Firewall Filter Restriction

Hi, I block Facebook on the firewall with a layer7 protocol “^.+(facebook.com).*$”, but the firewall blocks “facebook.com” from my personal domain page; I can't even send mail to abc.user@facebook.com from my webmail. Please help…

Yes, this is why L7 rules are not meant for webpage blocking.

So… how can I block HTTPS?

Hi,

Would you be kind enough to elaborate on what you want to achieve?

Kind regards,

He wants to block HTTPS Facebook. I suggest blocking by DNS name.

Create a DNS name like:

/ip dns static add name=www.facebook.com address=127.0.0.1

Or to an IP with a web server and a block page.
It's a solution instead of layer 7, like normis said.


OK, I created the DNS name, but how do I block facebook.com? Do I need a firewall rule? If so, how do I make the firewall rules? Please give details…

The only way to block facebook.com is to block on BGP the prefix with AS32934…

No you can't: a proxy like 2.3.4.5 in Brazil can be used for access!

No, you can not use a proxy for HTTPS pages! Facebook is nearly all HTTPS.

Ok, I'm not mad, this is how this type of thread usually goes… :laughing: :laughing: :laughing:

If you need to block Facebook “for dummies”, block both facebook.com and http://www.facebook.com and the other variants…

But the user can still change the DNS on the machine,
and some programs change the DNS arbitrarily…
You must force, on the NAT, the routerboard to be the DNS server,
but then you quickly come under DNS DDoS or similar; you need to protect the routerboard DNS from the “WAN” or your connection goes out of service after 5 minutes…

/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface=$YOUR_LAN action=redirect to-ports=53

It will redirect all connections, but you can create a list for the users whose access won't be blocked. Like this:

/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface=$YOUR_LAN action=redirect to-ports=53 src-address-list=!no-block

And always remember:
Protect your routerboard from attacks on UDP/53 on the WAN!

To protect:

/interface list
add name=internet comment="List of WAN"

/interface list member
add interface=ether1 list=internet comment="WAN 1"
add interface=ether2 list=internet comment="WAN 2"


/ip firewall filter
add action=drop chain=input dst-port=53 in-interface-list=internet protocol=tcp connection-state=new comment="TCP DNS Protection"
add action=drop chain=input dst-port=53 in-interface-list=internet protocol=udp connection-state=new comment="UDP DNS Protection"

add action=drop chain=forward dst-address-list=internal_public_IP dst-port=53 protocol=tcp in-interface-list=internet connection-state=new comment="Other Public IP protection used inside LAN"
add action=drop chain=forward dst-address-list=internal_public_IP dst-port=53 protocol=udp in-interface-list=internet connection-state=new

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!192.168.88.1 src-address-list=!do_not_redirect_DNS dst-address-list=!do_not_block_this_DNS dst-port=53 protocol=tcp to-addresses=192.168.88.1 to-ports=53 comment="DNS Redirect"
add action=dst-nat chain=dstnat dst-address=!192.168.88.1 src-address-list=!do_not_redirect_DNS dst-address-list=!do_not_block_this_DNS dst-port=53 protocol=udp to-addresses=192.168.88.1 to-ports=53

/ip firewall address-list
add address=192.175.48.1 comment=prisoner.iana.org list=do_not_block_this_DNS
add address=192.175.48.6 comment=blackhole-1.iana.org list=do_not_block_this_DNS
add address=192.175.48.42 comment=blackhole-2.iana.org list=do_not_block_this_DNS

add address=192.168.88.1 comment=Router list=do_not_redirect_DNS

Hi, I did this, redirecting Facebook requests to my web server 192.168.0.3 (IIS).
With IE all is fine: when you type http://www.facebook.com it requests http://www.facebook.com and shows my warning web page hosted on my web server,
but in Chrome it redirects to https://www.facebook.com and there it shows an error (page cannot be displayed).
Same with http://www.youtube.com and https://www.youtube.com, for instance.

How can I make RouterOS always redirect to HTTP and not HTTPS, so that every time a client asks for facebook.com from any browser it shows my warning web page?

Using regexp instead?

/ip dns static add regexp=".*\\.facebook\\.com" address=127.0.0.1 comment="Any subdomain of facebook.com"
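To see why the Layer-7 pattern from the first post also hits the webmail and the personal page, and what the dot in a DNS regexp does when it is not escaped, here is an added illustration that is not part of the thread. It uses Python's `re` module as a stand-in for the RouterOS matchers and works on constructed payloads, not captured traffic.

```python
import re

# Layer-7 pattern from the first post. RouterOS applies it to the collected
# stream payload, so any connection carrying the text "facebook.com" fires it.
# DOTALL lets "." span the line breaks inside a captured stream (assumption
# made so the match behaves like a payload matcher rather than a line matcher).
L7_PATTERN = re.compile(r"^.+(facebook.com).*$", re.DOTALL)

# DNS-side patterns: an unescaped form where "." is a one-character wildcard,
# beside an escaped, anchored form that matches only facebook.com and its
# real subdomains.
DNS_UNESCAPED = re.compile(r".facebook.com")
DNS_ESCAPED = re.compile(r"(^|\.)facebook\.com$", re.IGNORECASE)

# Constructed sample stream payloads (not captured from a real network).
SAMPLES = {
    "browser_request": "GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "smtp_rcpt":       "RCPT TO:<abc.user@facebook.com>\r\n",
    "personal_page":   '<a href="https://facebook.com/me">find me</a>',
    "unrelated":       "GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
}

def l7_matches(payload: str) -> bool:
    """True if the Layer-7 regexp fires on this stream payload."""
    return L7_PATTERN.search(payload) is not None

def l7_verdicts(samples: dict[str, str]) -> dict[str, bool]:
    """Apply the Layer-7 rule to every sample; the mail and the personal
    page are blocked along with the real browser request."""
    return {name: l7_matches(p) for name, p in samples.items()}

def dns_name_matches(hostname: str, escaped: bool = True) -> bool:
    """True if a DNS question name would hit the static regexp entry."""
    pattern = DNS_ESCAPED if escaped else DNS_UNESCAPED
    return pattern.search(hostname) is not None

if __name__ == "__main__":
    for name, hit in l7_verdicts(SAMPLES).items():
        print(f"L7 rule blocks {name:16}: {hit}")
    for host in ("www.facebook.com", "facebook.com", "notfacebook.com",
                 "wwwfacebookxcom", "mail.example.org"):
        print(f"DNS regexp hits {host:18}: escaped={dns_name_matches(host)}"
              f" unescaped={dns_name_matches(host, escaped=False)}")
```

The unescaped pattern also hits names such as notfacebook.com or wwwfacebookxcom, which is why the dots in a static DNS regexp should be escaped.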