Community discussions

 
xMikes04
just joined
Topic Author
Posts: 9
Joined: Thu Jan 03, 2013 9:52 am

Layer 7 facebook block

Tue Apr 02, 2013 2:13 pm

Hi guys,

In our company we want to block facebook page. So i decided to use layer 7 protocol. Iv put ^(.*)(facebook)(.*)$ as a regexp value and in firewall set this parameters.

/ip firewall layer7-protocol
add name="Deny worktime" regexp="^(.*)(facebook)(.*)\$"
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward disabled=no layer7-protocol="Deny worktime" \
src-address=192.168.5.1-192.168.5.49
add action=drop chain=forward disabled=yes layer7-protocol="Deny worktime" \
src-address=192.168.5.0/24 time=8h-12h,mon,tue,wed,thu,fri
add action=drop chain=forward disabled=yes layer7-protocol="Deny worktime" \
src-address=192.168.5.0/24 time=13h-17h,mon,tue,wed,thu,fri
add action=drop chain=forward disabled=no dst-port=443 layer7-protocol=\
"Deny worktime" protocol=tcp src-address=0.0.0.0/0 src-port=""
add action=drop chain=forward disabled=no dst-port=80 layer7-protocol=\
"Deny worktime" protocol=tcp src-address=0.0.0.0/0 src-port=""


Rule work perfectly BUT it block more page than facebook. And some page are available in chome and not in IE or firefox. Others are available in IE bud not in chrome... and so on... Facebook is blocked in all browsers

Any ideas?? :?
 
User avatar
cbrown
Trainer
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

Re: Layer 7 facebook block

Tue Apr 02, 2013 6:12 pm

Using layer7 to block facebook causes a lot of problems. It is better to block facebook via IP addresses like this.

/ip firewall filter
add action=drop chain=forward comment="Block Facebook" dst-address=\
74.119.76.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
173.252.64.0/18
add action=drop chain=forward comment="Block Facebook" dst-address=\
204.15.20.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
66.220.144.0/20
add action=drop chain=forward comment="Block Facebook" dst-address=\
69.171.224.0/19
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179

Next Training
https://www.cbrown.co/2019/04/08/mtcna-june2019-wv/
 
xMikes04
just joined
Topic Author
Posts: 9
Joined: Thu Jan 03, 2013 9:52 am

Re: Layer 7 facebook block

Thu Apr 04, 2013 3:01 pm

All right ill try your way :) btw where u got thoose IPs?
 
User avatar
cbrown
Trainer
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

Layer 7 facebook block

Fri Apr 05, 2013 1:02 am

C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179

Next Training
https://www.cbrown.co/2019/04/08/mtcna-june2019-wv/
 
xMikes04
just joined
Topic Author
Posts: 9
Joined: Thu Jan 03, 2013 9:52 am

Re: Layer 7 facebook block

Fri Apr 05, 2013 1:20 am

Oh thank you. Do u thing that will work what i did? I ping fb page and make that ip static record do dns. Then i make rules out of it. I did same for youtube and badoo.

And one more question. I need to block exe and msi files. Is it "save" solve it throu content?

Cheers ;-)

Odesláno z mého GT-I9300 pomocí Tapatalk 2
 
nysokheng
just joined
Posts: 2
Joined: Fri Aug 23, 2013 7:35 am

Re: Layer 7 facebook block

Fri Aug 23, 2013 7:38 am

Using layer7 to block facebook causes a lot of problems. It is better to block facebook via IP addresses like this.

/ip firewall filter
add action=drop chain=forward comment="Block Facebook" dst-address=\
74.119.76.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
173.252.64.0/18
add action=drop chain=forward comment="Block Facebook" dst-address=\
204.15.20.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
66.220.144.0/20
add action=drop chain=forward comment="Block Facebook" dst-address=\
69.171.224.0/19
Hi cbrown. I tested with your rules and it works. but now I want to block Youtube using the dst-address. but which ip should I use? I cannot get it working.
 
martinclaro
just joined
Posts: 6
Joined: Sat Sep 28, 2013 6:08 am
Location: Buenos Aires, Argentina
Contact:

Re: Layer 7 facebook block

Sat Sep 28, 2013 6:18 am

Also you can update those rules by using whois in a linux/unix/mac box running the following commands:

echo "/ip firewall filter" ; whois -h whois.radb.net -- '-i origin AS32934' | grep '^route:' | sort -n | uniq | awk '{print "add action=drop chain=forward comment=Facebook dst-address="$2}'

echo "/ipv6 firewall filter" ; whois -h whois.radb.net -- '-i origin AS32934' | grep '^route6:' | sort -n | uniq | awk '{print "add action=drop chain=forward comment=Facebook dst-address="$2}'

You can modify awk command to fit your needs.
Martín C. @ TopHost Soluciones
MTCNA / MTCTCE
CCR1009-7G-1C-1S+ / CHR / RB760iGS (hEX S) / RB962UiGS (hAP ac) / RB951G / mAP-2n / wAP-ac / RBwAPG-60ad-A (wAP 60G AP) / CRS326-24G-2S+
 
deejayq
Member Candidate
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: Layer 7 facebook block

Mon Sep 30, 2013 10:12 am

xMikes04, your regex layer7-protocol is ok but it should be used in dns requests
reject dns packets to any server with dst-port 53 and which hit the layer7-protocol
also fbcdn.net should be blocked
 
User avatar
saintofinternet
Forum Veteran
Forum Veteran
Posts: 757
Joined: Thu Oct 15, 2009 3:52 am

Re: Layer 7 facebook block

Wed Oct 02, 2013 4:35 pm

i want to allow the following:

gmail.com (only for emails)
yahoo.com (only for emails)
100.30.20.10
gregsowell.com
ports: 995, 465, 25, 110, and
ports: 8080, 8000 for only internal IP 192.168.1.101

i also have a L2TP+IPSEC VPN running on the same router right now....

everything else from inside the network should be blocked....

ETHER1 --> WAN with Fixed IP
ETHER2 to ETHER5 --> LAN Bridged Ports (IP RANGE: 192.168.1.150 - 192.168.1.250)
MASQUERADE --> ENABLED

i am getting pretty confused with all this above conditions.... all help in this is highly appreciated... please....help me!!!

Shifting from Pure Mikrotik Wireless to Firewall's from Mikrotik as an additional service....hence facing hurdles...
by professionals, for professionals....
Don't forget to give KARMA!!!
 
jaykay2342
Member
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Layer 7 facebook block

Tue Oct 15, 2013 8:27 pm

i want to allow the following:

gmail.com (only for emails)
yahoo.com (only for emails)
100.30.20.10
gregsowell.com
ports: 995, 465, 25, 110, and
ports: 8080, 8000 for only internal IP 192.168.1.101
sound like a company scenario, in such cases i recommend to allow http traffic only via a proxy server. it much easier to make a URL based to filter such stuff. For example: To block/allow only parts of the google services you need to intercept the encrypted https connection anyway. Some proxies can do that but you clients need to install and trust the the proxies certificate, otherwise the browsers will complain and show a warning and that's absolutely correct because technical you're doing a man in the middle "attack".
9-5 Job: Securityanalyst at a major MSSP.
Free time volunteer: Networkadmin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
ithink
newbie
Posts: 30
Joined: Sat Dec 01, 2012 12:57 pm
Location: Albania
Contact:

Re: Layer 7 facebook block

Mon Feb 24, 2014 4:32 pm

I want to allow the following:

gmail.com (only for emails)
yahoo.com (only for emails)
or another website with https port 443

1 ;;; WebProxy
chain=dstnat action=redirect to-ports=8080 protocol=tcp src-address=192.168.0.0/25 
     dst-port=80,443
All https are block and I want to expect two:
One for login in gmail account and the secont for login in another https://aaaaa.xxxx......

Is this posible because I make some test on web proxy access but nothing
 
RazorMK
just joined
Posts: 21
Joined: Wed Jan 14, 2015 9:08 am

Re: Layer 7 facebook block

Fri Jan 23, 2015 10:00 am

Using layer7 to block facebook causes a lot of problems. It is better to block facebook via IP addresses like this.

/ip firewall filter
add action=drop chain=forward comment="Block Facebook" dst-address=\
74.119.76.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
173.252.64.0/18
add action=drop chain=forward comment="Block Facebook" dst-address=\
204.15.20.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
66.220.144.0/20
add action=drop chain=forward comment="Block Facebook" dst-address=\
69.171.224.0/19
I added these and its blocked, but i want to make an exception for some ip's on the network, where can i put the addresses that i want to be able to access fb ?
 
User avatar
CyberTod
Long time Member
Long time Member
Posts: 511
Joined: Wed Jan 25, 2012 10:23 am

Re: Layer 7 facebook block

Fri Jan 23, 2015 10:05 am

Put another rule for any ip you want to access facebook above those with :
add action=accept chain=forward src-address=<allowed ip>

But this rule will allow them everything so if you have some other restrictions you need to arrange the order.
 
pfalzon
just joined
Posts: 1
Joined: Wed Feb 11, 2015 7:14 pm

Re: Layer 7 facebook block

Wed Feb 11, 2015 7:52 pm

Dear all,

I have been trying to block Facebook from our MikroTik router, but till now, I just can not manage. I have tried basically everything from blocking individual IP's to changing the DNS to point to openDNS (which was configured to block social networks) to using the layer7 method. Nothing. I am a bit lost to be honest, and I am quite new with MikroTik.

We currently have have two WLAN networks configured, one is corporate and the other one is a guest network. The guest network is fire-walled, so that no one can access the corporate LAN.

Image
 
loveman
Member
Member
Posts: 309
Joined: Tue Mar 10, 2015 9:32 pm

Re: Layer 7 facebook block

Fri Sep 25, 2015 11:48 pm

Hi
I need to block viber any one have idea
 
Akaii112
just joined
Posts: 1
Joined: Sat Sep 26, 2015 7:13 pm

Re: Layer 7 facebook block

Sat Sep 26, 2015 7:27 pm

well you can use squid to block fb but you have to use a modified version of squid to do it and you will need a box which can run it but once your setup and running it is smooth sailing, the dns blacklist and layer7 is unreliable so I use the ssl bumping to block fb at my work place I have set up two http/https redirect rules on the routerboard which is controlled via sheduling and set up filtering on the squid box based on acl which controls access. but ssl bumping is illegal even for Facebook in most cases, so consult with your legal folks at your company.
 
User avatar
dunga
Member Candidate
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: Layer 7 facebook block

Tue Nov 03, 2015 4:45 pm

plz, I need these type of setup for our network. We want to block facebook for some staff from 9am(9:00 till 15hrs) but allow it for some systems, using their mac addresses to except them from the facebook blocking.

I need the steps and possible way of doing it.

Thanks
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1651
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Layer 7 facebook block

Tue Nov 03, 2015 5:07 pm

i use opendns
 
loveman
Member
Member
Posts: 309
Joined: Tue Mar 10, 2015 9:32 pm

Re: Layer 7 facebook block

Tue Nov 03, 2015 7:43 pm

i use opendns
Every think you can drop, block
With open dns?
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1651
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Layer 7 facebook block

Tue Nov 03, 2015 8:43 pm

i use opendns
Every think you can drop, block
With open dns?

using opendns is an indirect way to block access to some sites avoiding to resolve dns to this sites
 
loveman
Member
Member
Posts: 309
Joined: Tue Mar 10, 2015 9:32 pm

Re: Layer 7 facebook block

Wed Nov 04, 2015 1:46 pm

i use opendns
Every think you can drop, block
With open dns?

using opendns is an indirect way to block access to some sites avoiding to resolve dns to this sites
Write your method buz i am and all one benefit from method
 
User avatar
hgonzale
Member Candidate
Member Candidate
Posts: 267
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain
Contact:

Re: Layer 7 facebook block

Wed Nov 04, 2015 6:04 pm

You can setup in your mikrotik (if it is the DNS server and you redirect the other dns queries to itself) a static DNS entry for www.facebook.com to 10.0.0.1 (nonexistent IP) and "ready".
Is not pretty... but.... it could work
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1651
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Layer 7 facebook block

Wed Nov 04, 2015 6:05 pm

Write your method buz i am and all one benefit from method
1. Create a free personal account on https://www.opendns.com/

2. Login to opendns dashboard and set your ip, and filtering settings if you have dynamic wan ip you need to install client on some pc.

3. Activate dns cache on mikrotik, be sure of block inbound dns queries from internet to avoid amplification dns attack

4. Set dns on mikrotik to open dns servers 208.67.222.222-208.67.220.220

5. Set your dhcp setting to use mikrotik ip as dns for clients

6. Test your config, take in mind some changes on opendns take up to 10 minutes to be effective sometimes require clean dns cache on mikrotik and client.

