Firewall rules blocking facebook

I have firewall rules to block Facebook. I have the following config:

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=
10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment="Drop Facebook 1" disabled=no
dst-address=66.220.152.16 protocol=tcp
add action=drop chain=forward comment="Drop Facebook 2" disabled=no
dst-address=69.171.237.16 protocol=tcp
add action=drop chain=forward comment="Drop Facebook 3" disabled=no
dst-address=69.171.234.21 protocol=tcp
add action=drop chain=forward comment="Drop Facebook 4" disabled=no
dst-address=66.220.158.70 protocol=tcp
add action=drop chain=forward comment="Drop Facebook 5" disabled=no
dst-address=66.220.149.88 protocol=tcp
add action=drop chain=forward comment="Drop Facebook 6" disabled=no
dst-address=69.171.247.21 protocol=tcp
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.2.0/24
src-address=192.168.3.0/24
add action=masquerade chain=srcnat disabled=no out-interface=1-WAN
add action=dst-nat chain=dstnat disabled=no dst-address=68.143.166.138
dst-port=80,443 protocol=tcp to-addresses=192.168.3.118
add action=dst-nat chain=dstnat disabled=no dst-address=68.143.166.138
dst-port=110,25,465 protocol=tcp to-addresses=192.168.3.116
/ip firewall service-port
set ftp disabled=no ports=21,22
set tftp disabled=yes ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
set pptp disabled=yes

It is not blocking Facebook. I have tried turning off the TCP match, using address lists, everything I can think of.

Users are not using a proxy. I did trace routes, and they are going out the router then to the internet. The firewall rules don't appear to get hits. Sometimes it hangs in the browser, but hitting enter again will get it through. I have every IP for Facebook in the list.

What makes you think that you have all the addresses of Facebook? I just did a ping from my PC and it resolved as 173.252.101.16.
Fact is, they do change their IP addresses randomly, I guess. The best way to block it is to redirect DNS requests to the router, and then add two static routes in the DNS.

/ip firewall nat
add chain=dstnat action=redirect to-ports=53 protocol=udp dst-address-type=!local dst-port=53
/ip dns static
add name=facebook.com address=127.0.0.1
add name=www.facebook.com address=127.0.0.1

Don’t forget to flush the cache as well.

You can see here all of the IPs Facebook has.

http://top.robtex.com/www.facebook.com.html#records

This is what we use to block Facebook for customers.

/ip firewall filter
add action=drop chain=forward comment="Block Facebook" dst-address=173.252.96.0/19
add action=drop chain=forward comment="Block Facebook" dst-address=66.220.144.0/20
add action=drop chain=forward comment="Block Facebook" dst-address=69.171.224.0/19
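An added check that none of the posters wrote: given the address the second poster resolved (173.252.101.16), it tests which of the two rule sets in this thread would actually drop traffic to it. The six /32 hosts and the three CIDR blocks are copied from the posts above; the second observed IP in the sample is constructed. Any rule set and any list of observed addresses can be fed to the same functions, so this can be reused to audit an address list against what clients are really resolving.

```python
# Added example, not from any post in this thread. Checks whether observed
# destination IPs fall inside a set of firewall dst-address rules.
from ipaddress import ip_address, ip_network

# /32 destinations from the opening post (no prefix length means a single host)
HOST_RULES = [
    "66.220.152.16", "69.171.237.16", "69.171.234.21",
    "66.220.158.70", "66.220.149.88", "69.171.247.21",
]

# CIDR blocks from the later "Block Facebook" post
BLOCK_RULES = ["173.252.96.0/19", "66.220.144.0/20", "69.171.224.0/19"]


def matching_rules(ip, rules):
    """Return the rules (as written) whose network contains ip."""
    addr = ip_address(ip)
    return [r for r in rules if addr in ip_network(r, strict=False)]


def coverage_report(observed, rules):
    """Map each observed IP to the rules that would drop it.

    An empty list means traffic to that address passes the filter untouched,
    which is the symptom reported above ("rules don't appear to get hits").
    """
    return {ip: matching_rules(ip, rules) for ip in observed}


def uncovered(observed, rules):
    """Observed IPs that no rule in the set matches."""
    return [ip for ip, hits in coverage_report(observed, rules).items() if not hits]


if __name__ == "__main__":
    # constructed sample: the address resolved by the second poster, plus one
    # host that is in the original /32 list
    observed = ["173.252.101.16", "66.220.152.16"]
    for label, rules in (("host rules", HOST_RULES), ("CIDR rules", BLOCK_RULES)):
        print(label)
        for ip, hits in coverage_report(observed, rules).items():
            print(f"  {ip}: {'DROP via ' + ', '.join(hits) if hits else 'NOT MATCHED'}")
        print("  uncovered:", uncovered(observed, rules))
```

Running it shows 173.252.101.16 slipping past every /32 rule but landing in 173.252.96.0/19, which is why the per-host list stopped matching once the site moved to a different address in the same block.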

Hi all,

below is my rule to block the Facebook website and it works well on my network.
Let's see and give advice:

/ip firewall filter add chain=forward content=facebook action=drop

It just helps me; no need to specify the Facebook IP addresses.

Let me know if it is helpful.

kinal

The "content" feature will actually capture any web page that contains "facebook" in it. You are probably going to stop a lot of other web pages which are not related to Facebook but do contain "facebook" within.

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties
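To make the over-matching concrete, here is an added Python model (not code from any poster or from MikroTik) of what a plain payload substring match does compared with matching only the HTTP Host header. The three HTTP messages are constructed samples: a real request to the site, an unrelated page that merely links to it, and an unrelated request. The assumption is that the "content" matcher behaves as a case-sensitive substring test over the packet payload, as described in the post above.

```python
# Added example, not from any post in this thread. Compares a raw payload
# substring match with a Host-header match over constructed HTTP messages.

SAMPLES = {
    # a request actually addressed to the site: both approaches should block it
    "fb_request": (
        b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\nUser-Agent: x\r\n\r\n"
    ),
    # an unrelated site whose HTML only mentions the word (e.g. a share link)
    "news_page": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><a href='https://www.facebook.com/share'>share on facebook</a></html>"
    ),
    # an unrelated request that never mentions the word
    "other_request": (
        b"GET /index.html HTTP/1.1\r\nHost: example.net\r\n\r\n"
    ),
}


def content_match(payload: bytes, needle: bytes = b"facebook") -> bool:
    """Model of the firewall 'content' matcher: plain substring over the payload."""
    return needle in payload


def host_header(payload: bytes):
    """Return the Host header value of an HTTP/1.x request, or None if absent."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:        # skip the request/status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().lower()
    return None


def host_match(payload: bytes, domain: bytes = b"facebook.com") -> bool:
    """Match only requests whose Host is the domain itself or a subdomain of it."""
    host = host_header(payload)
    if host is None:
        return False
    host = host.split(b":")[0]                 # drop an explicit port, if any
    return host == domain or host.endswith(b"." + domain)


def compare(samples=SAMPLES):
    """Return {sample name: (content match result, host match result)}."""
    return {name: (content_match(p), host_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (by_content, by_host) in compare().items():
        print(f"{name:14s} content={str(by_content):5s} host={by_host}")
```

The "news_page" sample is the case the post above warns about: the substring rule drops it although the client never talked to the site, whereas the Host-based check leaves it alone. The Host header is only visible in plaintext HTTP; for HTTPS the equivalent field is the TLS SNI, and the DNS-based approach suggested earlier in the thread sidesteps the problem entirely.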

Dear Caci99,

It's very impressive info, thanks for your advice.
So the best way to block FB is to specify its IP addresses.

regards,
kinal

There are different ways to do that, as seen in this topic. I would go for the DNS solution as proposed before.