I looked through Google for tutorials on how to block websites and found two ways of doing it with Firewall Filter Rules:
using Layer 7 Protocols where you add website like this ^.+(facebook.com ).*$
adding TLS Host like this *.facebook.com
Neither of these methods works; can someone please help me identify the problem?
Could you post the output of the following command so we can figure out what is not working on your setup?
/ip firewall export
There you go.
The only difference is that I replaced facebook.com with draugiem.lv.
/ip firewall export
# sep/15/2019 08:52:33 by RouterOS 6.45.6
# software id = BGH5-G73M
#
# model = RBD52G-5HacD2HnD
# serial number = B4A00AE025EA
#
# NOTE(review): rules within a chain are evaluated top to bottom and the first
# terminating action (accept/drop) that matches decides the packet. Read each
# chain below with that in mind.
/ip firewall layer7-protocol
add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get \
/announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
# "blocked" matches any inspected payload that contains draugiem.lv; the '.' is
# not escaped, so it also matches e.g. "draugiemXlv".
add name=blocked regexp="^.+(draugiem.lv).*\$"
/ip firewall address-list
# Non-routable / reserved ranges; referenced by the NotPublic drop rules in the
# forward chain.
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="Accept ICMP (ping)" protocol=icmp
add action=accept chain=input comment="Accept established, related" connection-state=established,related
add action=accept chain=input comment="Allow everything from Main Router" src-address=192.168.40.0/24
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes dst-port=21 protocol=tcp src-address-list=ftp_blacklist
# SSH staging: a source that opens a new connection to port 22 is added to
# ssh_stage1; further new connections within 1m promote it stage by stage until
# it lands in ssh_blacklist (held 1w3d), which the drop rule above enforces.
# The drop rule is placed before the staging rules, so an already blacklisted
# source is dropped without being re-evaluated here.
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="SSH Stage 3" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="SSH Stage 2" connection-state=\
new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="SSH Stage 1" connection-state=\
new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="SSH Stage 1" connection-state=\
new dst-port=22 protocol=tcp
# FTP brute-force handling (both rules disabled=yes): matches the server's
# "530 Login incorrect" reply in the output chain.
add action=accept chain=output comment="Burst 9" content="530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m protocol=\
tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="FTP brute" content=\
"530 Login incorrect" disabled=yes protocol=tcp
# --- forward chain: traffic passing through the router ---
# NOTE(review): the three accept rules below are evaluated before the two
# "Block website" drop rules. The established/related accept matches every
# packet after the TCP handshake, and the HTTP payload / TLS SNI that the
# layer7 and tls-host matchers inspect is only carried in those later packets;
# the src-address and in-interface=bridge accepts additionally let every new
# LAN-originated connection through. With this order the block rules are never
# reached -- they need to sit above all three accepts.
add action=accept chain=forward comment="Allow established, related connections" connection-state=established,related
add action=accept chain=forward comment="Accept ICMP (ping)" protocol=icmp
add action=accept chain=forward comment="Allow everything from Main Router" src-address=192.168.40.0/24
add action=accept chain=forward comment="Allow connect to outside internet" in-interface=bridge
# Only TCP 80/443 is inspected here; UDP/443 (QUIC) would not be covered by this
# rule -- confirm whether that matters for the sites being blocked.
add action=drop chain=forward comment="Block website TLS Host" dst-port=80,443 protocol=tcp tls-host=*draugiem.lv
add action=drop chain=forward comment="Block website Layer 7" layer7-protocol=blocked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=\
ether1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" \
dst-address-list=NotPublic in-interface=bridge
add action=drop chain=forward comment="drop all from WAN not DSTNATed " connection-nat-state=!dstnat connection-state=new in-interface=\
ether1
/ip firewall nat
add action=masquerade chain=srcnat
You have to move the tls-host and layer-7 rules above the rule that accepts related/established connections. The HTTP payload and TLS SNI those matchers inspect only appear in packets sent after the TCP handshake, i.e. in a connection that is already established, so with the current order the accept rule fires first and the drop rules are never reached.
Indeed, that saved the day — thanks.
zsgodor
November 10, 2019, 4:23pm
Hi,
I have tried many filter rules, but I can't block any website. Can you help me — what am I doing wrong?
These are my firewall rules. I want to block Facebook, YouTube, and porn sites.
# nov/10/2019 17:17:26 by RouterOS 6.45.7
# software id = SHCP-ZT2V
# model = 2011L
# serial number = 3D6D02428491
/ip firewall filter
# NOTE(review): this drop rule is the first rule in the forward chain, ahead of
# the fasttrack and "accept established,related,untracked" rules below, so rule
# order is not the problem in this export. The tls-host pattern is the bare
# name, whereas the earlier working rule in this thread used a wildcard
# (*draugiem.lv); an SNI such as www.facebook.com may not match "facebook.com"
# exactly -- worth testing with tls-host=*facebook.com. Only TCP 80/443 is
# inspected; UDP/443 (QUIC) is not covered by this rule -- confirm.
*add action=drop chain=forward dst-port=80,443 protocol=tcp tls-host=
facebook.com
# --- input chain: traffic to the router itself (defconf = default config) ---
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
# WinBox (8291/tcp) is accepted from any interface here; the "drop all not
# coming from LAN" rule further down does not apply to it because this accept
# is evaluated first -- confirm that exposure on the WAN side is intended.
add action=accept chain=input comment=WINBOX dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
# --- forward chain ---
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
# NOTE(review): packets of fasttracked connections bypass the remaining filter
# rules, so any website-block rule has to stay above this one (as it does here).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=
invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface="ether1 DIGI NET"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=
out,none out-interface-list=all
# Port forwards to 192.168.88.42; no in-interface restriction, so they apply to
# matching traffic arriving on any interface.
add action=dst-nat chain=dstnat dst-port=8096 protocol=tcp src-port=""
to-addresses=192.168.88.42 to-ports=8096
add action=dst-nat chain=dstnat dst-port=55266 protocol=tcp src-port=""
to-addresses=192.168.88.42 to-ports=55266