b2k
just joined
Topic Author
Posts: 24
Joined: Tue Nov 24, 2009 7:09 am

how to block https for facebook.com

Mon Sep 06, 2010 12:00 pm

Hi all, I want to block https://www.facebook.com.
How can I block that?


thanks
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how to block https for facebook.com

Mon Sep 06, 2010 12:01 pm

you must use transparent proxy, then you can block sites by host name

http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy
 
b2k
just joined
Topic Author
Posts: 24
Joined: Tue Nov 24, 2009 7:09 am

Re: how to block https for facebook.com

Mon Sep 06, 2010 12:39 pm

> you must use transparent proxy, then you can block sites by host name
>
> http://wiki.mikrotik.com/wiki/How_to_Bl ... sing_Proxy

I am already using the proxy on MikroTik. I can block http://www.facebook.com, but I cannot block https://www.facebook.com.
I want to block https.

need help bro..?
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how to block https for facebook.com

Mon Sep 06, 2010 12:40 pm

proxy doesn't work with HTTPS sites, you need to find out the IP addresses that Facebook uses and block them with the firewall.


This should be a start:

C:\Users\Normis>nslookup facebook.com

Non-authoritative answer:
Name:    facebook.com
Addresses:  69.63.189.16
          69.63.181.11
          69.63.181.12
          69.63.189.11

 
b2k
just joined
Topic Author
Posts: 24
Joined: Tue Nov 24, 2009 7:09 am

Re: how to block https for facebook.com

Mon Sep 06, 2010 12:47 pm

> proxy doesn't work with HTTPS sites, you need to find out the IP addresses that Facebook uses and block them with the firewall.
>
> This should be a start:
>
> C:\Users\Normis>nslookup facebook.com
>
> Non-authoritative answer:
> Name:    facebook.com
> Addresses:  69.63.189.16
>           69.63.181.11
>           69.63.181.12
>           69.63.189.11

So, you mean I must block the Facebook IPs, right?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: how to block https for facebook.com

Mon Sep 06, 2010 1:01 pm

Yes, those four IPs. Block port 443 for https.
 
b2k
just joined
Topic Author
Posts: 24
Joined: Tue Nov 24, 2009 7:09 am

Re: how to block https for facebook.com

Tue Sep 07, 2010 6:02 am

> Yes, those four ips. Block port 443 for https.

Can you show me how to block using the command line, please?

thanks
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: how to block https for facebook.com

Tue Sep 07, 2010 6:54 am

/ip firewall filter add chain=forward action=drop dst-address=a.b.c.d
Refer to the manual for details
 
b2k
just joined
Topic Author
Posts: 24
Joined: Tue Nov 24, 2009 7:09 am

Re: how to block https for facebook.com

Tue Sep 07, 2010 8:48 am

> /ip firewall filter add chain=forward action=drop dst-address=a.b.c.d
> Refer to the manual for details

Thanks bro, I have already blocked my Facebook.
 
rgodoy
just joined
Posts: 14
Joined: Thu Sep 16, 2010 8:31 pm

Re: how to block https for facebook.com

Wed Sep 22, 2010 10:05 pm

So, it makes no sense to use the web proxy, but a firewall filter rule instead for any "facebook" browsing right? I didn't try it, but I guess that blocking those 4 IPs is enough...

One little question about transparent proxy. I have it running, but when I check web proxy status out, "cache used" is always 0 KiB. What could be going on?
 
netrat
Member
Posts: 402
Joined: Thu Jun 07, 2007 1:16 pm
Location: Virginia

Re: how to block https for facebook.com

Wed Sep 22, 2010 11:24 pm

You need to set up a store for the webproxy to use.
 
rgodoy
just joined
Posts: 14
Joined: Thu Sep 16, 2010 8:31 pm

Re: how to block https for facebook.com

Thu Sep 23, 2010 3:47 pm

I have rOS v. 3.30. Web-proxy1 store is already activated.

I guess news sites should not be cached, but, an institutional site with almost static contents I guess it should!

Any other suggestions? This is my config:
                 enabled: yes
             src-address: 0.0.0.0
                    port: 3128
            parent-proxy: 0.0.0.0
       parent-proxy-port: 0
     cache-administrator: "webmaster"
          max-cache-size: none
           cache-on-disk: yes
  max-client-connections: 1000
  max-server-connections: 1000
          max-fresh-time: 3d
   serialize-connections: no
       always-from-cache: no
          cache-hit-dscp: 4
             cache-drive: primary-master
 
inibir
Member Candidate
Posts: 116
Joined: Thu Nov 25, 2010 2:25 pm
Location: lebanon

Re: how to block https for facebook.com

Fri May 04, 2012 10:44 pm

Is there any way to convert https to http on Facebook?
 
c0d3rSh3ll
Long time Member
Posts: 557
Joined: Mon Jul 25, 2011 9:42 pm
Location: [admin@Chile] >

Re: how to block https for facebook.com

Sat May 05, 2012 10:44 pm

/ip firewall filter
add action=drop chain=forward comment="block facebook https" content=facebook disabled=no dst-port=443 protocol=tcp

block facebook https
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Re: how to block https for facebook.com

