Hi,
I'm trying to allow access only to Facebook for my users,
but I failed.
All I did was mark the Facebook connection, and I succeeded. Then I allowed this connection, then I put a rule to drop the others.
Can you help me?
Any idea?
I tried to block Facebook and allow all,
but the hard thing is to allow Facebook and block all.
You are right, that is quite hard to do. Maybe even impossible.
I'm intending to apply this configuration to allow users to browse FB and WhatsApp,
because I will use a 3G modem with the router.
I can't afford for them to download torrents or browse videos.
I just want to give them social media browsing.
Then allow internet access only to port 80 and 443 and drop the rest to limit p2p usage.
You can also limit your users by download size to save bandwidth.
I'm wondering what sindy recommends about that.
My first thought would be to find the right method for blocking Facebook and do the opposite. So obviously not all are suitable for this, but the one that uses their network addresses (AS63293, AS54115, AS32934) looks like it could work.
It's not exactly what was requested (by domain), but it sort of works. If I allow access to these addresses and block the rest, www.facebook.com loads while other sites don't. Unfortunately, they don't use only these addresses. Right on the first page I have missing images from scontent.fprg2-1.fna.fbcdn.net, which I guess is some local cache, and the IP address belongs to a different subject. I don't have an account to check what's missing inside, but I'm almost sure there will be something too. Plus, if one of the goals is to block videos, they do have them too, don't they?
Another way, which would really be by domain, would be some transparent TCP proxy that understands TLS handshakes, and since the requested hostname is sent readable in the SNI (at least for now, but plans to encrypt it already exist), it could allow connections to selected domains and block the rest. I don't know if such a proxy exists, probably yes, but it's not in RouterOS. The downside is that you'd have to find all the domains that Facebook needs to work (maybe there are not a lot of them and it could be easy, but I have no idea). But there would still be a risk that some domains may be shared between stuff that you want to allow and other stuff that you don't.
Silly question, but did you allow DNS traffic as well?
THAT is the big problem!
A webpage is not a single file that is downloaded from the server pointed by the domain name you enter.
It is not like your device makes a connection to facebook.com and then receives some big file containing an image of what you see there.
Instead, a webpage consists of many different elements (HTML text, stylesheets, scripts, images etc.) and only the topmost file comes from the server you visit; all the others can (AND DO) come from different servers, often even things like "Content Delivery Networks" (CDN, as you see in the fbcdn in the name above) that are not necessarily from the same company that serves you the website.
This makes it “very difficult” (or maybe “impossible”) to do what the topic starter wants, as I already wrote.
Blocking is similarly difficult, but there you have more chance because you can block a single very important item (like the toplevel HTML file) that makes the entire page unusable, and the user thinks the site is blocked and goes off doing something else. Hopefully.
(but a technically more advanced user will know tricks to fetch the site through other intermediates, like proxies or VPN, to work around that)
If the question was about any other random website, I'd probably jump to "impossible" right away, because a typical website now loads various libraries and frameworks from ten different sources (I very much dislike this approach, but that's another story). I just thought that maybe such a big company as FB, with tons of its own networks, could be hosting all its own stuff there. So it would still break all external stuff possibly linked by users, but at least it could work well enough to be usable.
I came too late to write anything relevant that @Sob and @pe1chl haven’t already written.
If I had to address the same issue, I'd follow @inteq's recommendation to limit bandwidth. Limiting download size is tricky because you can actually only limit the amount of data transferred within a single TCP (or maybe even QUIC) session, but well-written applications reuse each TCP session for several transfers to avoid ephemeral port exhaustion, which is caused by the 2'30" guard time after closing a session before the same socket can be used for a new TCP session to the same destination, and browsers often annoy the user if they get an unexpected TCP reset.