Blocking Facebook

CheckPoint:

Cisco:

Cyberoam:

FortiNet:

Mikrotik:
Method 1: Using the MikroTik L7 firewall
/ip firewall layer7-protocol \
add name=socialmedia regexp="^.+(facebook).*\$"

/ip firewall filter \
add action=drop chain=forward layer7-protocol=socialmedia out-interface=ether1-gateway
NOTE: Put the firewall rule at the top of the list. The L7 matcher only collects the first 10 packets (or the first 2 KB) of a connection and stops looking after that, so the rule has to see every connection from its first packet; in particular it must sit above any fasttrack or "accept established" rule in the forward chain, otherwise already-accepted traffic never reaches it.
The pattern is effectively just "facebook": the leading ^.+ and trailing .*$ match anything. With HTTPS the string is only visible in clear in the TLS ClientHello (the SNI hostname) and in DNS queries, so the rule depends on that plaintext still being present.
WEAKNESS:
can be bypassed by using the Chrome extension ZenMate (or any VPN/proxy that tunnels the traffic, since the hostname is then encrypted before the router sees it)
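What the L7 rule actually sees, as an added example written for this page (Python, not MikroTik code): it applies the regexp above to the first 2 KB of constructed connection data. A plaintext HTTP request and a TLS ClientHello both expose the hostname (the Host header and the SNI extension), so the rule fires; the same ClientHello wrapped in a toy tunnel cipher, standing in for the ZenMate bypass, or a stream that only mentions the name after the 2 KB inspection window, does not. The ClientHello builder, the XOR "tunnel" and all packets are constructed for the demo, and `.` is treated as matching any byte, as an l7-filter style matcher does; the hostnames are kept lower-case so case handling does not matter here.

```python
import hashlib
import re
import struct

# The L7 regexp from the page, compiled with Python's re. The matcher runs over
# raw connection bytes with POSIX-style semantics where "." also matches a
# newline, hence re.DOTALL. RouterOS only collects the first 10 packets or the
# first 2 KB of a connection before it gives up on that connection.
L7_REGEXP = re.compile(rb"^.+(facebook).*$", re.DOTALL)
INSPECT_WINDOW = 2048


def l7_matches(stream: bytes) -> bool:
    """True if the L7 rule would fire on this connection's early bytes."""
    return L7_REGEXP.search(stream[:INSPECT_WINDOW]) is not None


def http_get(host: str) -> bytes:
    """Constructed plaintext HTTP/1.1 request; the Host header carries the name."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def tls_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello whose only extension is server_name.

    The SNI travels in clear even though the rest of the session is encrypted,
    which is the only reason a string match still works on HTTPS traffic.
    """
    host = sni.encode()
    name_entry = struct.pack("!BH", 0, len(host)) + host            # name_type 0 = host_name
    sni_body = struct.pack("!H", len(name_entry)) + name_entry       # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + bytes(32)    # client_version TLS 1.2, 32-byte random (zeros for the demo)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\xc0\x2f"      # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"              # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # TLS record header


def tunnel(plaintext: bytes, key: bytes = b"demo-tunnel-key") -> bytes:
    """Toy stand-in for a VPN/proxy tunnel: XOR with a SHA-256 counter keystream.

    Not a real cipher (an assumption made for the demo only); it just shows that
    once the ClientHello is wrapped, the router sees no hostname at all.
    """
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = plaintext[offset:offset + 32]
        out += bytes(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


def beyond_window(host: str, padding: int = 2100) -> bytes:
    """Constructed stream that only names the host after more than 2 KB of data."""
    return b"A" * padding + host.encode()


if __name__ == "__main__":
    cases = [
        ("HTTP Host header", http_get("www.facebook.com")),
        ("TLS SNI", tls_client_hello("www.facebook.com")),
        ("TLS SNI, other site", tls_client_hello("example.org")),
        ("Same ClientHello inside a tunnel", tunnel(tls_client_hello("www.facebook.com"))),
        ("Name only after 2 KB", beyond_window("facebook.com")),
    ]
    for label, stream in cases:
        print(f"{label:35s} L7 match: {l7_matches(stream)}")
```

The last two cases are the practical limits of Method 1: a tunnel hides the name entirely, and anything the matcher does not see within its inspection window is never matched, however good the regexp.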

Method 2: Blocking Facebook server IPs manually
go to bgp.he.net
search facebook.com
click the A record
click AS32934
click Prefixes v4

The list below is a snapshot of the AS32934 announcements at the time of writing. The prefixes change, so re-check bgp.he.net periodically and regenerate the address list rather than relying on an old export.

/ip firewall address-list
add address=31.13.24.0/21 comment=\
"Facebook IP Subnets from: http://bgp.he.net/AS32934#_prefixes" disabled=\
no list=Facebook
add address=31.13.64.0/18 disabled=no list=Facebook
add address=66.220.144.0/21 disabled=no list=Facebook
add address=69.63.176.0/20 disabled=no list=Facebook
add address=69.171.224.0/19 disabled=no list=Facebook
add address=74.119.76.0/22 disabled=no list=Facebook
add address=103.4.96.0/22 disabled=no list=Facebook
add address=173.252.64.0/18 disabled=no list=Facebook
add address=204.15.20.0/22 disabled=no list=Facebook
/ip firewall filter
add chain=forward action=log dst-address-list=Facebook log-prefix="Facebook Traffic" disabled=no
add chain=forward action=drop dst-address-list=Facebook disabled=no
add chain=forward action=drop src-address-list=Facebook disabled=no
NOTE: The log rule goes before the drop so that matched connections are recorded. As with Method 1, these rules belong above any fasttrack or "accept established" rules in the forward chain, otherwise traffic that has already been accepted never reaches them.
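Generating and checking the address list, as an added example (Python, not from the page): the prefix list is the page's snapshot, and the extra overlapping entry `31.13.70.0/24` is constructed to show aggregation. The helpers reject entries with host bits set, collapse overlapping or adjacent prefixes with the standard library's ipaddress module, render RouterOS `/ip firewall address-list` lines, and answer the same question the `dst-address-list` matcher asks: does this address fall inside the list? The function names (`invalid_entries`, `aggregate`, `routeros_address_list`, `is_listed`) are the example's own.

```python
import ipaddress

# Prefix list as shown on the page: a snapshot of AS32934 announcements, which
# change over time, so regenerate it instead of trusting an old export.
FACEBOOK_PREFIXES = [
    "31.13.24.0/21",
    "31.13.64.0/18",
    "66.220.144.0/21",
    "69.63.176.0/20",
    "69.171.224.0/19",
    "74.119.76.0/22",
    "103.4.96.0/22",
    "173.252.64.0/18",
    "204.15.20.0/22",
]


def invalid_entries(prefixes):
    """Return entries that are not well-formed prefixes (bad syntax or host bits set).

    A typo such as 31.13.24.1/21 is rejected instead of being silently
    reinterpreted, so the list on the router matches what was announced.
    """
    bad = []
    for prefix in prefixes:
        try:
            ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            bad.append(prefix)
    return bad


def aggregate(prefixes):
    """Parse the prefixes and collapse overlapping or adjacent ones.

    collapse_addresses drops a prefix that is already covered by another and
    merges two aligned halves into their parent block, so the router holds the
    smallest list that blocks exactly the same addresses.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def routeros_address_list(prefixes, list_name="Facebook", comment=None):
    """Render the collapsed list as RouterOS CLI lines, one 'add' per prefix."""
    lines = ["/ip firewall address-list"]
    for index, net in enumerate(aggregate(prefixes)):
        line = f"add address={net} list={list_name}"
        if index == 0 and comment:
            line += f' comment="{comment}"'
        lines.append(line)
    return "\n".join(lines)


def is_listed(ip, prefixes):
    """True if ip is inside any prefix, i.e. what dst-address-list would match."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in aggregate(prefixes))


if __name__ == "__main__":
    # Constructed overlapping entry: aggregation folds it into 31.13.64.0/18.
    candidates = FACEBOOK_PREFIXES + ["31.13.70.0/24"]
    assert not invalid_entries(candidates)
    print(routeros_address_list(
        candidates,
        comment="Facebook IP Subnets from: http://bgp.he.net/AS32934#_prefixes",
    ))
    for ip in ("31.13.66.1", "8.8.8.8"):
        print(ip, "blocked" if is_listed(ip, FACEBOOK_PREFIXES) else "not listed")
```

Feed the generator a fresh copy of the AS32934 prefix list each time, import the printed lines on the router, and keep the existing drop rules pointing at the same list name.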

Method 3: OpenDNS
Source: http://www.phy2vir.com/configuring-mikrotik-to-use-opendns/
Create a personal account at http://www.opendns.com and add your network in the OpenDNS dashboard.

Stop the DHCP client on the WAN interface from installing the ISP's DNS servers (the USE column is use-peer-dns), then point the router at OpenDNS:

[admin@MikroTik] > /ip dhcp-client print
Flags: X - disabled, I - invalid
 #   INTERFACE        USE ADD-DEFAULT-ROUTE STATUS  ADDRESS
 0   ;;; default configuration
     ether1-gateway   yes yes               bound   10.0.0.105/24
[admin@MikroTik] > /ip dhcp-client set use-peer-dns=no 0
[admin@MikroTik] > /ip dhcp-client print
Flags: X - disabled, I - invalid
 #   INTERFACE        USE ADD-DEFAULT-ROUTE STATUS  ADDRESS
 0   ;;; default configuration
     ether1-gateway   no  yes               bound   10.0.0.105/24
[admin@MikroTik] > /ip dns set servers=208.67.222.220,208.67.222.222
The script below reports the router's current public IP to OpenDNS through its DynDNS-compatible update URL, so the dashboard settings (including the Facebook block) are applied to whatever address the router has. openDNSHostname is the network label you gave in the OpenDNS dashboard; replace the placeholders with your account e-mail and password.

/system script
add name=OpenDNS policy=read,test source="#\r\
\n# Variables\r\
\n#\r\
\n:local openDNSUsername \"<your OpenDNS account e-mail>\"\r\
\n:local openDNSPassword \"<your OpenDNS password>\"\r\
\n:local openDNSHostname \"Home\"\r\
\n \r\
\n#\r\
\n# Script\r\
\n#\r\
\n/tool fetch url=\"https://updates.opendns.com/nic/update\?system=dyndns&hostname=\$openDNSHostname\" \\\r\
\n user=\"\$openDNSUsername\" password=\"\$openDNSPassword\" \\\r\
\n mode=https keep-result=no"

/system scheduler
add comment="Update Open DNS Dynamic IP" disabled=no interval=1h name="Update openDNS Account" on-event=OpenDNS policy=read,test start-date=jan/01/2014 start-time=00:00:00
NOTE: The script sends the account password every hour. It does go over HTTPS, but /tool fetch does not verify the server certificate unless check-certificate=yes is set, which in turn needs the relevant CA certificate imported on the router.

Force / Redirect users to use your DNS
Clients that configure their own DNS server (8.8.8.8, for example) would otherwise never touch OpenDNS, so rewrite every outbound port-53 request from the LAN to the router's own resolver. 192.168.88.1 is the default LAN address; change it to yours. The router must be allowed to answer queries from the LAN (/ip dns set allow-remote-requests=yes), and because that setting also answers queries arriving on the WAN side, add an input-chain rule that drops TCP/UDP port 53 from the WAN interface so the router does not become an open resolver.
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=udp dst-port=53

WEAKNESS:
-can be bypassed by using the Chrome extension ZenMate (or any VPN/proxy that carries name resolution inside its tunnel); the redirect also only catches classic port-53 DNS, not clients that resolve over DNS over HTTPS or DNS over TLS.

PaloAlto:

SonicWall:
