tadpole
newbie
Topic Author
Posts: 47
Joined: Fri May 07, 2010 2:20 pm

Filter Lists

Mon Oct 13, 2014 9:19 am

Hi all,
I have set up a simple filter list to drop access to Facebook, YouTube, etc., using content filtering.
Is it possible to allow an IP or three through these filtering rules?
chain=forward action=drop content=facebook log=no log-prefix=""
Is this an acceptable way of doing this?
 chain=forward action=accept dst-address-list=allowed log=no log-prefix=""
I have tried adding the IP I would like to allow to an address list and moving the filter rule to allow access for the IP higher up in the filter rules list, but I still can't get it right ;/
Did I make a fatal beginner mistake here?

I realised I wasn't thinking correctly with trying to drop p2p connections; instead of marking and trying to route it somewhere, a filter rule should handle it fine.
chain=forward action=drop p2p=all-p2p log=no log-prefix=""
 
rickfrey
Trainer
Posts: 609
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: Filter Lists

Mon Oct 13, 2014 7:27 pm

Can you post your whole firewall?
 
SystemErrorMessage
Member
Posts: 390
Joined: Sat Dec 22, 2012 9:04 pm

Re: Filter Lists

Tue Oct 14, 2014 10:44 am

When configuring the firewall you can exclude an address by adding another field and using '!'. For example, to drop all packets except from 192.168.88.1 you would set the IP in the field to be !192.168.88.1. The '!' means to exclude. If you are using web/WinBox just check the box before the field.
 
tadpole
newbie
Topic Author
Posts: 47
Joined: Fri May 07, 2010 2:20 pm

Re: Filter Lists

Wed Oct 15, 2014 7:33 am

Thank you SystemErrorMessage!!! I didn't know what the "!" was for. I made an address list and added the IP in the list and just added them to the filter rule, but as you said I excluded and voila!

Thank you
 
tadpole
newbie
Topic Author
Posts: 47
Joined: Fri May 07, 2010 2:20 pm

Re: Filter Lists

Wed Oct 15, 2014 4:48 pm

/ip firewall layer7-protocol
add name=rtmp regexp="^\\x03.+\\x14.+\\x02.+\\x07.(connect)\?.+(app)\?"
And
/ip firewall filter
add action=drop chain=forward comment=DropRTMP dst-address-list=!unrestricted \
    in-interface=ether1 layer7-protocol=rtmp src-address-list=!unrestricted
add action=drop chain=forward comment=DropFB content=facebook \
    dst-address-list=!unrestricted src-address-list=!unrestricted
add action=drop chain=forward comment=DropFB content=mnet dst-address-list=\
    !unrestricted src-address-list=!unrestricted
add action=drop chain=forward comment="Drop SuperSport" content=supersport \
    dst-address-list=!unrestricted src-address-list=!unrestricted
add action=drop chain=forward comment="Drop Twitter" content=twitter \
    dst-address-list=!unrestricted src-address-list=!unrestricted
add action=drop chain=forward comment="Drop Youtube" content=youtube \
    dst-address-list=!unrestricted src-address-list=!unrestricted
add action=drop chain=forward comment="Drop Pinterest" content=pinterest \
    dst-address-list=!unrestricted src-address-list=!unrestricted
add action=drop chain=forward comment="Drop DSTv" content=dstv \
    dst-address-list=!unrestricted src-address-list=!unrestricted
add action=drop chain=forward comment="Drop ECR" content=ecr \
    dst-address-list=!unrestricted src-address-list=!unrestricted
add action=drop chain=forward comment=DropUkhozi content=ukhozi \
    dst-address-list=!unrestricted src-address-list=!unrestricted
add action=drop chain=forward comment=Drop5fm content=5fm dst-address-list=\
    !unrestricted src-address-list=!unrestricted
add action=drop chain=forward comment="Drop p2p" p2p=all-p2p
That's what I am using and it seems to work pretty well ;)
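
Added example (not part of any post in this thread, and not MikroTik code): a small Python model of top-down, first-match rule evaluation in the forward chain. It shows why the accept rule on dst-address-list from the first post does not pass an allowed client's outbound request, while the negated src/dst matchers from the final config do. The addresses, list contents and simplified packet model are constructed for illustration.

```python
# Simplified model of filter-rule evaluation (assumptions: rules are checked
# top-down, all matchers in a rule are ANDed, the first matching rule decides,
# and a packet that matches no rule is accepted).
# All addresses and packets below are constructed sample data.

ADDRESS_LISTS = {
    "allowed": {"192.168.88.10"},
    "unrestricted": {"192.168.88.10"},
}

def match_list(spec, addr):
    """Evaluate an address-list matcher; a leading '!' negates it."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    hit = addr in ADDRESS_LISTS.get(spec.lstrip("!"), set())
    return not hit if negate else hit

def evaluate(rules, pkt):
    """Return the action of the first rule whose matchers all match."""
    for r in rules:
        if (match_list(r.get("src-address-list"), pkt["src"])
                and match_list(r.get("dst-address-list"), pkt["dst"])
                and r.get("content", "") in pkt["payload"]):
            return r["action"]
    return "accept"

# First post: accept on dst-address-list placed above the content drop.
FIRST_ATTEMPT = [
    {"action": "accept", "dst-address-list": "allowed"},
    {"action": "drop", "content": "facebook"},
]

# Final post: one drop rule with both address-list matchers negated.
NEGATED = [
    {"action": "drop", "content": "facebook",
     "src-address-list": "!unrestricted", "dst-address-list": "!unrestricted"},
]

SITE = "203.0.113.5"  # documentation-range placeholder for the remote server
request_allowed = {"src": "192.168.88.10", "dst": SITE, "payload": "Host: facebook.com"}
reply_allowed = {"src": SITE, "dst": "192.168.88.10", "payload": "facebook"}
request_other = {"src": "192.168.88.20", "dst": SITE, "payload": "Host: facebook.com"}

if __name__ == "__main__":
    for name, pkt in [("allowed request", request_allowed),
                      ("allowed reply", reply_allowed),
                      ("other request", request_other)]:
        print(name, evaluate(FIRST_ATTEMPT, pkt), evaluate(NEGATED, pkt))
```

In the first rule set only the reply direction matches the accept rule, so the allowed client's request still reaches the content drop; with both matchers negated, the drop rule is skipped whenever either end of the connection is in the list.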