]redirection rules for port 53[/code]

what if I have like 1000 clients and their PC's r configured static IP,GW and DNS.

how to redirect their DNS settings to a specific DNS SErver (SCRUB IT) or any other DNS Server (Cache only DNS Server). hope you got my point?

another problem that the built-in cache dns on mikrotik is filled up after few hours of flushing the cache. So I need a rule to forward/redirect any DNS request to a seperate cache only server (BIND or DNSMASQ).

which one do you prefer DNSMASQ as a cache only server for DNS requests or BIND9 ?

your help is highly appreciated
 
skynoc
Member Candidate
Member Candidate
Posts: 140
Joined: Wed Jul 07, 2004 10:20 pm
Contact:

Wed May 16, 2007 8:40 am

hi gtrappmann
i did block the known words like sex,porn,lesbian etc but this can affect for many other things so i decided to block sites , now i have a list of 600 blocked sites and spywares if you are interested give me your email to send it to you

sorry for the bad words

regards
 
Ghassan
Member Candidate
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon
Contact:

Fri May 18, 2007 2:08 am

First You can not block porn sites using many words because we had many suffers from using these rules but the best idea is to make blocked-list for ips or for domains and sub domains using web-proxy but what if we have many rules for about more than 3000 rules then we are out of memory / cpu ... so the best solution that i can get is to try Scrubit .

Also we had to force users to use our dns servers andmake sure that users are not putting new proxies outside ...

Finally I agree with csickles's answer .



Ghassan
Last edited by Ghassan on Fri May 18, 2007 2:19 am, edited 1 time in total.
 
Ghassan
Member Candidate
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon
Contact:

Fri May 18, 2007 2:18 am

Dnsmasq is especially suited for small networks that share a single Internet connection, behind a NAT firewall.

You probably wouldn't want to use it to power an ISP, but then this article isn't aimed at gigantic mondo users with complex needs anyway: Think branch office.

for BIND, the only reason i know why to use bind atm is because i know it can handle its own names, (eg: ns1.mydomain, mail.mydomain, www etc)

I also know that DNSmasq handles DHCP aswell, but it wont do the above names..

We found a better solution for MT DNS but I preffer to use ScrubIt :wink:


Ghassan
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Fri May 18, 2007 10:12 am

Mikrotik RouterOS transparent web-proxy without caching.

Only thing thats necessary is to create an access-list and drop all sites with typical words in them - you will need to addjust the list for some time, but it works like a charm
 
Ghassan
Member Candidate
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon
Contact:

Fri May 18, 2007 11:32 am

Mikrotik RouterOS transparent web-proxy without caching.

Only thing thats necessary is to create an access-list and drop all sites with typical words in them - you will need to addjust the list for some time, but it works like a charm


do you mean that if we create access-list at web-proxy .. or from address-lists ??
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Fri May 18, 2007 1:42 pm

Mikrotik RouterOS transparent web-proxy without caching.

Only thing thats necessary is to create an access-list and drop all sites with typical words in them - you will need to addjust the list for some time, but it works like a charm


do you mean that if we create access-list at web-proxy .. or from address-lists ??
Access-list at werproxy

Just create rule to drop any address with xxx in ir (path= *xxx*) and then even google search for xxx will not work
 
Ghassan
Member Candidate
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon
Contact:

Fri May 18, 2007 1:53 pm

Access-list at werproxy

Just create rule to drop any address with xxx in ir (path= *xxx*) and then even google search for xxx will not work
We already had this before and it was not success because we had many complains about blocking many sites that have some unwanted words .

But I have for now about more than 3000 websites that are blocked at WebProxy Access but it is really increasing my CPU usage and it is not a problem for us .. the real thing is Webproxy will read all rules so it will decrease our MT performance so there might be a better idea .
 
skynoc
Member Candidate
Member Candidate
Posts: 140
Joined: Wed Jul 07, 2004 10:20 pm
Contact:

Fri May 18, 2007 4:47 pm

send me the list
 
darvader
just joined
Posts: 2
Joined: Mon Jun 04, 2007 1:22 pm

Re: blog pornsites via firewall ?

Mon Jun 04, 2007 2:22 pm

please ghassan send me the list
 
Ghassan
Member Candidate
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon
Contact:

Re: blog pornsites via firewall ?

Mon Jun 04, 2007 4:22 pm

I will give you all my results .

First I tried to add more than 8000 websites ( porn - ie.ads - spam - spywares ) at web-prroxy access list . we blocked about 8000 harmfull sites without any complains from our customers but the problem is CPU Usage with unstable percentage starting from 20 % up to 80 % ..

The next week I started to change my idea to get the best results by removing them from Web-Proxy and then adding a new rule which block the dst addresses list ( Content Filter ) then redirect it to our main Webserver that shows our customers The URL he istrying to access has been considered as unsafe or containing unappropriate content by Content Filtering System.

Finally our cpu usage get better and is stable again .

Ghassan.
 
o_hawchar86
Frequent Visitor
Frequent Visitor
Posts: 67
Joined: Sun Nov 26, 2006 8:59 am

Re: blog pornsites via firewall ?

Sun Nov 11, 2007 11:51 pm

Ghassan Can u send me the list plz
Thanks Salaf.
 
R1CH
Forum Guru
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: blog pornsites via firewall ?

Mon Nov 12, 2007 2:51 am

It may be easier idea to make HotSpot users DNS redirect to OpenDNS, where they have "adult filter" which claims to block over 4M domains:

http://www.opendns.com/features/adult/
 
User avatar
omega-00
Forum Guru
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: blog pornsites via firewall ?

Mon Nov 12, 2007 3:56 am

I second the comment above, opendns works fine and is easy to implement
 
User avatar
jorj
Member
Member
Posts: 397
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: blog pornsites via firewall ?

Mon Nov 12, 2007 3:47 pm

You can get a long list of domains wich you can block trough firewall, but it won't be effective.
I imported on x86 with 128 ram about 400.000 sites, and the firewall just won't pass any traffic trough it.
Tried with proxy, and names to block, but also very hard work to do for the hardware......

If you care so much, do make yourself a dns server, put everything that goes up from your network to ask it for dns resolution ( even by redirecting customers trough it) and put bogon ip's (you could put 127.0.0.1 for example) for a list that you can find on the net, and complete yourself with "new" items.
You might, just _might_ do better this way. In terms of speed, for shure you would be best this way. The DNS machine would be secure and happy if it would not be doing anything else.

( Of course, some % of your users, just won't be happy till they get their porn..... :) )
 
User avatar
t3rm
Member Candidate
Member Candidate
Posts: 143
Joined: Sat Aug 04, 2007 1:57 pm
Location: Bandung - WJ - Indonesia

Re: blog pornsites via firewall ?

Tue Nov 13, 2007 6:52 am

Check the firewall option name 'content'
you could use it to match every packets passing your mikrotik with the porn words you need to block.

Or use layer-7-filtering

8)

Who is online

Users browsing this forum: Amazon [Bot], bertus, kiloon, rarriazu and 90 guests