Firewall Filter Restriction
Hi, i block facebook on firewall layer7 protocol "^.+(facebook.com).*$"; but firewall block "facebook.com" from my personal domain page, even i cant send mail to abc.user@facebook.com from my webmail. please help...
Re: Firewall Filter Restriction
Yes, this is why L7 rules are not meant for webpage blocking.
Re: Firewall Filter Restriction
so... how can i block https?Yes, this is why L7 rules are not meant for webpage blocking.
Re: Firewall Filter Restriction
Hi,
would you be kind enough to elaborate what do you want to achieve ?
kind regards,
would you be kind enough to elaborate what do you want to achieve ?
kind regards,
Re: Firewall Filter Restriction
He wants to block HTTPS Facebook. I suggest blocking by DNS name.
Re: Firewall Filter Restriction
Create a DNS name like:
Or to an IP with web server and block page.
It's a solution instead of layer 7, like normis said.
Sent from my XT1225 using Tapatalk
Code: Select all
/ip dns static add name=www.facebook.com address=127.0.0.1It's a solution instead of layer 7, like normis said.
Sent from my XT1225 using Tapatalk
Re: Firewall Filter Restriction
OK, I create DNS name, but how to block facebook.com? can I need firewall rule?, if so how to make firewall rules. pl details............Create a DNS name like:Or to an IP with web server and block page.Code: Select all/ip dns static add name=www.facebook.com address=127.0.0.1
It's a solution instead of layer 7, like normis said.
Sent from my XT1225 using Tapatalk
Re: Firewall Filter Restriction
The only way to block facebook.com, block on BGP the prefix with AS32934...
Re: Firewall Filter Restriction
No you can't: can be used one proxy like 2.3.4.5 on brasil for access!The only way to block facebook.com, block on BGP the prefix with AS32934...
Re: Firewall Filter Restriction
No, you can not use one proxy for HTTPS pages! Facebook is near all httpsNo you can't: can be used one proxy like 2.3.4.5 on brasil for access!The only way to block facebook.com, block on BGP the prefix with AS32934...
Re: Firewall Filter Restriction
Ok, I'm not mad, is how usually this type of tread go..... 
Re: Firewall Filter Restriction
If you need block facebook "for dummies" block both facebook.com and http://www.facebook.com and other variants.....
But the user can still change the DNS on the machine,
also some programs change the DNS arbitrally.........
you must force on the NAT the routerboard to be the DNS server,
but you go fastly under DNS DDoS or similar, you need to protect routerboard DNS form "WAN" or you connection go out of service after 5mins....
But the user can still change the DNS on the machine,
also some programs change the DNS arbitrally.........
you must force on the NAT the routerboard to be the DNS server,
but you go fastly under DNS DDoS or similar, you need to protect routerboard DNS form "WAN" or you connection go out of service after 5mins....
Re: Firewall Filter Restriction
OK, I create DNS name, but how to block facebook.com? can I need firewall rule?, if so how to make firewall rules. pl details............Create a DNS name like:Or to an IP with web server and block page.Code: Select all/ip dns static add name=www.facebook.com address=127.0.0.1
It's a solution instead of layer 7, like normis said.
Sent from my XT1225 using Tapatalk
Code: Select all
/ip firewall nat add chain=dst-nat protocol=udp dst-port=53 in-interface=$YOUR_LAN action=redirect to-ports=53Code: Select all
/ip firewall nat add chain=dst-nat protocol=udp dst-port=53 in-interface=$YOUR_LAN action=redirect to-ports=53 src-address-list=!no-blockProtect your routerboard from attacks in UDP/53 port on WAN!
Re: Firewall Filter Restriction
For protect:
Code: Select all
/interface list
add name=internet comment="List of WAN"
/interface list member
add interface=ether1 list=internet comment="WAN 1"
add interface=ether2 list=internet comment="WAN 2"
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface-list=internet protocol=tcp connection-state=new comment="TCP DNS Protection"
add action=drop chain=input dst-port=53 in-interface-list=internet protocol=udp connection-state=new comment="UDP DNS Protection"
add action=drop chain=forward dst-address-list=internal_public_IP dst-port=53 protocol=tcp in-interface-list=internet connection-state=new comment="Other Public IP protection used inside LAN"
add action=drop chain=forward dst-address-list=internal_public_IP dst-port=53 protocol=udp in-interface-list=internet connection-state=new
/ip firewall nat
add action=dst-nat chain=dstnat dst-addresses=!192.168.88.1 src-address-list=!do_not_redirect_DNS dst-address-list=!do_not_block_this_DNS dst-port=53 protocol=tcp to-addresses=192.168.88.1 to-ports=53 comment="DNS Redirect"
add action=dst-nat chain=dstnat dst-addresses=!192.168.88.1 src-address-list=!do_not_redirect_DNS dst-address-list=!do_not_block_this_DNS dst-port=53 protocol=udp to-addresses=192.168.88.1 to-ports=53
/ip firewall address-list
add address=192.175.48.1 comment=prisoner.iana.org list=do_not_block_this_DNS
add address=192.175.48.6 comment=blackhole-1.iana.org list=do_not_block_this_DNS
add address=192.175.48.42 comment=blackhole-2.iana.org list=do_not_block_this_DNS
add address=192.168.88.1 comment=Router list=do_not_redirect_DNS
Re: Firewall Filter Restriction
Hi, I did this redirecting facebook requests to my web server 192.168.0.3 (IIS)Create a DNS name like:Or to an IP with web server and block page.Code: Select all/ip dns static add name=www.facebook.com address=127.0.0.1
It's a solution instead of layer 7, like normis said.
Sent from my XT1225 using Tapatalk
With IE all fine as when you write http://www.facebook.com it requests http://www.facebook.com and shows my warning webpage hosted in my webserver
but in chrome it redirects to https://www.facebook.com and there it shows an error (page cannot be displayed)
Same with http://www.youtube.com and https://www.youtube.com for instance
How can I make Routeros to always redirect to http and not https so that everytime a client asks for facebook.com from any browser it shows my warning webpage?
Re: Firewall Filter Restriction
using regexp instead ?
Code: Select all
/ip dns static add regexp=.facebook.com address=127.0.0.1Who is online
Users browsing this forum: vomus and 48 guests