20ivs, 2019-10-02 12:58:23
Mikrotik

How to close access to the Internet with exceptions?

Hello all!
What am I doing wrong?
I need to block Internet access for one of the subnets. For this I do:

ip firewall filter add chain=forward action=drop src-address=xx.yy.yy.0/24 dst-address-list=!XXXX out-interface=INET_INTERFACE

and add to the address list:
ip firewall address-list add address=address.com list=XXXX

As a result, pings to addresses from the address list go through, but the pages do not open. It seems that this method worked before, if I am not confusing anything.
One more question: is it possible to give the MikroTik address list not xxx.yyy.com but a mask, *.yyy.com? Only Layer7?

2 answer(s)
Igor, 2019-10-02
@Lopar

/ip firewall address-list
add address=1.yyy.com list=allowed
add address=2.yyy.com list=allowed
/ip firewall filter
add action=reject chain=forward dst-address-list=!allowed protocol=tcp reject-with=tcp-reset src-address=%your_ip%
add action=drop chain=forward dst-address-list=!allowed protocol=udp src-address=%your_ip%

And move the rules up.

rionnagel, 2019-10-02
@rionnagel

I misread what you wrote.
The forward accept rule for the whitelist is separate. Access to DNS must be allowed. Drop at the end. Do not use your example - it is too "well, that ...".
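
Added example (not part of the original posts): a RouterOS filter layout in the order the answer above describes, with the whitelist accept as its own rule, DNS permitted, and the drop last. The subnet 192.0.2.0/24, the list name and the comments are constructed placeholders; it assumes clients query an external DNS resolver through the forward chain (queries to the router's own resolver pass through the input chain instead).

```routeros
# Constructed placeholders: 192.0.2.0/24 is the restricted subnet,
# INET_INTERFACE is the WAN interface name used in the question,
# "allowed" is the whitelist name used in the first answer.

/ip firewall address-list
# A DNS name in an address list is resolved by the router into IP entries.
add list=allowed address=1.yyy.com comment="whitelisted site"
add list=allowed address=2.yyy.com comment="whitelisted site"

/ip firewall filter
# 1. Replies for connections that a rule below has already permitted.
add chain=forward action=accept connection-state=established,related \
    comment="restricted subnet: established/related"

# 2. DNS lookups from the restricted subnet (UDP and TCP port 53).
add chain=forward action=accept src-address=192.0.2.0/24 protocol=udp \
    dst-port=53 out-interface=INET_INTERFACE comment="restricted subnet: DNS udp"
add chain=forward action=accept src-address=192.0.2.0/24 protocol=tcp \
    dst-port=53 out-interface=INET_INTERFACE comment="restricted subnet: DNS tcp"

# 3. The whitelist accept, kept as a separate rule.
add chain=forward action=accept src-address=192.0.2.0/24 \
    dst-address-list=allowed out-interface=INET_INTERFACE \
    comment="restricted subnet: whitelist"

# 4. Everything else from the subnet is dropped last. Logging the drops
#    shows which destinations the clients still try to reach.
add chain=forward action=drop src-address=192.0.2.0/24 \
    out-interface=INET_INTERFACE log=yes log-prefix="restricted-drop" \
    comment="restricted subnet: drop the rest"

# Rules are evaluated top to bottom and the first match wins, so these
# five rules must sit above any broader accept rule in the forward chain.
# Check the order and the per-rule hit counters with:
/ip firewall filter print stats
```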
