K
K
Kirill Kazakov2015-07-23 12:35:28
Shaping
Kirill Kazakov, 2015-07-23 12:35:28

How to prevent access to some sites via https in Routeros?

Now everything is blocked on port 80 for a list of ip addresses (in the local network), there is also a redirect for the same list to proxy, where certain sites are also cut. But if port 443 is added to the proxy redirect (for our ip list), then all http s are cut. I understand that this is due to the fact that you can not see the encrypted traffic and distinguish between the permitted url and the prohibited one.
Are there ways to filter 443 on mokrotik Router OS?

Answer the question

In order to leave comments, you need to log in

2 answer(s)
E
efkot, 2015-07-23
@mausspb

no encrypted traffic you will not cut off either proxy or layer7
only ban by ip
like this ban
ip firewall layer7-protocol add name=block_site regexp="^.*(get|GET).+(odno(c|k)la( s|ss)niki|vk.com|ok.ru|vk.me).*\$"
for https is more difficult

/system script
add name=script1 policy=ftp,reboot,read,write,policy,test,password,sensitive \
    source=":foreach i in=[/ip dns cache all find where (name~\"odnokl\" || na\
    me~\"vk.com\" || name~\"vk.me\") && (type=\"A\") ] do={\r\
    \n:local tmpAddress [/ip dns cache get \$i address];\r\
    \ndelay delay-time=10ms\r\
    \n#prevent script from using all cpu time\r\
    \n:if ( [/ip firewall address-list find where address=\$tmpAddress] = \"\"\
    ) do={ \r\
    \n:local cacheName [/ip dns cache get \$i name] ;\r\
    \n:log info (\"added entry: \$cacheName \$tmpAddress\");\r\
    \n/ip firewall address-list add address=\$tmpAddress list=blockSS timeout=\
    12:00:00 comment=\$cacheName;\r\
    \n}\r\
    \n}"

ip firewall filter add action=reject chain=forward dst-address-list=blockSS in-interface="eth 1" protocol=tcp reject-with=tcp-reset

V
Vasily, 2021-06-03
@xnscripter

I raise the topic.
In RouterOS v6.48.3, the syntax has changed, it will work like this:

/system script add name=script_block policy=ftp,reboot,read,write,policy,test,password,sensitive source="
:foreach addr in=[/ip dns cache all find where (name~"vk.com" || name~"userapi.com" || name~"twitch.tv") && (type="A")] do={
  :local tmpAddress [/ip dns cache get $addr data];
  :delay 300ms;
  :if ([/ip firewall address-list find where address=$tmpAddress] = "") do={
    :local cacheName [/ip dns cache get $addr name];
    :log info "added entry: $cacheName $tmpAddress";
    /ip firewall address-list add address=$tmpAddress list=block timeout=24h comment=$cacheName;
  }
};"

/system scheduler add interval=10m name=schedule_block-sites on-event=script_block policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive

/ip firewall filter add action=reject chain=forward dst-address-list=block protocol=tcp reject-with=tcp-reset

In firewall filter - Src. Address List, you can add the name of the list of users with statics, to
whom we will block access.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question