  1. #1
    w1z4rd

    Question: Blocking Facebook using Layer 7 with an IP exception

    At work, I allow access to Facebook and YouTube only during certain hours. Initially everything was done via an external proxy, but the clients keep getting smarter. Because FB now supports ssh (443), the rules on the external proxy are bypassed. So yesterday I created rules on the MikroTik using Layer 7, configured as follows:

    # Layer 7 :
    Code:
    /ip firewall layer7-protocol print
         # NAME                                   REGEXP                                
         0 denied                                 ^.+(facebook|youtube).*$
    # Firewall Filter :
    Code:
    DROP_FB
             chain=forward action=drop dst-address-list=!kecuali layer7-protocol=denied
    # Address List :
    Code:
    kecuali                                      192.168.1.10
    #Script :
    Code:
    0   name="buka" owner="arman"
             policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,
               api
             last-started=feb/06/2012 07:16:40 run-count=5
             source=/ip firewall filter set [/ip firewall filter find comment="DROP_FB"]
               disable="yes"
    
    1   name="tutup" owner="arman"
             policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,
               api
             last-started=feb/06/2012 11:24:32 run-count=6
             source=/ip firewall filter set [/ip firewall filter find comment="DROP_FB"]
               disable="no"
    #Scheduler :
    Code:
    0   pagi     feb/05/2012 05:00:00     0s                   tutup               0
    1   siang     feb/05/2012 13:00:00     0s                   buka                1

    Everything runs according to the scenario: FB and YouTube cannot be accessed during working hours, except after 13:00. The problem is that the IP we want to be exempt from the rule (192.168.1.10) <--- address list "kecuali" is STILL affected too.

    Please enlighten me, friends: how can I keep certain IPs from being hit by this rule? Thanks in advance.

  2. #2
    yogii
    Replace dst-add-list with src-add-list=!kecuali. Does that work?

  3. #3
    w1z4rd
    Still doesn't work, bro, so now I'm confused.

  4. #4
    brutuz_1
    I think it's this rule that isn't quite right..
    Code:
    DROP_FB
             chain=forward action=drop dst-address-list=!kecuali layer7-protocol=denied
    What yogii said earlier is right, it has to be replaced with src-adress=!kecuali,
    maybe try restarting the MT first...??? (usually there's no need to restart the MT, but who knows, it might work...)

  5. #5
    Status
    Offline
    yogii's Avatar
    Member Senior
    Join Date
    Jun 2010
    Location
    Batam - Indonesia
    Posts
    416
    Reviews
    Read 0 Reviews
    Downloads
    0
    Uploads
    1
    Feedback Score
    0
    Try this one:
    Code:
    chain=forward action=drop protocol=tcp dst-port=80 src-address-list=!kecuali layer7-protocol=denied

  7. #6
    pos_ronda
    Technically there are various ways to do this on MikroTik. But if the users already know TOR / UltraSurf or other anonymity techniques, then what?
    A personal approach is also needed... if they are still stubborn, I usually just post their Facebook username and part of their password next to the attendance machine.

  9. #7
    w1z4rd
    @yogii : thanks a lot for the info, but these users access it via https (port 443); port 80 can already be blocked via the external proxy
    @pos_ronda : that's exactly the challenge, users are getting smarter now, and all kinds of tutorials for workarounds are easy to find. Btw..., your suggestion is a good one too, it could double as an announcement

  10. #8
    yogii
    Originally Posted by w1z4rd:
    @yogii : thanks a lot for the info, but these users access it via https (port 443); port 80 can already be blocked via the external proxy
    @pos_ronda : that's exactly the challenge, users are getting smarter now, and all kinds of tutorials for workarounds are easy to find. Btw..., your suggestion is a good one too, it could double as an announcement

    The thanks button is down below.

    Try replacing port 80 with 443, does that work?

  11. #9
    pos_ronda
    Originally Posted by w1z4rd:
    @yogii : thanks a lot for the info, but these users access it via https (port 443); port 80 can already be blocked via the external proxy
    @pos_ronda : that's exactly the challenge, users are getting smarter now, and all kinds of tutorials for workarounds are easy to find. Btw..., your suggestion is a good one too, it could double as an announcement

    Just split the filter into two;
    place the new rule before DROP_FB
    Code:
             chain=forward action=accept src-address=192.168.1.10 layer7-protocol=denied        
    DROP_FB
             chain=forward action=drop layer7-protocol=denied

  12. #10
    iamspa
    You're using a proxy, right?....

    chain=forward action=drop dst-address-list=!kecuali in-interface=proxy out-interface=lokal

  13. #11
    lorenzo
    Try using this...
    /ip firewall filter add chain=forward action=drop dst-address-list=!kecuali src-address-list=!kecuali layer7-protocol=denied
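
The rule variants proposed in this thread differ only in which side of each packet is compared against the `kecuali` list, so a small model of first-match rule evaluation shows which direction of a flow each variant drops. This is an added example in Python, not part of any post above and not RouterOS code. Assumptions: the server address 203.0.113.5 and the second client 192.168.1.20 are constructed, `SRC_NEG` is the original rule with only the list matcher swapped as suggested in post #2, and the L7 matcher is taken to flag packets in both directions of a matching connection.

```python
# Simplified model of how the forward-chain rules quoted in the thread are
# evaluated. Not RouterOS code; server/other-client addresses are constructed.
LISTS = {"kecuali": {"192.168.1.10"}}   # address list from the thread
SERVER = "203.0.113.5"                  # constructed stand-in for a blocked site

def parse(rule):
    """Turn 'key=value key=value ...' into a dict of matchers."""
    return dict(field.split("=", 1) for field in rule.split())

def matches(rule, pkt):
    """Every matcher in a rule must hold (logical AND); '!' negates a list."""
    for key, want in rule.items():
        if key in ("chain", "action"):
            continue
        side = key[:3]                                  # "src" or "dst"
        if key == "layer7-protocol":
            ok = pkt["l7"] == want
        elif key.endswith("-address-list"):
            ok = (pkt[side] in LISTS[want.lstrip("!")]) != want.startswith("!")
        elif key.endswith("-address"):
            ok = pkt[side] == want
        else:
            raise ValueError(f"matcher not modelled: {key}")
        if not ok:
            return False
    return True

def verdict(rules, pkt):
    """First matching rule decides; unmatched packets are accepted."""
    for rule in map(parse, rules):
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

def both_directions(rules, client):
    """Verdicts for (client -> server, server -> client) of one flagged flow.
    Assumption: the L7 matcher flags packets in both directions."""
    out = {"src": client, "dst": SERVER, "l7": "denied"}
    back = {"src": SERVER, "dst": client, "l7": "denied"}
    return verdict(rules, out), verdict(rules, back)

DST_NEG = ["chain=forward action=drop dst-address-list=!kecuali layer7-protocol=denied"]
SRC_NEG = ["chain=forward action=drop src-address-list=!kecuali layer7-protocol=denied"]
SPLIT = ["chain=forward action=accept src-address=192.168.1.10 layer7-protocol=denied",
         "chain=forward action=drop layer7-protocol=denied"]
BOTH_NEG = ["chain=forward action=drop dst-address-list=!kecuali "
            "src-address-list=!kecuali layer7-protocol=denied"]

if __name__ == "__main__":
    for name in ("DST_NEG", "SRC_NEG", "SPLIT", "BOTH_NEG"):
        for client in ("192.168.1.10", "192.168.1.20"):
            print(name, client, both_directions(globals()[name], client))
```

Under the stated assumption, only the variant that negates both the source and the destination list leaves both directions of the exempt client's flow untouched while still dropping other clients.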

 

 
