How to block the YouTube and Facebook Android apps on a MikroTik router

Hi

I need to block Facebook and YouTube from mobile Android and iPhone devices.
I blocked them from PCs and laptops, but through the mobile apps anyone can still access Facebook and YouTube.

Hi,
So tell us how you did that on your PC and laptop?

Probably people are just typing facebook.com, which defaults to an HTTP request first, which of course the service redirects; but since the initial request is HTTP, the PC is getting “blocked” (if the users use a bookmark or have the homepage set to Facebook, I bet it doesn’t get blocked).

The app is probably using SSL by default.

In a word, your only option is to use a DNS-based method to block these services (e.g. OpenDNS), because SSL cannot be intercepted with Layer 7 rules.

If it’s just a few domains you wish to block, you can add static entries for the domain in IP > DNS > Static and resolve the host names to 127.0.0.1.

You can go a step further and redirect outbound DNS packets to your LAN interface to prevent clever users from specifying their own DNS servers on their computers.
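Putting the two steps above (static entries plus redirecting stray DNS queries back to the router) into one configuration, as an added example that is not from this thread or from MikroTik. It assumes the LAN interface is named bridge; the host names are the ones discussed in the thread and are only a starting list.

```routeros
# Added example; not from the thread. Assumes the LAN interface is "bridge".

# Let LAN clients use the router as their resolver.
/ip dns set allow-remote-requests=yes

# Static answers: each name resolves to 127.0.0.1, so the client connects to
# itself and the request goes nowhere. Static entries match exact names only,
# so every host the app talks to needs its own line.
/ip dns static
add name=facebook.com address=127.0.0.1 comment=blocked
add name=www.facebook.com address=127.0.0.1 comment=blocked
add name=youtube.com address=127.0.0.1 comment=blocked
add name=www.youtube.com address=127.0.0.1 comment=blocked
add name=m.youtube.com address=127.0.0.1 comment=blocked

# Catch DNS queries that LAN clients send to any other server (for example a
# client manually configured with 8.8.8.8) and answer them from the router
# instead, so changing the client's DNS setting does not bypass the entries.
/ip firewall nat
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 action=redirect to-ports=53 comment="LAN DNS via router"
add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 action=redirect to-ports=53 comment="LAN DNS via router"

# Check that the static entries are answered by the router itself:
/resolve www.youtube.com
```

The input chain must accept UDP and TCP port 53 from the LAN for the redirected queries to be answered. The redirect only catches classic port-53 DNS: as later posts in this thread point out, a client that resolves names elsewhere (hosts file, DNScrypt, VPN) or an app that already knows the server IPs is unaffected, which is why the address-list approach discussed further down is the more robust one.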

Maybe use the MikroTik DNS server and create static DNS entries for all Facebook DNS names.

I have tested 13k static entries in DNS and 7000 in an address-list on an RB951G and it works OK.

The problem is obtaining the Facebook hosts’ DNS names.

Using MikroTik as a DNS server is not enough; many services have hard-coded DNS servers. Google Chrome, for example, will use Google DNS regardless of your settings, so your only option is to hijack DNS requests. Many ISPs do this as a way to block websites, as it is very cheap in resources and administration.

I would not suggest blocking YouTube or Facebook completely. Many tutorials and video lessons are available on YouTube. There are plenty of math tutorials on YouTube, for example, and many other useful and beneficial things. Many use Facebook for organising events, so that’s a positive use of Facebook.

If you block these things (whether you are a workplace or school), people will use proxies and such, so that’s not the best way to deal with it. I would block Facebook games and apps (not the phone app), but Facebook is also a way for people to get in touch other than email and SMS. Many useless and low-quality browser games use Facebook and are basically free to play, but the game quality is so bad that blocking it would be a help (you would also have to block those sites too).

MikroTik makes it so you can’t install any software onto their routers; what some organisations do is just install a Linux server and configure it to be a router so they can install customised filtering software, which makes it easy to deal with things that reduce productivity. You can use multiple hijacking techniques and force use of a web proxy server (you can actually run Squid, SquidGuard and ClamAV on a Ubiquiti EdgeRouter, which I do), but it may not work on apps. I do know that the Facebook app uses web code, so it is actually a web browser only pointing to Facebook (it explains their high resource usage and battery draining).

If you are a parent and just want to stop your kids from wasting time with these things, then blocking these things entirely doesn’t help; rather, you should just block the unhelpful Facebook features and perhaps put them on the lowest priority in QoS (or put some bandwidth limitations on them to slow them down and encourage the kids to do other things).

MikroTik offers a scripted method of blocking sites here: http://wiki.mikrotik.com/wiki/Manual:Scripting-examples#Block_access_to_specific_websites

Catching DNS requests and redirecting them is called hijacking.

Thank you for your reply.

My firewall setup to block Facebook and YouTube from PC and laptop:

  • from L7 create Regexp ^.+(facebook.com).*$
  • create Filter Rule chain: forward Src.Address=192.168.1.2/24 layer 7 protocol= facebook Action=Drop

I need someone who has blocked the Facebook app on mobile.

If the app is using an encrypted connection you cannot catch it with L7; it seems you have to find all Facebook IPs!!

I used this regular expression and worked to stop youtube app on phones, tablets as well as on computer browsers.

Regular Expression to copy:
^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.com|s.ytimg.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|googlevideo.com|youtu.be).*$

I have also recorded a video showing how to make the config if you like to watch it:
https://www.youtube.com/watch?v=6oAiUGAsfEY

You should start using the DNS-based IP address list feature available in ROS v6.36.

block www.youtube.com, youtube.com, m.youtube.com, etc.
That will block them from any sort of communication, not just http/https.

Furthermore, it will block even SSL communications.
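A worked configuration for the DNS-based address list described above, added here as an example that is not from this thread or from MikroTik. It assumes RouterOS 6.36 or later, a LAN of 192.168.1.0/24 and a list named blocked-sites, and shows the layer-7 rule used earlier in the thread beside it for comparison.

```routeros
# Added example; not from the thread. Assumes RouterOS >= 6.36, LAN 192.168.1.0/24.

# A hostname in an address list is resolved by the router at once; every IP in
# the DNS answer becomes a dynamic entry whose timeout follows the DNS TTL.
/ip firewall address-list
add list=blocked-sites address=youtube.com
add list=blocked-sites address=www.youtube.com
add list=blocked-sites address=m.youtube.com
add list=blocked-sites address=facebook.com
add list=blocked-sites address=www.facebook.com

# Match on destination IP, so HTTP, HTTPS, QUIC over UDP and app traffic are
# all dropped whether or not the hostname is ever visible in the payload.
# Place this above any general "accept established" rule in the forward chain.
/ip firewall filter
add chain=forward src-address=192.168.1.0/24 dst-address-list=blocked-sites action=drop comment="blocked-sites"

# The layer-7 approach used earlier in the thread, for comparison: it inspects
# only the first packets of a connection and matches only when the hostname
# appears there in plain text, which is why it caught browsers but not the app.
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook.com).*\$"
/ip firewall filter
add chain=forward src-address=192.168.1.0/24 layer7-protocol=facebook action=drop comment="L7 only"

# Inspect what actually got added (dynamic entries show a timeout):
/ip firewall address-list print where list=blocked-sites
```

Only the addresses returned for the exact names you listed are blocked; as the explanation of this feature later in the thread spells out, there is no wildcard or regex form, so a service that spreads across many hostnames (the googlevideo.com names in the YouTube regexp above, for instance) needs each name it uses added explicitly.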

If this is for a corporate network, you should be installing a transparent HTTPS proxy with a custom root certificate on the clients so you can inspect actual HTTP traffic and apply internet access policy there. There are many such appliances you can get for this; messing around with blocking DNS and IP ranges is not a very reliable solution.

Yes, for them it is a solution; for us it is a problem.

Let’s consider that we do regular HTTPS over TCP. [Chrome and Android use QUIC to get data securely, which is Google proprietary technology and is based on UDP.]

Although HTTPS as such cannot be intercepted with layer-7 filters, you can disrupt the connection before SSL is fully negotiated. The certificate exchange takes place “in cleartext”, so you can use layer7 to match the certificate common name or serial, then do your stuff (mark/drop/reject) on the matched connection. This is not as “surgical” as it would be with URL matching, as multiple sites/services can use the same cert, and if you block it, you will block connections to all of them.

Theoretically.

“L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data.”
I don’t know how to interpret this, but in my case (see screenshot) the certificate is sent in packets 6, 7, 8 and 9, which would fit in there, but the 2k limit is not enough. In this case you can match the certificate serial number and the common name.
Alternatively you could match on the TLS Client Hello message (packet #5), where the server name is sent as cleartext, and block it.

Now I am trying to put it together, but have had no success so far.
[attached screenshots: youtube2.png, youtube-cert-pcap.png]

It finally did the job for me!

The goal was to block YouTube on my son’s iPad. After running that script it blocked the YouTube site (even on HTTPS), but still, the app on the iPad was working fine. I changed the line:

    :if (([:find $cacheName "rapidshare"] != 0) || ([:find $cacheName "youtube"] != 0)) do={

to:

    :if ([:find $cacheName "ytimg"] != 0) do={

and that did the job!

If you want to block a specific device, you only have to remember to set the proper source address or source MAC.

Thank you for your help.

Unfortunately my happiness didn’t last too long… The script works, but once it’s started, the CPU usage is 100%… Can anybody see and say something clever? :)

:foreach i in=[/ip dns cache find] do={
    :local bNew "true";
    :local cacheName [/ip dns cache all get $i name] ;
#    :put $cacheName;

    :if ([:find $cacheName "ytimg"] != 0) do={

        :local tmpAddress [/ip dns cache get $i address] ;
#	:put $tmpAddress;

# if address list is empty do not check
        :if ( [/ip firewall address-list find list="restricted" ] = "") do={
            :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
            /ip firewall address-list add address=$tmpAddress list=restricted comment=$cacheName;
        } else={
            :foreach j in=[/ip firewall address-list find list="restricted"] do={
                :if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={
                    :set bNew "false";
                }
            }
            :if ( $bNew = "true" ) do={
                :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
                /ip firewall address-list add address=$tmpAddress list=restricted comment=$cacheName;
            }
        }
    }
}

EDIT
I have erased the lines starting with “#” and it helped…

ZeroByte: Just wanted to thank you for pointing this out. I hadn’t realized that address lists in 6.36 supported DNS-based IPs. It is really going to simplify my design. Hopefully address lists will support regular expressions in a future release. FYI to the other members, adding a CNAME to the address list seems to add dynamic entries for all associated A record IP addresses.

It doesn’t seem likely that there will ever be regex support in this feature because of how it works.
Whenever you define a hostname in an address list, the router immediately performs a DNS lookup on the name you specified, and all IP addresses returned by the DNS server are added as dynamic IP entries in the list, with timeouts set the same as the TTL returned by DNS. In other words, the IPs cannot live in the list for any longer than DNS…

Ok, so far so good, but why can’t you use regex here?

It has been best practice for at least as long as I have been in the industry (since the 90s) to deny anyone having access to read your entire zone - in other words, DNS is like that children’s card game “go fish” - clients may ask any name they like, and the DNS server will give the answer if it has one, or else say “not found” (i.e. ‘go fish’). You can’t just say “give me all of your cards.”
So you can’t say to a DNS server: give me every possible name you have that ends in google.com.

So when you specify a regex, that’s essentially what you’re doing…

Another complication is that reverse DNS doesn’t necessarily match forward DNS. Since the packet filter table is dealing in packets and IP addresses (not names), it doesn’t know what name may or may not map to a certain IP address. Take the famous 8.8.8.8 public DNS server at Google… I could go into my own DNS server, and set a host name “silly.dns.server.example.com” and resolve that to 8.8.8.8 How would the firewall know that I had typed “ping silly.dns.server.example.com” to generate ICMP echo requests to 8.8.8.8?

One thing that could be done is to snoop DNS and if any DNS replies contain hostnames which match your definition, then the IP addresses contained in those DNS responses could be added to the address list… This could be worked around by clever clients though - if they know which hostnames are going to be used and a valid IP to go with them, they could just place these hostnames into their local hosts file and bypass the DNS snooping. Or they could use DNScrypt, or VPN…

In the end, blocking outgoing user activity is a never-ending battle. Like Princess Leia told Governor Tarkin: “The more you tighten your grip, the more star systems will slip through your fingers.”

Works
https://www.youtube.com/watch?v=Sf4XePdJ5Ug