Code:
/ip firewall filter
add chain=forward dst-port=443 protocol=tcp tls-host=*youtube* action=reject src-address=10.10.10.0/24 place-before=0
This rule can only work if placed before the "accept established,related" one, and if fasttracking is disabled. The reason is that the TCP session has already been established when the Client Hello carrying the TLS host name passes through the firewall. And it cannot work for QUIC, as @Jotne has properly mentioned, because QUIC uses UDP as transport and the tls-host matcher only handles TCP. So devices/browsers using QUIC escape that rule.

This rule works fine for me:
Code:
chain=forward action=reject reject-with=icmp-network-unreachable
protocol=tcp log=no log-prefix="" tls-host=*youtube*
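The two points made above, rule ordering and QUIC, as an added Python example (not code from this thread or from MikroTik): a minimal parser for the host_name in a plaintext TLS Client Hello, which is the field a tls-host matcher has to find, plus a simplified model of a filter chain that shows why the rule only bites when it sits before the accept established rule and why a UDP/QUIC packet never reaches it. The Client Hello bytes and the QUIC long-header stub are constructed inline; the rule and packet dictionaries are my own simplification of RouterOS matchers, not its API.

```python
import fnmatch
import ipaddress
import struct
from typing import Optional

TLS_HANDSHAKE, CLIENT_HELLO_TYPE, SNI_EXT = 0x16, 0x01, 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with one SNI extension
    (sample input for the parser; not a capture from a real client)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
    sni = struct.pack("!H", len(entry)) + entry                   # ServerNameList
    ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                  # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                   # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO_TYPE]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


def extract_sni(payload: bytes) -> Optional[str]:
    """Host name from a plaintext TLS ClientHello, or None when the payload is not
    one (a QUIC Initial, for example, carries its ClientHello encrypted)."""
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE or payload[5] != CLIENT_HELLO_TYPE:
        return None
    hs_len = int.from_bytes(payload[6:9], "big")
    hello = payload[9:9 + hs_len]
    if len(hello) != hs_len:
        return None                                           # truncated record
    try:
        p = 2 + 32                                            # skip version and random
        p += 1 + hello[p]                                     # session_id
        p += 2 + struct.unpack_from("!H", hello, p)[0]        # cipher_suites
        p += 1 + hello[p]                                     # compression_methods
        end = min(len(hello), p + 2 + struct.unpack_from("!H", hello, p)[0])
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hello, p)
            data, p = hello[p + 4:p + 4 + elen], p + 4 + elen
            if etype != SNI_EXT or len(data) < 5:
                continue
            q, list_end = 2, min(len(data), 2 + struct.unpack_from("!H", data, 0)[0])
            while q + 3 <= list_end:
                ntype, nlen = data[q], struct.unpack_from("!H", data, q + 1)[0]
                if ntype == 0 and q + 3 + nlen <= list_end:   # NameType host_name
                    return data[q + 3:q + 3 + nlen].decode("ascii", "replace").lower()
                q += 3 + nlen
    except (IndexError, struct.error):
        pass                                                  # malformed: no host name
    return None


def matches(rule: dict, pkt: dict) -> bool:
    """Simplified model of a filter rule: every matcher present must hold."""
    for key in ("proto", "dst_port", "state"):
        if key in rule and pkt[key] != rule[key]:
            return False
    if "src_net" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src_net"]):
        return False
    if "tls_host" in rule:                                    # only meaningful on a plaintext Client Hello
        host = extract_sni(pkt["payload"])
        return host is not None and fnmatch.fnmatchcase(host, rule["tls_host"].lower())
    return True


def evaluate(chain: list, pkt: dict) -> str:
    """First matching rule decides; a RouterOS filter chain accepts when nothing matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"


TLS_REJECT = {"action": "reject", "proto": "tcp", "dst_port": 443,
              "src_net": "10.10.10.0/24", "tls_host": "*youtube*"}
ACCEPT_ESTABLISHED = {"action": "accept", "state": "established"}

# Constructed traffic. The Client Hello rides a connection that the TCP handshake already
# made "established"; the QUIC stub has only a long-header first byte (0xc0), and a real
# Initial's ClientHello is encrypted with keys derived from the connection ID anyway.
CLIENT_HELLO = {"src": "10.10.10.5", "proto": "tcp", "dst_port": 443,
                "state": "established", "payload": build_client_hello("www.YouTube.com")}
QUIC_INITIAL = {"src": "10.10.10.5", "proto": "udp", "dst_port": 443,
                "state": "new", "payload": b"\xc0\x00\x00\x00\x01" + b"\x00" * 40}


def verdict_rule_first() -> str:               # tls-host rule placed before accept established
    return evaluate([TLS_REJECT, ACCEPT_ESTABLISHED], CLIENT_HELLO)

def verdict_rule_after_established() -> str:   # the same rule behind it never sees the Client Hello
    return evaluate([ACCEPT_ESTABLISHED, TLS_REJECT], CLIENT_HELLO)

def verdict_quic() -> str:                     # UDP transport: the tcp-only rule cannot match at all
    return evaluate([TLS_REJECT, ACCEPT_ESTABLISHED], QUIC_INITIAL)


if __name__ == "__main__":
    print(extract_sni(CLIENT_HELLO["payload"]), verdict_rule_first(),
          verdict_rule_after_established(), verdict_quic())
```

Running it prints the extracted host and the three verdicts: reject with the rule in front, accept once accept established comes first, and accept for the QUIC packet. Fasttrack is the same problem one level down: a fasttracked established connection bypasses the filter chain entirely, so the Client Hello is never compared against any rule, which is why the post above says it has to be disabled.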
As I have written before, you can have full control and block stuff by using products like Forcepoint.
To make this work, you need to have full control of the client as well; some of this you can do with company policies.

I'm working on some projects with Palo Alto equipment.
That requires you to break the security of https. Not something you would want to do in the long run, and also not something that will be tolerated by websites forever.
(there are all kinds of efforts to bind the specific certificate in use to a specific website, so the fake cert used by such projects is flagged as untrusted)
The big problem with that is that it trains your muscle memory to always "accept a certificate" because you get that warning over and over again.

There are many companies doing this. Like the one I am working in (it has been like this for 7-8 years). When I click on a certificate of a site, like cnn.com, it does show our company certificate. I do not see any problem with this, since when you work for someone, you should follow the rules they have.