7. If you have some clever users changing client machine dns you have to block in the firewall.
 
loveman
Member
Member
Posts: 309
Joined: Tue Mar 10, 2015 9:32 pm

Re: Layer 7 facebook block

Fri Nov 06, 2015 11:20 pm

Write your method buz i am and all one benefit from method
1. Create a free personal account on https://www.opendns.com/

2. Login to opendns dashboard and set your ip, and filtering settings if you have dynamic wan ip you need to install client on some pc.

3. Activate dns cache on mikrotik, be sure of block inbound dns queries from internet to avoid amplification dns attack

4. Set dns on mikrotik to open dns servers 208.67.222.222-208.67.220.220

5. Set your dhcp setting to use mikrotik ip as dns for clients

6. Test your config, take in mind some changes on opendns take up to 10 minutes to be effective sometimes require clean dns cache on mikrotik and client.

7. If you have some clever users changing client machine dns you have to block in the firewall.
Thank you
208.67.222.222-208.67.220.220 , this ip take you a example or ip for open dns?
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1651
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Layer 7 facebook block

Fri Nov 06, 2015 11:44 pm

 
loveman
Member
Member
Posts: 309
Joined: Tue Mar 10, 2015 9:32 pm

Re: Layer 7 facebook block

Sat Nov 07, 2015 7:28 am

 
dzeisons
just joined
Posts: 6
Joined: Mon Aug 09, 2010 11:40 am

Re: Layer 7 facebook block

Wed May 31, 2017 5:20 pm

Hi!
But is it possible to make regexp to work only for specific file, for example www.mysite.com/something.php ???
So the main site is working, but something.php - not.
 
SilverNodashi
Frequent Visitor
Frequent Visitor
Posts: 69
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa
Contact:

Re: Layer 7 facebook block

Tue Sep 05, 2017 10:07 am

Using layer7 to block facebook causes a lot of problems. It is better to block facebook via IP addresses like this.

/ip firewall filter
add action=drop chain=forward comment="Block Facebook" dst-address=\
74.119.76.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
173.252.64.0/18
add action=drop chain=forward comment="Block Facebook" dst-address=\
204.15.20.0/22
add action=drop chain=forward comment="Block Facebook" dst-address=\
66.220.144.0/20
add action=drop chain=forward comment="Block Facebook" dst-address=\
69.171.224.0/19

Please explain why it's a bad idea to use Layer7 to block Facebook and other websites?
 
msatter
Forum Guru
Forum Guru
Posts: 1161
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Layer 7 facebook block

Tue Sep 05, 2017 12:25 pm

Blocking Facebook by direct IP is ISP depended because for each different ISP facebook can supply dedicated servers. When you use the use the DNS from your provider then you reach the facebook servers in the network of the ISP.

If you use the DNS from Google or OpenDNS the you go Facebook central. Even Google can filter your DNS request if the put their DNS server in your country and then direct to facebook servers in your country.

The only good way to block sites is doing with an own DNS, filtering xxx.xxx.facebook.com by only .facebook.com filter string.

Link to blocking by DNSMasq: viewtopic.php?f=13&t=118980&hilit=Facebook#p586318

Facebook, WhatsApp and Instagram.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.10
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
ebreyit
Member Candidate
Member Candidate
Posts: 118
Joined: Tue Apr 30, 2013 11:44 am
Location: Shropshire, United Kingdom

Re: Layer 7 facebook block

Mon Sep 11, 2017 2:06 am

Firewall address list supports domain names and dynamically adds IP entry to same address list.

Provided you use the Mikrotik as the DNS server it will always server up the same IP address/s of the specified domains and subsequently drop the traffic


Add address as follows
 ip firewall address-list add address=facebook.com list=blocked
 ip firewall address-list add address=www.facebook.com list=blocked
etc

then add a new firewall rule to drop the traffic and make sure it's in the right position in your firewall rules
 ip firewall filter add chain=forward dst-address-list=blocked action=drop
Or you could
 ip firewall filter add chain=forward dst-address-list=blocked action=reject reject-with=icmp-host-prohibited

Who is online

Users browsing this forum: No registered users and 30 guests