morteza87
just joined
Topic Author
Posts: 5
Joined: Sun Feb 16, 2020 8:07 am

problem exclude some ip from firewall block rule

Mon Sep 07, 2020 10:49 am

Hi,
I want to exclude some IP addresses from a rule that blocks Yahoo Mail. Here is what I did:

chain=forward action=accept src-address-list=IT content=mail.yahoo log=no log-prefix=""
chain=forward action=accept src-address-list=IT content=login.yahoo log=no log-prefix=""
chain=forward action=drop content=mail.yahoo log=no log-prefix=""
chain=forward action=drop content=login.yahoo log=no log-prefix=""

The rule order is as I mentioned here, but no success. I also added a rule to accept my MAC address first, but it does not work either.
Any suggestion is welcome, and thank you in advance!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: problem exclude some ip from firewall block rule

Wed May 12, 2021 10:27 am

You cannot see "contents" inside an HTTPS connection.
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: problem exclude some ip from firewall block rule

Wed May 12, 2021 12:19 pm

/ip firewall filter add action=accept chain=forward dst-port=443 protocol=tcp tls-host=*.yahoo.com,yahoo.com src-address-list=IT
/ip firewall filter add action=reject chain=forward dst-port=443 protocol=tcp reject-with=icmp-admin-prohibited tls-host=*.yahoo.com,yahoo.com

You may also want to block QUIC altogether, so people can't bypass these rules when using Chrome-based browsers:
/ip firewall filter add action=reject chain=forward dst-port=80,443 protocol=udp reject-with=icmp-admin-prohibited

Also keep in mind that when you install these rules, if there's already a session in connection tracking, you can still access Yahoo until the session times out or you remove it manually.
 
morteza87
just joined
Topic Author
Posts: 5
Joined: Sun Feb 16, 2020 8:07 am

Re: problem exclude some ip from firewall block rule

Wed May 12, 2021 3:03 pm

Thank you for your response, and sorry I missed the topic.
I put the rules in as you mentioned, but no success! Yahoo opens for all!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: problem exclude some ip from firewall block rule

Wed May 12, 2021 3:13 pm

Do not waste your time trying to detect HTTPS connections; it's impossible from the URL, content or DNS side
(tls-host stops working with TLS 1.3+).
Read the pools from the AS number on arin.net / ripe.net and put them in one address list, like Facebook for me.

Set the first firewall raw (not filter, but the RAW section) rule to drop all prerouting from the Facebook list, and the second rule to drop all prerouting to the Facebook list.

https://bgp.he.net/AS32934#_prefixes

Windows Update sites:
https://docs.microsoft.com/en-us/window ... e-editions

Telemetry (YES...) IP:


Windows Update IP:
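
An added example, not part of the thread or written by any of its posters: a Python helper that turns a per-AS prefix dump into a collapsed RouterOS address list plus raw prerouting rules, with the exempt list placed ahead of the drop as the original question asks. The sample prefixes are constructed from RFC 5737 documentation ranges, and the list name `blocked_as` is a hypothetical placeholder; `IT` is the exempt list named in the first post.

```python
import ipaddress

# Constructed sample input (RFC 5737 documentation ranges) standing in for
# the prefixes announced by one AS; these are not values from the thread.
SAMPLE_PREFIXES = """
198.51.100.0/24
198.51.100.0/25      # already covered by the /24 above
198.51.100.128/25
203.0.113.0/25       # two adjacent halves that merge into one /24
203.0.113.128/25
192.0.2.16/28
192.0.2.16/28        # exact duplicate
not-a-prefix
"""

def parse_prefixes(text):
    """Return (networks, rejected) from one-prefix-per-line text."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line))  # strict: host bits must be 0
        except ValueError:
            rejected.append(line)
    return nets, rejected

def build_config(text, block_list="blocked_as", exempt_list="IT"):
    """Collapse IPv4 prefixes and emit address-list entries plus raw rules."""
    nets, rejected = parse_prefixes(text)
    # collapse_addresses() cannot mix IP versions, so only IPv4 is handled here.
    merged = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    lines = ["/ip firewall address-list"]
    lines += [f"add address={n} list={block_list}" for n in merged]
    lines += [
        "/ip firewall raw",
        # Rules are evaluated top to bottom: the exemption must precede the drop.
        f"add chain=prerouting action=accept src-address-list={exempt_list}"
        f" dst-address-list={block_list}",
        # Only the outbound direction is emitted: a drop on src-address-list
        # would also hit replies to the exempt hosts.
        f"add chain=prerouting action=drop dst-address-list={block_list}",
    ]
    return lines, rejected

if __name__ == "__main__":
    config, rejected = build_config(SAMPLE_PREFIXES)
    print("\n".join(config))
    print("# rejected input lines:", rejected)
```

Collapsing matters because AS prefix dumps usually list both aggregates and their more-specific subnets, so the raw list carries many entries that match nothing new.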