Sat May 05, 2012 10:59 pm

> /ip firewall filter
> add action=drop chain=forward comment="block facebook https" content=facebook disabled=no dst-port=443 protocol=tcp
>
> block facebook https

And unfortunately every https website that might have the term facebook. This will provide many false positives.
 
deejaylight
just joined
Posts: 3
Joined: Mon Dec 19, 2011 12:38 pm

Re: how to block https for facebook.com

Tue Oct 09, 2012 10:05 am

> /ip firewall filter
> add action=drop chain=forward comment="block facebook https" content=facebook disabled=no dst-port=443 protocol=tcp

I don't know why but this solution is not working for me.

I know that https traffic is encrypted, should MikroTik decrypt this traffic and see the content facebook?
I have also tried to block Facebook IPs, but now this site has a lot of servers and IPs, it always finds another way to connect.

I was thinking about redirecting from the DNS query, I mean if LAN PCs are requesting Facebook, to forward a local IP address to them through the DNS response.
But I'm not sure how to do that.
I will appreciate your help.
Thanks!
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: how to block https for facebook.com

Tue Oct 09, 2012 3:56 pm

> I know that https traffic is encrypted, should mikrotik decrypt this traffic and see the content facebook?

That's the whole point of encryption, nobody on the way can decrypt it. :) If it was possible, it would be useless.

> I was thinking about redirecting from DNS query, I mean if lan pc's requesting facebook to froward a local IP address to them, trough DNS response.

If your users are using your DNS server, you can add:
/ip dns static
add address=192.0.2.1 name=www.facebook.com
add address=2001:db8::1 name=www.facebook.com
If they don't, you can force them by redirecting their DNS packets (port 53) to your server (currently possible only for IPv4, the IPv6 ones you can only drop, that's probably safe for now). Not exactly a nice thing to do, but it works.

But be prepared that even slightly advanced users know about the hosts file and will get around this kind of blocking quite easily.
 
kirshteins
MikroTik Support
Posts: 592
Joined: Tue Dec 02, 2008 10:55 am

Re: how to block https for facebook.com

Tue Oct 09, 2012 4:02 pm

Simply try blocking 443/TCP to
66.220.144.0-66.220.159.255
69.63.176.0-69.63.191.255
204.15.20.0-204.15.23.255
IP addresses
 
saintofinternet
Forum Veteran
Posts: 768
Joined: Thu Oct 15, 2009 3:52 am

Re: how to block https for facebook.com

Tue Aug 27, 2013 8:54 am

is there still no solution for the "https" facebook block from the latest version of ROS ???
 
alex_rhys-hurn
Member
Posts: 352
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: how to block https for facebook.com

Wed Aug 28, 2013 1:26 am

The way we do this is to use a layer 7 regular expression to block any url with facebook in it.

First make layer 7 protocol with this as the value:

^.*(facebook).*$

Then make a firewall rule to drop that layer 7 protocol.

This can be very harsh and even prevent you resolving and pinging facebook as well as browsing by http and https. So think carefully about your rule.

Effectively what this regex is doing is matching any fqdn and url with facebook in it.

We often then put this rule on a script which enables Facebook outside of office hours and disables Facebook during office hours.

I hope that helps.
 
alex_rhys-hurn
Member
Posts: 352
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: how to block https for facebook.com

Wed Aug 28, 2013 1:29 am

Wow. Really old thread. Sorry i posted.....
 
saintofinternet
Forum Veteran
Posts: 768
Joined: Thu Oct 15, 2009 3:52 am

Re: how to block https for facebook.com

Wed Aug 28, 2013 4:57 am

hey thanks for the reply... but i am really wondering how come routeros firewall does not have a simple "https" blocking feature for its firewall which almost every other firewall in the market is giving.

why is it so tedious to block https facebook from routeros?
 
alex_rhys-hurn
Member
Posts: 352
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: how to block https for facebook.com

Wed Aug 28, 2013 11:18 am

Hello,

I think you may be confusing the term "firewall" with "UTM" or Unified Threat Management.

Mikrotik is not a UTM platform. For that you need to look at Checkpoint UTM, Untangle or the like.

Personally I don't think that making a layer7 protocol and firewall rule is difficult or tedious. Actually I can do it faster on a Mikrotik than on a Cisco ASA.

Alex
 
alex_rhys-hurn
Member
Posts: 352
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: how to block https for facebook.com

Wed Aug 28, 2013 11:52 am

So, to show how easy it really is, here is the setup in full:

First the Layer 7 Protocol:
/ip firewall layer7-protocol add name=Facebook_URL regexp="^.*(facebook).*\$"

Then the Firewall Rule:
/ip firewall filter add chain=forward action=drop comment="Block Facebook" layer7-protocol=Facebook_URL

That will block all and any layer7 traffic to any domain that has facebook in it before the TLD.

Change the firewall filter rule to suit exactly what you want to block.

