Webproxy: Https

Good morning.

I’m sure people already came across this issue, although I couldn’t find anything on forums.

I have built a webfilter for the company I work in, using the Mikrotik Webproxy, and it works like a charm, except for one thing.

https://www.facebook.com

HTTP I block fine; however, HTTPS is giving me hell. My first instinct was to drop all port 443 traffic altogether, but it created more problems than it solved, since they use a lot of legitimate HTTPS sites for work.

My aim for this exercise was to block websites that waste time at work, my main target being Facebook, and this whole HTTPS workaround is defeating the purpose of it all.

Messing with DNS is not an option, since 2 or 3 machines in the hotel actually need Facebook for work promotions.

Any ideas?

Firstly,
Only HTTP traffic is supported in the web proxy's transparent mode. The HTTPS and FTP protocols are not going to work this way.

You can block TCP port 443 traffic that belongs to Facebook (Facebook uses a bunch of IP addresses) in /ip firewall filter.

That’s what worried me.

So essentially, if Facebook decide to tinker with their IPs, the next DNS refresh will render me helpless, unless I keep checking them constantly.

This example covers all known Facebook addresses:

# Collect the Facebook prefixes in one address list so the filter rule
# only has to reference the list, not each prefix.
/ip firewall address-list
add address=66.220.144.0/20 disabled=no list=facebook_ip_addresses
add address=69.63.176.0/20 disabled=no list=facebook_ip_addresses
add address=204.15.20.0/22 disabled=no list=facebook_ip_addresses
# Drop forwarded TCP/443 towards anything in the list; other HTTPS sites
# are unaffected because they do not match the address list.
/ip firewall filter
add action=drop chain=forward disabled=no dst-address-list=\
    facebook_ip_addresses dst-port=443 protocol=tcp

Not really:

http://bgp.he.net/AS32934#_prefixes :
66.220.144.0/21
66.220.152.0/21
66.220.159.0/24
69.63.176.0/21
69.63.184.0/21
69.171.224.0/20
69.171.239.0/24
69.171.240.0/20
69.171.255.0/24
74.119.76.0/22
204.15.20.0/22

http://bgp.he.net/AS32934#_prefixes6 :
2620:0000:1c00::/40

EDIT: IPv4 summarized:
66.220.144.0/20
69.63.176.0/20
69.171.224.0/19
74.119.76.0/22
204.15.20.0/22

You can easily add them to the address list :)
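As an added example (not part of the thread, and not MikroTik's or Facebook's code), the script below does the two things the last two posts do by hand: it collapses the AS32934 prefixes quoted from bgp.he.net into the summarized list, and it checks which of those prefixes the three-entry address list posted earlier does not cover, i.e. which destinations would still reach port 443 despite the drop rule. It then prints the address-list entries in the same `/ip firewall address-list` form used in the thread. The prefix list is a snapshot copied from the thread, so treat it as constructed sample input that goes stale exactly as the original poster fears; the list name `facebook_ip_addresses` is reused from the posted config.

```python
import ipaddress
from collections import defaultdict

# Constructed input: the AS32934 prefixes quoted from bgp.he.net in the thread.
AS32934_PREFIXES = [
    "66.220.144.0/21", "66.220.152.0/21", "66.220.159.0/24",
    "69.63.176.0/21", "69.63.184.0/21",
    "69.171.224.0/20", "69.171.239.0/24", "69.171.240.0/20", "69.171.255.0/24",
    "74.119.76.0/22", "204.15.20.0/22",
    "2620:0000:1c00::/40",
]

# The three entries of the address list posted earlier in the thread.
POSTED_ADDRESS_LIST = ["66.220.144.0/20", "69.63.176.0/20", "204.15.20.0/22"]


def summarize(prefixes):
    """Collapse prefixes into the smallest equivalent set, per address family.

    collapse_addresses() refuses to mix IPv4 and IPv6, so the two families
    are aggregated separately; IPv4 results come first, each family sorted.
    """
    by_version = defaultdict(list)
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        by_version[net.version].append(net)
    result = []
    for version in sorted(by_version):
        result.extend(str(n) for n in ipaddress.collapse_addresses(by_version[version]))
    return result


def uncovered(announced, address_list):
    """Return announced prefixes that no entry of the address list contains.

    Anything returned here is still reachable on TCP/443 despite the drop
    rule, because dst-address-list only matches what is in the list.
    """
    entries = [ipaddress.ip_network(e) for e in address_list]
    missing = []
    for p in announced:
        net = ipaddress.ip_network(p)
        if not any(net.version == e.version and net.subnet_of(e) for e in entries):
            missing.append(str(net))
    return missing


def routeros_address_list(prefixes, list_name):
    """Emit address-list commands in the form used in the thread (IPv4 only;
    IPv6 entries belong under /ipv6 firewall address-list instead)."""
    lines = ["/ip firewall address-list"]
    lines += [f"add address={p} list={list_name}"
              for p in prefixes if ipaddress.ip_network(p).version == 4]
    return "\n".join(lines)


if __name__ == "__main__":
    summarized = summarize(AS32934_PREFIXES)
    print(routeros_address_list(summarized, "facebook_ip_addresses"))
    gaps = uncovered(summarized, POSTED_ADDRESS_LIST)
    print("# not covered by the posted three-entry list:", ", ".join(gaps))
```

Running it reproduces the summarized IPv4 list from the EDIT above and reports 69.171.224.0/19 and 74.119.76.0/22 as missing from the posted config. It also flags 2620:0:1c00::/40, which the posted rule can never match: `/ip firewall` only sees IPv4, so if IPv6 is routed on the LAN the same drop needs a matching rule and address list under `/ipv6 firewall`. The check is worth re-running whenever the prefix list is refreshed, since a stale list is exactly how the block silently stops working.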