Layer 7 Blocking website

Hi!
I’m trying to block some website.
For example, now it’s Facebook.
I made a new Layer 7 protocol with the following regexp: ^.(facebook).$
I added a new filter rule:
chain forward src.address 0.0.0.0/0 action: drop
It works almost perfectly. It blocks some other websites too (that don’t contain facebook). What could be the mistake?
But when I want to add an exception, it doesn’t work:
I made a new rule:
chain forward src.address. 10.0.0.121 action: accept
But I still can’t browse Facebook on that computer.

How can I make exceptions?

Is it possible, when I block a webpage like this, to redirect the users to another webpage that I make?
Thanks for the answers!
Daniel

Hi Daniel

You have to mark the layer7 option in the firewall-----filter------advanced------layer7


Hope that will help

Regards,
Hadeel

Hi!
Thanks for the answers, but I marked it. :)

Firewall rules are hierarchical. So, make sure to place the exemption rule above the block rule.

Hi!
Here are the first 7 lines of the filter config:

[admindani@VG0101ROU] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; index.hu
chain=forward action=accept src-address=0.0.0.0/0 layer7-protocol=index.hu

1 ;;; hvg.hu
chain=forward action=accept src-address=0.0.0.0/0 layer7-protocol=hvg.hu
2 ;;; startlap.hu
chain=forward action=accept src-address=0.0.0.0/0 layer7-protocol=startlap
3 ;;; hetivalasz
chain=forward action=accept src-address=0.0.0.0/0
layer7-protocol=hetivalasz
4 ;;; hir24.hu
chain=forward action=accept src-address=0.0.0.0/0 layer7-protocol=hir24
5 chain=forward action=accept src-address=10.0.0.1 layer7-protocol=facebook
6 X chain=forward action=log src-address=0.0.0.0/0 layer7-protocol=facebook
log-prefix=""
7 ;;; Facebook tilt s
chain=forward action=drop src-address=0.0.0.0/0 layer7-protocol=facebook

As you can see, filter number 7 drops the packets from all IPs, but filter number 5 should add 10.0.0.1 to the exceptions. But it doesn’t work. :S

I have the solution.
I didn’t choose the protocol and the port.
After I set the protocol to tcp and the port to 80 and 443, it works perfectly.
Hope this will help others. :)
Thanks for the help!
Daniel
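
The rule order and the tcp 80/443 matchers discussed in this thread, modelled as an added Python example (not code from any poster, and not RouterOS itself). It assumes first-match evaluation with a default accept, treats the `facebook` layer 7 protocol as a plain substring search, and uses constructed packets; 10.0.0.50 and news.example are made-up values.

```python
import re
from ipaddress import ip_address, ip_network

# Stand-in for the thread's "facebook" layer 7 protocol (assumption: it acts
# as a substring search over the data collected at the start of a connection).
L7 = {"facebook": re.compile(rb"facebook")}

def matches(rule, pkt):
    """True when every matcher that is set on the rule agrees with the packet."""
    if ip_address(pkt["src"]) not in ip_network(rule.get("src", "0.0.0.0/0")):
        return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "port" in rule and not {pkt["sport"], pkt["dport"]} & set(rule["port"]):
        return False
    if "l7" in rule and not L7[rule["l7"]].search(pkt["stream"]):
        return False
    return True

def verdict(rules, pkt):
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"  # nothing matched: the packet passes

def http(src, host, extra=b""):
    """Constructed sample: one packet plus the start of its HTTP stream."""
    stream = b"GET / HTTP/1.1\r\nHost: " + host + b"\r\n" + extra + b"\r\n"
    return {"src": src, "protocol": "tcp", "sport": 50000, "dport": 80,
            "stream": stream}

EXEMPT = {"action": "accept", "src": "10.0.0.121/32", "protocol": "tcp",
          "port": [80, 443], "l7": "facebook"}
DROP = {"action": "drop", "protocol": "tcp", "port": [80, 443], "l7": "facebook"}

fb_exempt = http("10.0.0.121", b"www.facebook.com")
fb_other = http("10.0.0.50", b"www.facebook.com")
# A different site whose request still carries the string in a header.
other_site = http("10.0.0.50", b"news.example",
                  b"Referer: http://www.facebook.com/\r\n")
plain = http("10.0.0.50", b"news.example")

if __name__ == "__main__":
    for name, rules in (("exempt first", [EXEMPT, DROP]),
                        ("drop first", [DROP, EXEMPT])):
        for label, pkt in (("exempt host", fb_exempt), ("other host", fb_other),
                           ("referer only", other_site), ("unrelated", plain)):
            print(f"{name:13} {label:13} {verdict(rules, pkt)}")
```
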

What if I want to block 10 000 websites?
Is there any possible way to do that?