Tag : routeros

/system script
#CREATE DOWNLOAD BLACKLIST SCRIPT
# NOTE: mode=http fetches the list over plaintext HTTP, and the import script below then
# executes that file as RouterOS commands with write policy, so anyone who can tamper with
# the transfer can inject commands into the router.
add comment=Firewall name=Blacklist_SquidBlacklist_Download_drop.bogons.rsc policy=read,test source=":log warning \"START - Download bogons list (sbl-bogons.rsc) updates.\";\r\
\n/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/sbl-bogons.rsc dst-path=/disk1/blacklists/sbl-bogons.rsc\r\
\n:log warning \"END - Download bogons list (sbl-bogons.rsc) updates.\";"

#CREATE IMPORT BLACKLIST SCRIPT
add comment=Firewall name=Blacklist_SquidBlacklist_Import_drop.bogons.rsc policy=read,write source=":log warning \"START - Import blacklist (sbl-bogons.rsc) update.\";\r\
\nimport /disk1/blacklists/sbl-bogons.rsc\r\
\n:log warning \"END - Import blacklist (sbl-bogons.rsc) update.\";"

/system scheduler
#CREATE DOWNLOAD BLACKLISTS SCHEDULER (created disabled; enable once the disk path exists)
add comment=Firewall interval=1d name=Blacklist_SquidBlacklist_Download_drop.bogons.rsc on-event="/system script run Blacklist_SquidBlacklist_Download_drop.bogons.rsc" policy=read,write start-date=jan/01/2017 start-time=02:00:00 disabled=yes

#CREATE IMPORT BLACKLISTS SCHEDULER (runs 15 minutes after the download)
add comment=Firewall interval=1d name=Blacklist_SquidBlacklist_Import_drop.bogons.rsc on-event="/system script run Blacklist_SquidBlacklist_Import_drop.bogons.rsc" policy=read,write start-date=jan/01/2017 start-time=02:15:00 disabled=yes

/ip firewall filter
#CREATE DROP RULES FOR BLACKLISTS (the address list "sbl bogons" is populated by the imported .rsc file)
add action=drop chain=forward src-address-list="sbl bogons" log=yes log-prefix="BL_sbl blocklist.de" comment="Squid Blacklist: SBL Bogons."

If you need help with your Mikrotik router, go to wisp.net.au for all the latest gear and knowledge.

Author: 3 months ago
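
The scripts above fetch an .rsc file over plain HTTP and then import it, which means every line of that file runs on the router with write policy; a spoofed or tampered download becomes command execution. The following is an added example, not the original author's scripts: one RouterOS script body (paste it into the Source field of a single /system script entry with read,write,test policy) that fetches over HTTPS with certificate checking and only imports the file if the download actually succeeded. It assumes the list is also served over HTTPS at the same path and that the router already trusts the issuing CA (imported under /certificate); both are assumptions, as is the hypothetical file path.

```routeros
# Added example: hardened download-and-import in one script, so the import
# never runs on a stale or missing file. Assumes HTTPS is offered at the
# same path and that the server certificate chains to a CA the router trusts.
:local url "https://www.squidblacklist.org/downloads/sbl-bogons.rsc"
:local file "disk1/blacklists/sbl-bogons.rsc"

:log warning "START - Download and import bogons list ($file)"
:do {
    # Remove yesterday's copy first: a failed fetch must not leave an old
    # file behind that the checks below would mistake for a fresh download.
    /file remove [/file find name=$file]

    # check-certificate=yes makes fetch fail on an untrusted, expired or
    # mismatched certificate instead of silently accepting a spoofed server.
    /tool fetch url=$url check-certificate=yes dst-path=$file

    # Refuse to import if nothing was written or the file is empty.
    :if ([:len [/file find name=$file]] = 0) do={
        :error "download produced no file"
    }
    :if ([/file get [/file find name=$file] size] = 0) do={
        :error "downloaded file is empty"
    }

    # Only now execute the list; it populates the address list the drop rule uses.
    /import file-name=$file
    :log warning "END - Import of $file succeeded"
} on-error={
    # Any failure above lands here; the previously imported address list stays in place.
    :log error "Bogons list update FAILED; keeping the previous address list"
}
```

Because fetch and import are one script, a single scheduler entry at 02:00 replaces the two 15-minute-apart entries above, and there is no window in which the import runs against a half-downloaded or absent file. Check the result in /log after the first run before relying on it.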

New way to match websites in RouterOS's firewall

Since most of the internet now uses HTTPS, it has become much harder to filter specific web content. For this
reason, RouterOS 6.41 introduces a new firewall matcher which allows you to block HTTPS websites (TLS traffic)
based on the TLS SNI extension, called "tls-host". The new parameter supports glob-style patterns, which
should be enough for whatever you're trying to match.
For example, to block example.com, you would use a rule like this:
/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=*.example.com action=reject

Author: 7 months ago
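
Two practical points about that matcher, shown in the added example below (not from the original post): a glob of `*.example.com` matches `www.example.com` but not the bare `example.com`, so a complete block needs both patterns, and the matcher reads the server name from the cleartext TLS ClientHello sent over TCP. If the client never sends a readable SNI there is nothing to match. The UDP rule at the end is an optional policy choice, included as an assumption about the network: browsers that speak QUIC (HTTP/3) carry the handshake over UDP 443, which tls-host does not inspect, and dropping UDP 443 makes them fall back to TCP where the rule applies.

```routeros
# Added example: complete tls-host block for example.com and its subdomains.
/ip firewall filter
# Bare domain: "*.example.com" would not match this, so it gets its own rule.
# log=yes records the matched connection so you can confirm in /log that the
# SNI seen by the router is what you expected.
add chain=forward protocol=tcp dst-port=443 tls-host=example.com \
    action=reject reject-with=tcp-reset log=yes log-prefix="TLS_BLOCK_example.com" \
    comment="tls-host: bare domain"
# Subdomains (www., mail., cdn., ...).
add chain=forward protocol=tcp dst-port=443 tls-host=*.example.com \
    action=reject reject-with=tcp-reset log=yes log-prefix="TLS_BLOCK_example.com" \
    comment="tls-host: subdomains"
# Optional, an assumption about local policy: tls-host only sees TLS over TCP.
# Dropping UDP 443 forces QUIC/HTTP3 clients back to TCP so the rules above apply.
add chain=forward protocol=udp dst-port=443 action=drop \
    comment="force QUIC clients back to TCP where tls-host can match"
```

reject-with=tcp-reset is used rather than drop so the client fails immediately instead of waiting for a TLS handshake timeout. The match happens on the ClientHello, so the rules must sit in the forward chain before any rule that accepts established connections in a way that would bypass them, and they do nothing for traffic whose SNI is absent or encrypted.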