how to block https for facebook.com

Hi all, I want to block https://www.facebook.com.
How can I block that?


thanks

You must use a transparent proxy; then you can block sites by host name.

http://wiki.mikrotik.com/wiki/How_to_Block_Websites_%26_Stop_Downloading_Using_Proxy

I am already using the proxy on MikroTik. I can block http://www.facebook.com, but I cannot block https://www.facebook.com.
I want to block https.

Need help, bro?

The proxy doesn't work with HTTPS sites; you need to find out the IP addresses that Facebook uses and block them with the firewall.


This should be a start:

C:\Users\Normis>nslookup facebook.com

Non-authoritative answer:
Name:    facebook.com
Addresses:  69.63.189.16
          69.63.181.11
          69.63.181.12
          69.63.189.11

So, you mean I must block the Facebook IPs, right?

Yes, those four IPs. Block port 443 for HTTPS.

Can you show me how to block them using the command line, please?

thanks

/ip firewall filter add chain=forward action=drop dst-address=a.b.c.d

Refer to the manual for details
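An added example, not from the thread, that combines the two replies above: the four addresses from the nslookup output go into a firewall address list, and one filter rule drops TCP/443 to that list, so the rule blocks only HTTPS rather than all traffic to those hosts. The list name "facebook" and the comments are my own choices; the addresses are the ones shown above.

```routeros
# Build an address list from the four addresses returned by nslookup above.
/ip firewall address-list
add list=facebook address=69.63.189.16 comment="facebook.com (nslookup)"
add list=facebook address=69.63.181.11 comment="facebook.com (nslookup)"
add list=facebook address=69.63.181.12 comment="facebook.com (nslookup)"
add list=facebook address=69.63.189.11 comment="facebook.com (nslookup)"

# Drop HTTPS (TCP/443) from LAN clients to anything on that list.
# Using dst-address-list instead of dst-address means new addresses
# are added to the list, not to the rule.
/ip firewall filter
add chain=forward protocol=tcp dst-port=443 dst-address-list=facebook \
    action=drop comment="block facebook https"
```

Whole ranges can go into the same list in CIDR form (for example address=69.63.176.0/20 for 69.63.176.0-69.63.191.255). Newer RouterOS releases (6.x) also accept a host name in address=, which the router re-resolves periodically; on the 3.x versions discussed in this thread the addresses have to be entered by hand and will go stale as Facebook changes its servers. Note that this only filters IPv4.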

Thanks bro, I have already blocked Facebook.

So, it makes no sense to use the web proxy, but a firewall filter rule instead for any “facebook” browsing right? I didn’t try it, but I guess that blocking those 4 IPs is enough…

One little question about transparent proxy. I have it running, but when I check web proxy status out, “cache used” is always 0 KiB. What could be going on?

You need to setup a store for the webproxy to use.

I have rOS v. 3.30. Web-proxy1 store is already activated.

I guess news sites should not be cached, but an institutional site with almost static content, I guess, should!

Any other suggestions? This is my config:

                 enabled: yes
             src-address: 0.0.0.0
                    port: 3128
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
     cache-administrator: "webmaster"
          max-cache-size: none
           cache-on-disk: yes
  max-client-connections: 1000
  max-server-connections: 1000
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
             cache-drive: primary-master

Is there any way to convert https to http on facebook?

/ip firewall filter
add action=drop chain=forward comment="block facebook https" content=facebook disabled=no dst-port=443 protocol=tcp

block facebook https

And unfortunately every https website that might have the term facebook. This will provide many false positives.

/ip firewall filter
add action=drop chain=forward comment="block facebook https" content=facebook disabled=no dst-port=443 protocol=tcp

I don’t know why but this solution is not working for me.

I know that HTTPS traffic is encrypted; should MikroTik decrypt this traffic and see the content "facebook"?
I have also tried to block Facebook's IPs, but this site now has a lot of servers and IPs; it always finds another way to connect.

I was thinking about redirecting from the DNS query. I mean, if LAN PCs request facebook, forward a local IP address to them through the DNS response.
But I'm not sure how to do that.
I would appreciate your help.
Thanks!

That's the whole point of encryption: nobody on the way can decrypt it. :) If it was possible, it would be useless.

If your users are using your dns server, you can add:

/ip dns static
add address=192.0.2.1 name=www.facebook.com
add address=2001:db8::1 name=www.facebook.com

If they don't, you can force them by redirecting their DNS packets (port 53) to your server (currently possible only for IPv4; the IPv6 ones you can only drop, which is probably safe for now). Not exactly a nice thing to do, but it works.

But be prepared that even slightly advanced users know about the hosts file and will get around this kind of blocking quite easily.
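The complete DNS-based setup described in the reply above, as an added example that is not part of the original post: the static entries are the ones given there, and the dstnat rules force LAN clients to use the router's resolver. The interface name ether2-lan and the rule comments are assumptions for illustration.

```routeros
# Let LAN clients use the router as their resolver.
/ip dns
set allow-remote-requests=yes

# Answer facebook lookups with an unroutable (TEST-NET / documentation) address.
/ip dns static
add address=192.0.2.1 name=www.facebook.com
add address=2001:db8::1 name=www.facebook.com

# Clients that point at an outside resolver get their port-53 traffic
# redirected to the router itself (IPv4 only). ether2-lan is an assumed
# LAN interface name; use in-interface so WAN-side DNS is untouched.
/ip firewall nat
add chain=dstnat in-interface=ether2-lan protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS via router"
add chain=dstnat in-interface=ether2-lan protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS via router"

# No redirect for IPv6, so just drop forwarded IPv6 DNS from the LAN.
/ipv6 firewall filter
add chain=forward in-interface=ether2-lan protocol=udp dst-port=53 \
    action=drop comment="drop outbound IPv6 DNS"
add chain=forward in-interface=ether2-lan protocol=tcp dst-port=53 \
    action=drop comment="drop outbound IPv6 DNS"
```

As the reply says, this only steers name resolution: a client with a hosts-file entry, or one that already knows Facebook's addresses, never asks the router and gets through. Pair it with an address-based drop rule if you want both paths covered.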

Simply try blocking 443/TCP to these IP addresses:

66.220.144.0-66.220.159.255
69.63.176.0-69.63.191.255
204.15.20.0-204.15.23.255

Is there still no solution for the "https" Facebook block in the latest version of ROS?

The way we do this is to use a layer 7 regular expression to block any url with facebook in it.

First make layer 7 protocol with this as the value:

^.*(facebook).*$

Then make a firewall rule to drop that layer 7 protocol.

This can be very harsh and even prevent you resolving and pinging facebook as well as browsing by http and https. So think carefully about your rule.

Effectively what this regex is doing is matching any FQDN and URL with facebook in it.

We often then put this rule on a script which enables facebook outside of office hours and disables facebook during office hours.

I hope that helps.
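The layer-7 approach from the post above, written out as an added example that is not the poster's own configuration. It creates the regex matcher, a forward-chain drop rule, and two scheduler entries that switch the rule on and off around office hours. The regex is the one given above; the rule comment, scheduler names and the 08:00-17:00 window are assumptions for illustration.

```routeros
# Layer-7 matcher: any payload containing "facebook". For HTTPS this hits
# the plaintext server name in the TLS ClientHello, which is why it works
# without decrypting anything; it also hits DNS queries and any other
# connection whose first packets contain the string (the false positives
# warned about earlier in the thread).
/ip firewall layer7-protocol
add name=facebook regexp="^.*(facebook).*$"

# Drop matching connections. Created disabled; the scheduler turns it on.
# The forward chain sees both directions of LAN<->WAN traffic, which the
# L7 matcher needs.
/ip firewall filter
add chain=forward layer7-protocol=facebook action=drop \
    comment="block facebook L7" disabled=yes

# Enable the rule at the start of office hours and disable it at the end.
/system scheduler
add name=facebook-block-on start-time=08:00:00 interval=1d \
    on-event="/ip firewall filter enable [find comment=\"block facebook L7\"]"
add name=facebook-block-off start-time=17:00:00 interval=1d \
    on-event="/ip firewall filter disable [find comment=\"block facebook L7\"]"
```

If you do not need the script, the filter rule's own time= matcher does the same job in one line (for example time=8h-17h,mon,tue,wed,thu,fri), with no scheduler to fall out of sync after a reboot. Either way, the L7 matcher only inspects the first packets of each connection, so a rule placed after an established/related accept rule will not see them; put it before that rule.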