Block facebook

Hello!

Has anyone blocked facebook.com with firewall rules?
Or maybe in another way, other than a proxy?


Thanks.

simplest way - find out all IPs of Facebook servers, and drop access to them.

It uses many IPs.
Do any tools or web addresses exist that find all IP addresses for each DNS?

Thanks

i just see two a-records for facebook.com:

69.63.176.140 and 69.63.178.11

but maybe they use something like geo-bgp or some*cast-technology.

Install a web-proxy server and filter by URL policy, or even by content, depending on the software you decided to install. I think it's the best way to achieve complete and detailed administration and web logging.

good luck!

Edward

you can block it by using your own dns server.

Add a rule in filter forward with content facebook; it's an easy way.
i resolved that problem with this rule.

there would be less cpu stress if you set up a proxy and use the access list there to just disallow certain web pages.

i really would like to have mikrotik with blocking url feature without the need to enable web-proxy. it’s just like firefox addon procon latte.

Just drop or reject in firewall dst-address=69.63.0.0/16 :wink:

thanks, i did it a couple of months ago using ip addresses collected from ns records from robtex.com, the site really helped me out. :slight_smile:

how about if i want to use time based, ex: i want user cannot login from 9.00-18.00 ?

you can make a script that disables these rules, and use the “system scheduler” to run this script at certain times. you will need another script that enables these rules again

can you help me with an example? and i want only a few ip addresses to have unlimited access and the rest blocked by time

thanks
albert

type on the terminal: /ip firewall filter add chain=forward action=drop dst-address=a.b.c.d/xy

go to the ip firewall filter, double click the rule you just made, then go to menu extra > time.

also a good alternative :slight_smile: but if you want to divide people into facebook and no-facebook groups, you will need to use address lists.

make a rule to filter the address you want to set unrestricted access to the internet:

/ip firewall filter add chain=forward src-address=a.b.c.d/xy action=add-src-to-address-list address-list=unrestricted

make the rules to block facebook.com:

/ip firewall filter add chain=forward dst-address=69.63.176.0/20 src-address-list=!unrestricted action=drop
/ip firewall filter add chain=forward dst-address=69.63.184.0/21 src-address-list=!unrestricted action=drop
/ip firewall filter add chain=forward dst-address=204.15.20.0/22 src-address-list=!unrestricted action=drop
/ip firewall filter add chain=forward dst-address=204.74.66.0/24 src-address-list=!unrestricted action=drop
/ip firewall filter add chain=forward dst-address=204.15.20.0/22 src-address-list=!unrestricted action=drop

the ns records of facebook.com i got from robtex.com. hope this helps. :smiley:

but the addresses that can access unlimited cannot be put as a.b.c.d/x, let me explain:
rule 1: only address 10.0.0.5/10/19/27 can access unlimited
rule 2: rest of the addresses cannot access facebook from 0800-1800

problem 1: i don't understand how to make an address list with random ips because i already tried and it's not working
problem 2: if a user accesses facebook from 0750 he/she still can access facebook for the rest of the day until he/she logs out

i already tried blocking using ip addresses for facebook with a scheduler script and i got a lot of them but it's not working either

now i am just doing this in ip/fire/filter rule
13 ;;; drop facebook
chain=input action=drop protocol=tcp src-address-list=disallow facebook
content=facebook time=9h-18h,mon,tue,wed,thu,fri


thanks a lot for helping
albert

the configuration i use in my office works well. they won't be able to do anything regarding facebook once it is turned on from the extra - time submenu. they could not post their status and so on. the links to outside of facebook could still be accessed within facebook if they're logged in before the time is activated, since facebook connects to several other servers its applications use, ie: pethouse game.

your configuration somehow blocks whenever a "facebook" shows up. try to search for facebook in google.com and you'll notice that the google results were blocked by mikrotik due to "content=facebook" on your filter rule. i walked the same path as you before i found all the name servers that facebook used.

i'm sorry i don't get your point with the random ip address. do all of them, both the limited and the unlimited, use dhcp so each time they connect they get a dynamic ip address, and some of these dynamic ip addresses should be listed on the unlimited list?

no, all ips are static and only certain ips can access for unlimited time and the rest of the ips are blocked from 0800-1800.
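
The address-list approach discussed above, written out for the static-host case as an added example (not configuration posted by anyone in the thread). It assumes `10.0.0.5/10/19/27` means the four hosts 10.0.0.5, .10, .19 and .27, reuses the destination ranges quoted earlier in the thread, and uses a hypothetical list name `facebook` next to the thread's `unrestricted`.

```routeros
# Added example. Addresses are the ones quoted in the thread; verify the
# destination ranges against current data before relying on them.

/ip firewall address-list
# Static hosts that keep access at any time. Non-contiguous addresses are
# simply added one entry at a time; no a.b.c.d/xy prefix is needed.
add list=unrestricted address=10.0.0.5
add list=unrestricted address=10.0.0.10
add list=unrestricted address=10.0.0.19
add list=unrestricted address=10.0.0.27

# Destination ranges collected in one list (hypothetical name "facebook"),
# so a single filter rule covers all of them.
add list=facebook address=69.63.176.0/20
add list=facebook address=69.63.184.0/21
add list=facebook address=204.15.20.0/22
add list=facebook address=204.74.66.0/24

/ip firewall filter
# chain=forward matches traffic routed through the router to the internet;
# chain=input only matches traffic addressed to the router itself.
# Matching on destination addresses instead of content=facebook avoids
# dropping unrelated packets that merely contain the word.
add chain=forward dst-address-list=facebook src-address-list=!unrestricted \
    time=8h-18h,mon,tue,wed,thu,fri action=drop \
    comment="drop facebook during work hours"

# Rules are evaluated top to bottom. If this rule sits below a rule that
# accepts established connections, sessions opened before 08:00 never reach
# it; move it above that accept rule so they are cut off at 08:00 too.
```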