gtrappmann
Frequent Visitor
Topic Author
Posts: 67
Joined: Fri Nov 03, 2006 7:42 am
Location: germany

block porn sites via firewall?

Tue May 01, 2007 9:00 am

Hi,

Can I block global words like "porn" or others via the firewall?
I don't want customers getting stuff like this over the hotspot.

Kind regards,

Gerd
 
cmacneill
Member Candidate
Posts: 293
Joined: Sun Apr 01, 2007 10:51 pm
Location: Christchurch, New Zealand

Tue May 01, 2007 4:34 pm

Have a look at http://www.scrubit.com; this site provides a public DNS service where malicious and porn sites are automatically blocked.

This doesn't stop someone going to a site if they know the IP address, but it makes it much more difficult to find out the IP address in the first place.

Enter these servers in your DHCP server and also add redirection rules for port 53 to ensure anyone trying to enter static DNS addresses is caught.

You can then add specific rules if there are certain individuals that want uncensored Internet access.


Regards

Chris Macneill
 
ptsip
newbie
Posts: 43
Joined: Fri Jan 20, 2006 7:17 pm

Wed May 02, 2007 5:15 pm

For me, please do not burden your router with a large address list for porn sites; it will make your MikroTik RouterOS slow. Use another solution, like the one from http://www.iss.net or similar solutions.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Thu May 03, 2007 3:13 pm

Better do that using the proxy.

Also, this IP list will be quite efficient.
 
csickles
Forum Guru
Posts: 1255
Joined: Fri May 28, 2004 8:46 pm
Location: Phoenix, AZ

Thu May 03, 2007 7:56 pm

ScrubIT does not work with the MT proxy for some reason (yet).
My guess is a timeout issue, or possibly a non-standard return.

A "coolness" would be the ability to look at the destination address, do a reverse lookup via ScrubIT (as well as the standard forward lookup), and if the address comes back as a blocked site, then add it to a blocked address list.

I would guess that would get us to about 85-90 percent of the CRA9 out of the net.

Craig
 
maroon
Member Candidate
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Fri May 04, 2007 5:37 pm

[quote]redirection rules for port 53[/quote]

What if I have like 1000 clients and their PCs are configured with static IP, GW and DNS?

How do I redirect their DNS requests to a specific DNS server (ScrubIT) or any other DNS server (cache-only DNS server)? Hope you got my point.

Another problem is that the built-in DNS cache on MikroTik is filled up a few hours after flushing the cache. So I need a rule to forward/redirect any DNS request to a separate cache-only server (BIND or dnsmasq).

Which one do you prefer as a cache-only server for DNS requests, dnsmasq or BIND9?

Your help is highly appreciated.
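The DNS forcing cmacneill recommends (hand the filtering resolvers out via DHCP, redirect port 53 so statically configured clients are caught too, exempt the few users who want unfiltered access) and the question above about 1000 clients with static DNS settings both come down to the same dstnat rules. The following is an added RouterOS example, not configuration from either post. The LAN range 10.0.0.0/24, the interface name bridge-lan, the exempt client 10.0.0.50 and the resolver addresses 203.0.113.53/54 are placeholders; substitute the addresses of ScrubIT, OpenDNS, or your own BIND/dnsmasq cache.

```routeros
# Added example (not from the thread). Assumptions: LAN is 10.0.0.0/24 on
# interface "bridge-lan"; 203.0.113.53 and 203.0.113.54 stand in for the
# filtering (or cache-only) resolvers you actually use.

# 1. Hand the chosen resolvers out via DHCP for clients that honour it.
/ip dhcp-server network
set [find address="10.0.0.0/24"] dns-server=203.0.113.53,203.0.113.54

# 2. The "certain individuals" who keep unfiltered DNS go on a list.
/ip firewall address-list
add list=dns-unfiltered address=10.0.0.50 comment="example exempt client"

# 3. dstnat is evaluated top to bottom: exemptions first (action=accept
#    stops NAT processing for that packet), then rewrite every other DNS
#    query from the LAN to the chosen resolver, whatever the client has
#    configured. Rewrite both UDP and TCP 53; TCP carries large answers.
/ip firewall nat
add chain=dstnat src-address-list=dns-unfiltered protocol=udp dst-port=53 \
    action=accept comment="exempt: keep their own resolver"
add chain=dstnat src-address-list=dns-unfiltered protocol=tcp dst-port=53 \
    action=accept
add chain=dstnat src-address=10.0.0.0/24 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=203.0.113.53 comment="force filtering DNS"
add chain=dstnat src-address=10.0.0.0/24 protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=203.0.113.53

# 4. After clients have renewed their leases, confirm the rules are hit.
/ip firewall nat print stats where chain=dstnat dst-port=53
```

Points to check before relying on this: the rewrite only changes where queries go, so a client that already knows a site's IP, or one that tunnels its DNS over another port, is not affected (as cmacneill notes); the dns-unfiltered list is effectively a bypass, so keep it short and review it; and if the target is a cache-only box on your own LAN rather than an external service, the same rules work with its address in to-addresses, which also answers the question about moving caching off the router.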
 
skynoc
Member Candidate
Posts: 140
Joined: Wed Jul 07, 2004 10:20 pm

Wed May 16, 2007 8:40 am

Hi gtrappmann,
I did block the known words like sex, porn, lesbian etc., but this can affect many other things, so I decided to block sites. Now I have a list of 600 blocked sites and spyware; if you are interested, give me your email to send it to you.

Sorry for the bad words.

Regards
 
Ghassan
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Fri May 18, 2007 2:08 am

First, you cannot block porn sites using many words, because we suffered a lot from using these rules. The best idea is to make a block list for IPs or for domains and subdomains using the web proxy, but what if we have many rules, more than 3000? Then we are out of memory/CPU... So the best solution that I can get is to try ScrubIT.

Also, we had to force users to use our DNS servers and make sure that users are not putting new proxies outside...

Finally, I agree with csickles's answer.

Ghassan
Last edited by Ghassan on Fri May 18, 2007 2:19 am, edited 1 time in total.
 
Ghassan
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Fri May 18, 2007 2:18 am

Dnsmasq is especially suited for small networks that share a single Internet connection, behind a NAT firewall.

You probably wouldn't want to use it to power an ISP, but then this article isn't aimed at gigantic mondo users with complex needs anyway: Think branch office.

For BIND, the only reason I know why to use BIND at the moment is because I know it can handle its own names (e.g. ns1.mydomain, mail.mydomain, www etc.).

I also know that dnsmasq handles DHCP as well, but it won't do the above names.

We found a better solution for MT DNS, but I prefer to use ScrubIT :wink:


Ghassan
 
macgaiver
Forum Guru
Posts: 1768
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Fri May 18, 2007 10:12 am

MikroTik RouterOS transparent web proxy without caching.

The only thing that's necessary is to create an access list and drop all sites with typical words in them. You will need to adjust the list for some time, but it works like a charm.
 
Ghassan
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Fri May 18, 2007 11:32 am

[quote]MikroTik RouterOS transparent web proxy without caching.

The only thing that's necessary is to create an access list and drop all sites with typical words in them. You will need to adjust the list for some time, but it works like a charm.[/quote]

Do you mean that we create the access list at the web proxy, or from address lists?
 
macgaiver
Forum Guru
Posts: 1768
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Fri May 18, 2007 1:42 pm

[quote]MikroTik RouterOS transparent web proxy without caching.

The only thing that's necessary is to create an access list and drop all sites with typical words in them. You will need to adjust the list for some time, but it works like a charm.

Do you mean that we create the access list at the web proxy, or from address lists?[/quote]

Access list at the web proxy.

Just create a rule to drop any address with xxx in it (path=*xxx*), and then even a Google search for xxx will not work.
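What macgaiver describes, as an added RouterOS example and not his own configuration: a transparent proxy with caching off, an access list that denies on a hostname pattern and on a path keyword, the dstnat redirect that feeds LAN HTTP into it, and the input filter that keeps the proxy port off the Internet. It assumes RouterOS 3.x or later (the /ip proxy tree; on 2.9 the tree is /ip web-proxy and the match field is url=), LAN 10.0.0.0/24 on bridge-lan, WAN on ether1, and a block page at 10.0.0.2/blocked.html; the hostname example-blocked.test is a constructed entry.

```routeros
# Added example (not macgaiver's config). Assumptions: RouterOS 3.x+,
# LAN 10.0.0.0/24 on "bridge-lan", WAN "ether1", proxy on 8080,
# block page served at 10.0.0.2/blocked.html.

# Transparent proxy with caching turned off, as the post suggests.
/ip proxy
set enabled=yes port=8080 max-cache-size=none cache-on-disk=no

# Access list: evaluated top to bottom, first match wins. A dst-host
# pattern hits one site and its subdomains; a path keyword hits every URL
# containing the word, including search queries, which is the
# false-positive problem raised later in this thread.
/ip proxy access
add dst-host=*.example-blocked.test action=deny \
    redirect-to=10.0.0.2/blocked.html comment="one domain, all subdomains"
add path=*xxx* action=deny redirect-to=10.0.0.2/blocked.html \
    comment="keyword: also blocks a Google search for xxx"
add action=allow comment="everything else"

# Feed LAN HTTP into the proxy without touching client settings.
/ip firewall nat
add chain=dstnat in-interface=bridge-lan protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy"

# Do not become an open proxy. With the service enabled, the port answers
# on every interface unless the input chain stops it; an open proxy is
# found and abused for relaying within days.
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=8080 \
    action=drop comment="no proxy access from WAN"

# Verify: access rule counters should move, the input drop rarely.
/ip proxy access print stats
/ip firewall filter print stats where dst-port=8080
```

Two limits worth knowing before adopting this: the access list is scanned linearly per request, so a list of thousands of rules costs CPU on every page load, which matches Ghassan's report further down; and the proxy sees only plain HTTP, so redirecting port 443 into it breaks TLS rather than filtering it.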
 
Ghassan
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Fri May 18, 2007 1:53 pm

[quote]Access list at the web proxy.

Just create a rule to drop any address with xxx in it (path=*xxx*), and then even a Google search for xxx will not work.[/quote]

We already had this before and it was not a success, because we had many complaints about blocking many sites that have some unwanted words.

But for now I have more than 3000 websites that are blocked at web proxy access, and it is really increasing my CPU usage. That is not a problem for us; the real thing is that the web proxy will read all the rules, so it will decrease our MT performance, so there might be a better idea.
 
skynoc
Member Candidate
Posts: 140
Joined: Wed Jul 07, 2004 10:20 pm

Fri May 18, 2007 4:47 pm

Send me the list.
 
darvader
just joined
Posts: 2
Joined: Mon Jun 04, 2007 1:22 pm

Re: block porn sites via firewall?

Mon Jun 04, 2007 2:22 pm

Please, Ghassan, send me the list.
 
Ghassan
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Re: block porn sites via firewall?

Mon Jun 04, 2007 4:22 pm

I will give you all my results.

First I tried to add more than 8000 websites (porn, ads, spam, spyware) to the web proxy access list. We blocked about 8000 harmful sites without any complaints from our customers, but the problem is CPU usage, with an unstable percentage going from 20% up to 80%.

The next week I started to change my idea to get the best results, by removing them from the web proxy and then adding a new rule which blocks the destination address list (content filter) and redirects it to our main web server, which shows our customers: "The URL you are trying to access has been considered unsafe or containing inappropriate content by the Content Filtering System."

Finally, our CPU usage got better and is stable again.

Ghassan.
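The address-list approach described above, reconstructed as an added RouterOS example (not Ghassan's own configuration): listed destinations are dst-natted on port 80 to an internal web server that shows the block page, and anything else to a listed address is refused. It assumes LAN 10.0.0.0/24, a block-page server at 10.0.0.2 on port 80, and a list named content-filter; the addresses in the list are RFC 5737 documentation ranges and the hostname blocked.example is a constructed entry standing in for real ones.

```routeros
# Added example reconstructing the post above; not Ghassan's config.
# Assumptions: LAN 10.0.0.0/24, block page at 10.0.0.2:80, list name
# "content-filter". List entries below are constructed placeholders.

/ip firewall address-list
add list=content-filter address=198.51.100.0/24 comment="constructed entry"
add list=content-filter address=203.0.113.77 comment="constructed entry"
# RouterOS 6.36 and later also accept a hostname here: the router resolves
# it with its own DNS settings and keeps the resulting IPs in the list, so
# the list can be maintained by name instead of by raw address.
add list=content-filter address=blocked.example comment="resolved by router"

/ip firewall nat
# HTTP to a listed address goes to the block page instead of timing out.
# The block-page host must never be in the list, or it redirects to itself.
add chain=dstnat src-address=10.0.0.0/24 dst-address-list=content-filter \
    protocol=tcp dst-port=80 action=dst-nat to-addresses=10.0.0.2 \
    to-ports=80 comment="content filter: show block page"
# Hairpin: client and block-page server are on the same subnet, so the
# server's reply would go straight to the client with the wrong source
# address and the TCP handshake would fail. Masquerading the redirected
# flow makes the reply come back through the router.
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.2 \
    protocol=tcp dst-port=80 action=masquerade \
    comment="content filter: hairpin for block page"

/ip firewall filter
# Port 80 has already been rewritten to 10.0.0.2 by the time the forward
# chain runs, so these rules only see the remaining protocols. HTTPS cannot
# be given a page; a TCP reset fails fast instead of hanging the browser.
add chain=forward src-address=10.0.0.0/24 dst-address-list=content-filter \
    protocol=tcp action=reject reject-with=tcp-reset \
    comment="content filter: reset non-HTTP TCP"
add chain=forward src-address=10.0.0.0/24 dst-address-list=content-filter \
    action=drop comment="content filter: drop the rest"

# Verify: the dstnat counter climbs on blocked HTTP, the reset rule on HTTPS.
/ip firewall nat print stats where dst-address-list=content-filter
/ip firewall filter print stats where dst-address-list=content-filter
```

Address-list matching does not scan one rule per entry the way a long proxy access list does, which is why CPU settles down after the move described above; what grows instead is memory per entry, which is the wall jorj hits below with 400,000 entries on 128 MB. Sites that share an IP with unrelated content (shared hosting, CDNs) are blocked wholesale by this method, so spot-check large ranges before adding them.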
 
o_hawchar86
Frequent Visitor
Posts: 67
Joined: Sun Nov 26, 2006 8:59 am

Re: block porn sites via firewall?

Sun Nov 11, 2007 11:51 pm

Ghassan, can you send me the list please?
Thanks, Salaf.
 
R1CH
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: block porn sites via firewall?

Mon Nov 12, 2007 2:51 am

It may be an easier idea to redirect HotSpot users' DNS to OpenDNS, where they have an "adult filter" which claims to block over 4M domains:

http://www.opendns.com/features/adult/
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: block porn sites via firewall?

Mon Nov 12, 2007 3:56 am

I second the comment above; OpenDNS works fine and is easy to implement.
 
jorj
Member
Posts: 397
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: block porn sites via firewall?

Mon Nov 12, 2007 3:47 pm

You can get a long list of domains which you can block through the firewall, but it won't be effective.
I imported about 400,000 sites on an x86 box with 128 MB RAM, and the firewall just won't pass any traffic through it.
Tried with the proxy and names to block, but that is also very hard work for the hardware to do...

If you care so much, do make yourself a DNS server, make everything that goes out from your network ask it for DNS resolution (even by redirecting customers through it), and put bogon IPs (you could put 127.0.0.1, for example) for a list that you can find on the net, and complete it yourself with "new" items.
You might, just _might_, do better this way. In terms of speed, for sure you would be best off this way. The DNS machine would be secure and happy if it were not doing anything else.

(Of course, some % of your users just won't be happy till they get their porn..... :) )
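The sinkhole resolver jorj describes can be run on the router itself rather than a separate box, which is the smallest setup that demonstrates it. The following is an added RouterOS example, not jorj's own setup: the router resolves for the LAN, answers listed names with 127.0.0.1, and is fenced off so the resolver does not answer the Internet. It assumes upstream resolvers 203.0.113.53/54 (placeholders), WAN on ether1, and names under the .test TLD as constructed list entries. The port 53 redirection cmacneill describes earlier in the thread, pointed at the router with action=redirect to-ports=53, is what makes clients use it.

```routeros
# Added example (not jorj's setup): the router as the sinkhole resolver.
# Assumptions: upstream resolvers 203.0.113.53/54 are placeholders, WAN is
# "ether1", and the .test names below are constructed entries.

/ip dns
set allow-remote-requests=yes servers=203.0.113.53,203.0.113.54 \
    cache-size=4096KiB cache-max-ttl=1d

# Sinkhole entries. 127.0.0.1 is the conventional answer; 0.0.0.0 also
# works and fails faster on most clients. name= entries are exact matches
# and cheap; a regexp entry covers every subdomain but regexp entries are
# checked one by one on each query, so use them for wildcards only and keep
# the bulk of the list as plain names.
/ip dns static
add name=blocked.test address=127.0.0.1 comment="sinkhole"
add regexp=".*\\.blocked\\.test" address=127.0.0.1 comment="sinkhole wildcard"

# Bulk import: a file of one name per line becomes a loop like this one.
# Two constructed names are added inline here.
:foreach n in={"another.test";"third.test"} do={
    /ip dns static add name=$n address=127.0.0.1 comment="sinkhole (bulk)"
}

# allow-remote-requests=yes answers everyone who can reach UDP/TCP 53 on
# the router, including the Internet. An open resolver is picked up for
# DNS amplification quickly, so drop WAN-side queries in the input chain.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="no DNS service to the Internet"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop

# Verify: a listed name resolves to the sinkhole, an unlisted one upstream,
# and the input drop counters stay near zero unless someone is probing.
:put [:resolve blocked.test server=127.0.0.1]
/ip firewall filter print stats where dst-port=53
```

Each static entry is held in RAM, so the 400,000-entry list above would exhaust a small router just as it did jorj's firewall; a dedicated BIND or dnsmasq host with the same 127.0.0.1 answers is the right place for a list that size, with the router only forcing port 53 toward it. A sinkhole also does nothing for clients that already know the destination IP or that resolve through a channel other than port 53.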
 
t3rm
Member Candidate
Posts: 143
Joined: Sat Aug 04, 2007 1:57 pm
Location: Bandung - WJ - Indonesia

Re: block porn sites via firewall?

Tue Nov 13, 2007 6:52 am

Check the firewall option named 'content';
you could use it to match every packet passing your MikroTik against the porn words you need to block.

Or use layer-7 filtering.

8)
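The two matchers t3rm points at, as an added RouterOS example (not t3rm's configuration) that also shows where each one stops working. It assumes LAN 10.0.0.0/24; the keyword pair and the hostname www.blocked.test are constructed samples.

```routeros
# Added example (not t3rm's config). Assumptions: LAN 10.0.0.0/24; the
# keywords and www.blocked.test are constructed samples.

# layer7 collects the first 10 packets or 2 KiB of a connection, runs the
# regexp over that buffer, and then stops inspecting the connection. The
# matcher is case-insensitive by default. Anchoring on "host:" restricts
# the keyword test to the requested hostname instead of page text, which
# is what causes most of the false positives reported in this thread.
/ip firewall layer7-protocol
add name=blocked-hosts regexp="^.*host: [a-z0-9.-]*(porn|xxx)"

/ip firewall filter
add chain=forward src-address=10.0.0.0/24 protocol=tcp dst-port=80 \
    layer7-protocol=blocked-hosts action=reject reject-with=tcp-reset \
    comment="L7: keyword in the HTTP Host header"

# content= is a case-sensitive substring test on one packet at a time. It
# is cheaper than layer7 but matches anywhere in the payload, so a bare
# keyword here would trip on a search query or a news article; matching
# the full Host header line keeps it precise.
add chain=forward src-address=10.0.0.0/24 protocol=tcp dst-port=80 \
    content="Host: www.blocked.test" action=reject reject-with=tcp-reset \
    comment="content: one exact host"

# Neither matcher can read inside TLS. On 443 the only plaintext name is
# the server name in the ClientHello, which arrives in the first packet,
# so the same layer7 regexp (without the host: anchor) is the most this
# approach can do for HTTPS.
/ip firewall layer7-protocol
add name=blocked-sni regexp="^.*(porn|xxx)"
/ip firewall filter
add chain=forward src-address=10.0.0.0/24 protocol=tcp dst-port=443 \
    layer7-protocol=blocked-sni action=reject reject-with=tcp-reset \
    comment="L7 on ClientHello (plaintext SNI in TLS 1.2 and earlier)"

# Watch the counters and the CPU: every packet of every new connection
# through layer7 rules is run through the regexp until the budget is spent.
/ip firewall filter print stats where layer7-protocol=blocked-hosts
/system resource monitor once
```

Payload matching is the most expensive option in this thread per packet and the easiest to bypass (any encryption, compression or a keyword split across packets defeats content=), so it is best used as a narrow supplement to DNS or address-list blocking rather than as the primary filter.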
