I'll try to go into a bit more detail, hopefully it helps you:

Situation:
Virtual PC 1: 10.0.0.254 - connected to the VirtualBox Network, default GW 10.0.0.1 (VirtualBox MikroTik)
Virtual PC 2: 10.0.0.253 - connected to the VirtualBox Network, default GW 10.0.0.1 (VirtualBox MikroTik)
MikroTik: ether1: 192.168.2.156 (WAN), ether2: 10.0.0.1 (LAN = VirtualBox Network)

Configuration done on the MikroTik:
DHCP client enabled on ether1.
DHCP server enabled on ether2.
Masquerade set up, address 10.0.0.1 and DHCP server set on ether2, a few basic firewall rules configured.

Current firewall:

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add chain=input comment="Allow Established connections" connection-state=established
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input in-interface=!ether1 src-address=10.0.0.0/24
add chain=input comment="Allow HOST" src-address=192.168.2.208
add action=drop chain=input comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

----------------

facebook.com works, so let's try blocking it:

1. Create a layer7 rule for facebook.com:
/ip firewall layer7-protocol add name=facebook regexp=".*facebook\\.com"

2. Create a rule that drops facebook for 10.0.0.2 - 10.0.0.254:
/ip firewall filter add action=drop chain=forward comment="No facebook allowed for 1-253" layer7-protocol=facebook src-address=10.0.0.2-10.0.0.253

Move the rule right to the top, so that the rules allowing traffic are not applied first:
/ip firewall filter print    # find out the rule number
# ... in my case it is number 6, and I want to move it to position 1:
/ip firewall filter move numbers=6 destination=1

FIREWALL STATE:

/ip firewall layer7-protocol add name=facebook regexp=".*facebook\\.com"
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=forward comment="No facebook allowed for 1-253" layer7-protocol=facebook src-address=10.0.0.2-10.0.0.253
add chain=input comment="Allow Established connections" connection-state=established
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input in-interface=!ether1 src-address=10.0.0.0/24
add chain=input src-address=192.168.2.208
add action=drop chain=input comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Test on PC1 (10.0.0.254 => not covered by the rule):
ping facebook.com
PING facebook.com (173.252.120.6) 56(84) bytes of data.
64 bytes from edge-star-shv-12-frc3.facebook.com (173.252.120.6): icmp_seq=1 ttl=75 time=117 ms
In Firefox facebook.com works.

Test on PC2 (10.0.0.253 => covered by the rule):
ping facebook.com
ping: unknown host facebook.com
In Firefox: Server not found

!!! I have no idea which site you intend to block, but don't forget that a rule set up like this cuts off every connection in which the string facebook.com appears (vasprovider.cz), within the first 10 packets or 2 kB (the default Layer 7 settings in MikroTik).
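To make the closing caveat concrete, here is an added Python model of what a layer-7 payload matcher does with that regexp. It is not MikroTik code and it is not from the post; only the 10-packet / 2 kB window and the `.*facebook\.com` pattern come from the post. The sample plaintext HTTP requests, the look-alike host `facebook.com.vasprovider.cz` and the stricter `STRICT_PATTERN` are my own constructions, and the real matcher's internals (for example how often it re-evaluates the buffer) are not reproduced. It shows three things: the pattern also fires on an unrelated host name that merely contains the string, a match split across two segments is still found because the payload is accumulated, and a name that only shows up after the 2 kB window is never seen.

```python
import re
from typing import Dict, Iterable

# Window sizes quoted in the post as the RouterOS layer-7 defaults.
MAX_PACKETS = 10
MAX_BYTES = 2 * 1024

# The regexp from the post (RouterOS "\\." is "\." in the actual pattern).
POST_PATTERN = r".*facebook\.com"

# Stricter alternative (my suggestion, not from the post): only a plaintext
# HTTP Host header whose name ends in facebook.com, so a host such as
# facebook.com.vasprovider.cz is not caught.
STRICT_PATTERN = (
    r"^[A-Z]+ [^\r\n]* HTTP/1\.[01]\r\n"   # request line
    r"(?:[^\r\n]+\r\n)*?"                  # any headers before Host
    r"Host: (?:[a-z0-9-]+\.)*facebook\.com(?::\d+)?\r\n"
)


def l7_matches(pattern: str, packets: Iterable[bytes],
               max_packets: int = MAX_PACKETS,
               max_bytes: int = MAX_BYTES) -> bool:
    """Search `pattern` in the payload window a layer-7 matcher would see.

    Payloads are appended to a buffer and the regexp is run over the data
    collected so far, so a match split across packets is still found.
    Collection stops after `max_packets` payloads or `max_bytes` bytes;
    whatever arrives after that is never inspected.
    """
    regex = re.compile(pattern.encode(), re.DOTALL)
    window = bytearray()
    for count, payload in enumerate(packets, start=1):
        if count > max_packets or len(window) >= max_bytes:
            break
        window += payload[: max_bytes - len(window)]
        if regex.search(window):
            return True
    return False


def http_get(host: str, path: str = "/") -> bytes:
    """Constructed plaintext HTTP/1.1 request used as a sample payload."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode()


# Constructed connections: each value is the list of payloads in arrival order.
SAMPLE_CONNECTIONS: Dict[str, list] = {
    "facebook":  [http_get("www.facebook.com")],
    "other":     [http_get("www.example.org")],
    # The post's warning: the string also occurs inside an unrelated host name.
    "lookalike": [http_get("facebook.com.vasprovider.cz")],
    # Host header split across two TCP segments.
    "split":     [b"GET / HTTP/1.1\r\nHost: www.face", b"book.com\r\n\r\n"],
    # 2 kB of unrelated data first, so the name falls outside the window.
    "late":      [b"A" * 512] * 4 + [http_get("www.facebook.com")],
}


def classify(pattern: str = POST_PATTERN) -> Dict[str, bool]:
    """Run every sample connection through the matcher with `pattern`."""
    return {name: l7_matches(pattern, pkts)
            for name, pkts in SAMPLE_CONNECTIONS.items()}


if __name__ == "__main__":
    for label, pat in (("post regexp", POST_PATTERN),
                       ("strict regexp", STRICT_PATTERN)):
        print(label, classify(pat))
```

With the post's regexp, `lookalike` is dropped along with `facebook`, which is exactly the side effect the post warns about; `STRICT_PATTERN` keeps the real match and the split-segment match but lets the look-alike through. Both patterns only ever see what is in the payload window, so the `late` connection passes either way, and a pattern like this only works on plaintext traffic where the host name is actually visible in the payload.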