
 
3liswaid
newbie
Topic Author
Posts: 44
Joined: Thu Feb 14, 2019 5:12 pm
Location: Syria

Help: Allow only Facebook by domain

Thu May 02, 2019 2:49 pm

Hi,
I'm trying to allow access only to Facebook for my users,
but I failed.
All I did was mark the Facebook connection, and I succeeded. Then I allowed this connection, then I put a rule to drop the others.
Can you help me?
 
3liswaid
newbie
Topic Author
Posts: 44
Joined: Thu Feb 14, 2019 5:12 pm
Location: Syria

Re: Help: Allow only Facebook by domain

Fri May 03, 2019 10:14 am

Any idea?
I tried to block Facebook and allow all,
but the hard thing is to allow Facebook and block all.
 
pe1chl
Forum Guru
Posts: 5927
Joined: Mon Jun 08, 2015 12:09 pm

Re: Help: Allow only Facebook by domain

Fri May 03, 2019 10:26 am

You are right, that is quite hard to do. Maybe even impossible.
 
3liswaid
newbie
Topic Author
Posts: 44
Joined: Thu Feb 14, 2019 5:12 pm
Location: Syria

Re: Help: Allow only Facebook by domain

Fri May 03, 2019 10:54 am

> You are right, that is quite hard to do. Maybe even impossible.

I'm intending to apply this configuration to allow users to browse FB and WhatsApp,
because I will use a 3G modem with the router.
I can't afford for them to download torrents or browse videos.
I just want to give them social media browsing.
 
inteq
Member Candidate
Posts: 119
Joined: Wed Feb 25, 2015 8:15 pm

Re: Help: Allow only Facebook by domain

Fri May 03, 2019 11:58 am

Then allow internet access only to port 80 and 443 and drop the rest to limit p2p usage.
You can also limit your users by download size to save bandwidth.
 
nichky
Long time Member
Posts: 531
Joined: Tue Jun 23, 2015 2:35 pm

Re: Help: Allow only Facebook by domain

Fri May 03, 2019 11:44 pm

I'm wondering what sindy recommends about that.
Nikola Suminoski
MikroTik Consultant
MTCRE l MTCWE

!) Safe Mode is your friend;
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help: Allow only Facebook by domain

Sat May 04, 2019 3:07 am

My first thought would be to find the right method for blocking Facebook and do the opposite. So obviously not all are suitable for this, but the one that uses their network addresses (AS63293, AS54115, AS32934) looks like it could work.

It's not exactly what was requested (by domain), but it sort of works. If I allow access to these addresses and block the rest, www.facebook.com loads while other sites don't. Unfortunately, they don't use only these addresses. Right on the first page I have missing images from scontent.fprg2-1.fna.fbcdn.net, which I guess is some local cache, and the IP address belongs to a different subject. I don't have an account to check what's missing inside, but I'm almost sure there will be something too. Plus if one of the goals is to block videos, they do have them too, don't they?

Another way, which would really be by domain, would be some transparent TCP proxy that would understand TLS handshakes, and since the requested hostname is sent readable for SNI (at least for now, but plans to encrypt it already exist), it could allow connections to selected domains and block the rest. I don't know if such a proxy exists, probably yes, but it's not in RouterOS. The downside is that you'd have to find all the domains that Facebook needs to work (maybe there's not a lot of them and it could be easy, but I have no idea). But there would still be a risk that some domains may be shared for stuff that you want to allow and other stuff that you don't.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
cieplik206
Trainer
Posts: 286
Joined: Sun Jul 01, 2007 12:25 am

Re: Help: Allow only Facebook by domain

Sat May 04, 2019 7:47 am

> Any idea?
> I tried to block Facebook and allow all,
> but the hard thing is to allow Facebook and block all.

Silly question, but did you allow DNS traffic as well?
https://www.wispcasts.com - Mikrotik Video Tutorials.

The best place where you can improve your skills!

Facebook - F/wispcasts
Twitter - @wispcasts
 
pe1chl
Forum Guru
Posts: 5927
Joined: Mon Jun 08, 2015 12:09 pm

Re: Help: Allow only Facebook by domain

Sat May 04, 2019 10:53 am

> Unfortunately, they don't use only these addresses. Right on the first page I have missing images from scontent.fprg2-1.fna.fbcdn.net, which I guess is some local cache, and the IP address belongs to a different subject.

THAT is the big problem!
A webpage is not a single file that is downloaded from the server pointed to by the domain name you enter.
It is not like your device makes a connection to facebook.com and then receives some big file containing an image of what you see there.
Instead, a webpage consists of many different elements (HTML text, stylesheets, scripts, images, etc.) and only the topmost file comes from the server you visit. All the others can (AND DO) come from different servers, often even things like "Content Delivery Networks" (CDN, as you see in the fbcdn in the name above) that are not necessarily from the same company that serves you the website.

This makes it "very difficult" (or maybe "impossible") to do what the topic starter wants, as I already wrote.
Blocking is similarly difficult, but there you have more chance because you can block a single very important item (like the toplevel HTML file) that makes the entire page unusable, and the user thinks the site is blocked and goes off doing something else. Hopefully.
(But a technically more advanced user will know tricks to fetch the site through other intermediates, like proxies or VPN, to work around that.)
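
Added example (not part of the post above): a small tool that lists the hostnames one page pulls its elements from and reports which of them a domain allowlist would block. The sample page is constructed, `cdn.example.net` is a made-up third-party host, and static parsing does not see resources that scripts request at run time.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; cdn.example.net is a made-up third-party host.
SAMPLE_URL = "https://www.facebook.com/"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="//cdn.example.net/framework.js"></script>
</head><body>
  <img src="https://scontent.fprg2-1.fna.fbcdn.net/photo.jpg">
  <a href="https://other.example.org/">followed only if the user clicks</a>
</body></html>
"""

# Tags whose target is fetched while the page loads, and the attribute holding it.
FETCHED_ON_LOAD = {"script": "src", "img": "src", "link": "href", "iframe": "src"}

class ResourceHosts(HTMLParser):
    """Collect every hostname contacted while rendering one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = {urlsplit(page_url).hostname}

    def handle_starttag(self, tag, attrs):
        wanted = FETCHED_ON_LOAD.get(tag)
        for key, value in attrs:
            if key == wanted and value:
                # urljoin resolves relative and protocol-relative URLs.
                host = urlsplit(urljoin(self.page_url, value)).hostname
                if host:
                    self.hosts.add(host.lower())

def hosts_outside_allowlist(page_url, html, allowed_suffixes):
    """Return the hosts the page needs that the allowlist would block."""
    parser = ResourceHosts(page_url)
    parser.feed(html)
    return sorted(h for h in parser.hosts
                  if not any(h == s or h.endswith("." + s) for s in allowed_suffixes))
```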
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help: Allow only Facebook by domain

Sat May 04, 2019 1:55 pm

If the question was about any other random website, I'd probably jump to "impossible" right away, because a typical website now loads various libraries and frameworks from ten different sources (I very much dislike this approach, but that's another story). I just thought that maybe such a big company as FB, with tons of its own networks, could be hosting all its own stuff there. So it would still break all external stuff possibly linked by users, but at least it could work well enough to be usable.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
sindy
Forum Guru
Posts: 4012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help: Allow only Facebook by domain

Sat May 04, 2019 2:06 pm

> I'm wondering what sindy recommends about that.

I came too late to write anything relevant that @Sob and @pe1chl haven't already written.

If I had to address the same issue, I'd follow @inteq's recommendation to limit bandwidth. Limiting download size is tricky because you can actually only limit the amount of data transferred within a single TCP (or maybe even QUIC) session, but well-written applications reuse each TCP session for several transfers to avoid ephemeral port exhaustion, which is caused by the 2'30" guard time after closing a session before the same socket can be used for a new TCP session to the same destination, and the browsers often annoy the user if they get an unexpected TCP reset.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
