hsabrey

Allow certain websites and block others

Mon Nov 05, 2018 10:36 pm

Hello Friends,

I'm required to block all web traffic but allow only certain local county websites and the following too:
yahoo mail
google gmail
hotmail
outlook

I tried to use the access lists and added static and dynamic addresses for these websites, and then added a firewall filter rule to accept access to this access-list I made and block others. It did not work for Yahoo, Google, Hotmail and Outlook, and was very slow for the local website.
Below is the command line for the firewall and access-list. I appreciate your support.
## Access-list config
/ip firewall address-list
add address=mail.google.com list=Access
add address=gmail.com list=Access
add address=www.gmail.com list=Access
add address=mail.yahoo.com list=Access
add address=yahoomail.com list=Access
add address=yahoo.com list=Access
add address=hotmail.com list=Access
add address=outlook.com list=Access
add address=www.outlook.com list=Access
##
## Firewall config
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
add action=accept chain=forward comment="Block Webaccess except Address-list" dst-address-list=Access dst-port=80,443 log-prefix=AcApt protocol=tcp src-address=192.168.96.0/20
add action=drop chain=forward comment="Block Webaccess except Address-list" disabled=yes dst-address-list=!Access dst-port=80,443 protocol=tcp src-address=192.168.96.0/20
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes dst-port=!8728,4040,8291,1982 in-interface=250.Office-ether1-gateway protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related log=yes log-prefix=FTC::
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=250.Office-ether1-gateway
add action=accept chain=input comment=Simple.Firewall disabled=yes protocol=icmp
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
add action=drop chain=input disabled=yes in-interface=\
    250.Office-ether1-gateway
add action=accept chain=forward connection-state=established disabled=yes
add action=accept chain=forward connection-state=related disabled=yes
add action=drop chain=forward connection-state=invalid disabled=yes
Many thanks
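
An added illustration, not part of the original post: a small Python model of first-match evaluation over four of the forward-chain rules exported above, showing what `disabled=yes` on the drop rule means for a new web connection to a destination outside the `Access` list. The sample addresses, the `enable_all` switch and the function names are constructed for this example, and it assumes RouterOS accepts a packet that no filter rule matches.

```python
import ipaddress
import shlex

# Forward-chain rules copied from the export above (subset that can match new web connections).
RULES = r'''
add action=accept chain=forward comment="Block Webaccess except Address-list" dst-address-list=Access dst-port=80,443 log-prefix=AcApt protocol=tcp src-address=192.168.96.0/20
add action=drop chain=forward comment="Block Webaccess except Address-list" disabled=yes dst-address-list=!Access dst-port=80,443 protocol=tcp src-address=192.168.96.0/20
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
'''

# Constructed sample data: one address standing in for the resolved "Access" list,
# and a new HTTPS connection from a LAN client to an address that is not on it.
ACCESS_IPS = {"203.0.113.10"}
NEW_WEB = {"chain": "forward", "protocol": "tcp", "src": "192.168.96.25",
           "dst": "198.51.100.7", "dport": 443, "state": "new"}

def parse(text):
    """Turn each 'add key=value ...' line into a dict of its properties."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

def matches(rule, pkt, access_ips):
    """True when every matcher present on the rule agrees with the packet."""
    if rule["chain"] != pkt["chain"]:
        return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "src-address" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src-address"]):
        return False
    if "dst-port" in rule and str(pkt["dport"]) not in rule["dst-port"].split(","):
        return False
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"].split(","):
        return False
    if "dst-address-list" in rule:  # only one list ("Access") exists in this export
        negated = rule["dst-address-list"].startswith("!")
        if (pkt["dst"] in access_ips) == negated:
            return False
    return True

def verdict(rules, pkt, access_ips, enable_all=False):
    """The first enabled rule that matches decides; an unmatched packet is accepted."""
    for rule in rules:
        if rule.get("disabled") == "yes" and not enable_all:
            continue
        if matches(rule, pkt, access_ips):
            return rule["action"]
    return "accept"

if __name__ == "__main__":
    rules = parse(RULES)
    print("as exported:       ", verdict(rules, NEW_WEB, ACCESS_IPS))
    print("drop rule enabled: ", verdict(rules, NEW_WEB, ACCESS_IPS, enable_all=True))
```

As exported, the connection to the unlisted address is accepted because the only rule that would drop it is disabled; with that rule enabled the same connection is dropped, while destinations on the list are still accepted by the rule above it.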
