hi all
I'm trying to allow only one website through firewall filter rules and the layer 7 protocol, and this didn't succeed. Below is my configuration; any suggestions, please?
Access to a website requires at least DNS and HTTP or HTTPS to work. If a computer cannot resolve a host name, it will not try to access the website. Secondly, Facebook requires HTTPS by default now, which means all traffic between the computer and the web server is encrypted.
The layer7 protocol will not be able to match anything reliably there for your needs. It only looks at the first few packets of a connection and checks whether that text is in there. So the rule would match any page that had facebook.com somewhere in the text.
If you know the IP address of the web server you are trying to communicate with, you can allow that and block all other IP addresses. You will also need to allow DNS through as well. One other possibility would be to force users to use your DNS servers to resolve hostnames; then you can control what they can get to. It is still possible to get around this if a user knows the IP address of a website, however. You can also do that on the MikroTik, but it's a bit trickier to get it to work right.
Once again, you are using the content feature, which works pretty much the same as layer7: it looks for text within a connection, and if it exists then it will accept it.
Blocking by IP address is going to be the most reliable way for you to go, depending on what websites you want to allow/disallow. Facebook is not a good test example because of the encryption and how many IP addresses they use.
The problem is that I tested other websites with a static address, even unknown websites and their IP addresses, and I got the same issue: it can't be reached!
Are you allowing DNS requests through? If not, a browser will not even attempt to access the website, since it doesn't know what IP address a domain name points to.
Can we redirect to a URL after the website is blocked with firewall rules?
I mean redirect every blocked request to another HTML page informing the user that he cannot access this website, and that if it is for work he should contact the administrator.
You can redirect HTTP (port 80) to another IP address. Then the web server there needs to know to respond to every web page request with a default page that you want it to display. Relatively simple to do.
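Putting the advice in this thread into RouterOS commands, as an added example that is not the original poster's configuration or code from any reply: whitelist one web server by IP address, allow DNS, drop everything else from the LAN, and dst-nat blocked port 80 requests to an internal "access denied" page. The addresses, the interface name and the address-list names are placeholders chosen for the example.

```routeros
# Constructed example. Placeholders (assumptions, not real values):
#   192.0.2.10  = the one web server users may reach
#   192.0.2.53  = the DNS resolver clients are configured to use (traffic crosses the router)
#   10.0.0.5    = internal web server that answers every request with the "blocked" page
#   bridge-lan  = the LAN-facing interface

/ip firewall address-list
add list=allowed-sites address=192.0.2.10 comment="the only allowed web server"
add list=allowed-dns address=192.0.2.53 comment="resolver clients may use"

/ip firewall filter
# Existing connections keep flowing; the rules below only judge new ones
add chain=forward connection-state=established,related action=accept
# Without DNS the browser never even tries to reach the allowed site
add chain=forward protocol=udp dst-port=53 dst-address-list=allowed-dns action=accept
add chain=forward protocol=tcp dst-port=53 dst-address-list=allowed-dns action=accept
# HTTP and HTTPS only to the whitelisted server
add chain=forward protocol=tcp dst-port=80,443 dst-address-list=allowed-sites action=accept
# dstnat runs before the filter, so redirected requests arrive here with dst 10.0.0.5
add chain=forward protocol=tcp dst-port=80 dst-address=10.0.0.5 action=accept
# Everything else from the LAN is logged (for review of what users try) and dropped
add chain=forward in-interface=bridge-lan action=log log-prefix="blocked-site"
add chain=forward in-interface=bridge-lan action=drop

/ip firewall nat
# Plain HTTP to any non-allowed server is sent to the "blocked" page instead.
# HTTPS cannot be redirected this way; the browser simply fails the connection.
add chain=dstnat in-interface=bridge-lan protocol=tcp dst-port=80 \
    dst-address-list=!allowed-sites dst-address=!10.0.0.5 \
    action=dst-nat to-addresses=10.0.0.5 to-ports=80
```

The web server at 10.0.0.5 must answer any Host header with the notice page, and clients need the 10.0.0.5 side to be reachable (a forward rule, not an input rule, applies when the page server sits on another subnet).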
Based on your questions, it sounds like you are trying to set up a black list or white list of sites that people can access for work. This is very cumbersome to do on a router, unless you have a very small number of sites that you want to allow. A better solution would be to get a Squid proxy set up with appropriate content filters that will take care of most of the heavy lifting for you. It would be more flexible, and closer to what you are trying to do.
Since it's a work environment you should have control over all local PCs, so you can configure them to use the proxy to get online, and block anything that tries to get around the proxy. If you wanted the proxy to be transparent, then you would need to install a package like SSL bump to decrypt the HTTPS requests and re-sign them back to the client's computer. The client's computer would also need to have the root certificate added to its trusted store; otherwise it will get an SSL error on every page.