block internet traffic except for two domains

Hi everyone,

I’m trying to block internet access except for two domains. I managed to block the traffic, but I can’t unblock it for the two domains. I applied this configuration:


IP > Firewall > Filter Rules

(rule position 1)
Chain: forward
Protocol: tcp
Dst. Ports: 80, 443
Action: drop

(adjust position 0)
Chain: forward
Dst. Address: AuthorizedList
Action: accept

IP > Firewall > AddressList
List: AuthorizedList
Address: diretta.it

The problem is that it doesn’t unblock the domain: I don’t see any packet exchange on rule 0.
If I delete Dst. Address and instead enter diretta.it in “Content”, I can browse all sites except diretta.it.

Where am I wrong?
Thank you

Can you give this a try:

/ip firewall raw
add action=drop chain=prerouting disabled=yes dst-port=80 protocol=tcp tls-host=!*diretta*
add action=drop chain=prerouting disabled=yes dst-port=443 protocol=tcp tls-host=!*diretta*

Your AuthorizedList needs to at least include static.flashscore.com because most of the resources come from there. And probably content.livesportmedia.eu too. And your two rules should be below the

action=accept chain=forward connection-state=established,related,untracked

rule, if possible.
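Putting the question’s address list and the ordering advice above together as one complete filter layout, as an added example rather than configuration posted by either participant (the list name and domains are taken from the thread; the comments and the assumption that the router’s own DNS can resolve the names are mine):

```routeros
# Added example: forward-chain allow-list assembled from the thread.
# Assumes the router can resolve names via /ip dns; FQDN entries in an
# address list are resolved by the router and expanded into dynamic entries.

/ip firewall address-list
add list=AuthorizedList address=diretta.it comment="allowed domain (from the question)"
add list=AuthorizedList address=static.flashscore.com comment="page resources (from the reply)"
add list=AuthorizedList address=content.livesportmedia.eu comment="page resources (from the reply)"

/ip firewall filter
# 1. Keep already-accepted connections flowing; sits above the allow/drop pair.
add chain=forward action=accept connection-state=established,related,untracked comment="allow established/related"
# 2. New connections to the resolved addresses of the listed domains.
add chain=forward action=accept dst-address-list=AuthorizedList comment="allow listed domains"
# 3. Everything else on the web ports is dropped; the accept rule must come first.
add chain=forward action=drop protocol=tcp dst-port=80,443 comment="drop other web traffic"
```

`/ip firewall filter print stats` shows per-rule packet and byte counters, which is the quickest way to see whether the accept rule is ever hit, and `/ip firewall address-list print` should show dynamic (D) entries carrying the resolved IP addresses next to each name; if those are missing, the router itself cannot resolve the domain. The list only contains the addresses the router resolved, so a client that uses a different resolver (or DNS over HTTPS) may be directed to a CDN address that is not in the list and will be dropped. Note also that the drop rule only covers TCP 80 and 443, as in the question, so DNS and all other traffic still pass.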


I don't think this will work, because the tls-host is only present in the first few packets of the connection, and there is no connection tracking in RAW.