As I said before, these days simply blocking HTTPS Facebook is not enough. Many of my clients want to allow Facebook but block certain parts of it such as games and apps. For this you need UTM.

Alex
 
saintofinternet
Forum Veteran
Posts: 768
Joined: Thu Oct 15, 2009 3:52 am

Re: how to block https for facebook.com

Thu Aug 29, 2013 5:24 am

with the power of RouterOS i am sure Mikrotik hardware can be made into a UTM....

but how and how?? is the question.

let's leave it for Normis to answer :-)

Long Live Mikrotik!!!
 
Bitto
Frequent Visitor
Posts: 94
Joined: Wed May 02, 2012 10:15 am

Re: how to block https for facebook.com

Wed Nov 13, 2013 2:27 pm

So there is no answer from Normis yet?
 
saintofinternet
Forum Veteran
Posts: 768
Joined: Thu Oct 15, 2009 3:52 am

Re: how to block https for facebook.com

Thu Nov 14, 2013 4:46 am

Normis will... he is the GOD of Mikrotik... and GOD take their time to reply to their devotees... keep faith in Normis and Mikrotik :-)
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how to block https for facebook.com

Thu Nov 14, 2013 1:12 pm

I am not sure this is possible. HTTPS is encrypted for a reason.
 
shiny
just joined
Posts: 14
Joined: Tue Feb 19, 2013 3:19 pm

Re: how to block https for facebook.com

Thu Nov 14, 2013 1:59 pm

It is pretty easy actually :

DO NOT use transparent proxy. If you setup the proxy in your web browser, you can deny/allow any http or https traffic. This is not possible with transparent proxy.
Yes you will have to MAKE your customers use the proxy :)
 
rusly
just joined
Posts: 2
Joined: Sat Mar 01, 2014 9:12 am

Re: how to block https for facebook.com

Sat Mar 01, 2014 9:27 am

I hope this can help

add action=drop chain=forward comment=Youtube content=www.youtube.com disabled=no dst-port=80,443 protocol=tcp src-address=192.168.10.100-192.168.10.200

I succeeded with that setting to drop http and https YouTube.
If you want to block Facebook, you just change content=www.facebook.com
src-address=(give with your target network address range)

If there is any mistake or question, just reply to this message.

best regards
rusly12
if you want to discus just send message to ruslyali@yahoo.com
 
rusly
just joined
Posts: 2
Joined: Sat Mar 01, 2014 9:12 am

Re: how to block https for facebook.com

Sat Mar 01, 2014 9:31 am

I have tried with IP addresses on the firewall.
I input many IPs but the filter didn't work yet,

so I tried to configure with that setting on my MikroTik.
 
zarvan
just joined
Posts: 2
Joined: Fri Jul 04, 2014 1:15 pm

Re: how to block https for facebook.com

Fri Jul 04, 2014 1:20 pm

 
jorgito
Trainer
Posts: 8
Joined: Thu Apr 07, 2011 8:30 pm

Re: how to block https for facebook.com

Wed Aug 06, 2014 2:29 am

Hi Guys,
just wanted to make a little contribution about HTTPS blocking.
Nowadays, you have two ways of blocking traffic in HTTPS:

- Man in the middle attack and see HTTPS traffic as clear.

- Alternate ways of detecting, or maybe guessing is a better term, what a user is doing.

I'd like to talk about the second one.

Why does the MK's L7 filter work on HTTPS if the traffic is encrypted? If all the traffic passes through the MK, maybe you are actually filtering the DNS query (you can do this or something similar like that last great link about adding to address lists all DNS queries that contain facebook).

But what if the DNS traffic doesn't pass through my MK router? Well, if it works, it's because a TLS extension used nowadays called SNI (http://es.wikipedia.org/wiki/Server_Name_Indication) is matching our L7 filter. This is THE WAY to block HTTPS by URL. It's great and doesn't make false positives, because you can't block a google search that says "who is the owner of facebook.com", because that traffic is already encrypted, and you just block the domain name that the user connected to.
Some big name UTM manufacturers use this to block HTTPS.

But what about blocking FarmVille inside Facebook? You just need a couple of pcap captures to see it, you can guess what a user is doing by looking at its traffic, not the encrypted part, but all headers. All applications have behavior profiles that can be guessed with good confidence, and at the end of the day (not a day actually, this takes a LOT of time to do and maintain....:-) ) have a happy HTTPS firewall.......and have LOTS OF FUN TOO!!!!

Well, just wanted to make this little contribution. If anyone wants any of these topics explained further, just ask.

Best regards!

Jorge.
 
CyberTod
Long time Member
Posts: 510
Joined: Wed Jan 25, 2012 10:23 am

Re: how to block https for facebook.com

Wed Aug 06, 2014 10:55 am

The initial GET/POST query from client to server is not encrypted even in https so this works like a charm :
/ip firewall filter add action=reject chain=forward comment="drop facebook" content=facebook.com dst-port=80,443 protocol=tcp reject-with=icmp-admin-prohibited
Working flawlessly in a client's corporate network.
