How to block sites on Juniper

As an example, I’ll use a Juniper MX204 router and show how to block sites by IP address or network.

First, let’s create a list of IP addresses or networks to which access needs to be blocked:

set policy-options prefix-list blacklist-ip 192.168.5.5/32
set policy-options prefix-list blacklist-ip 192.168.15.0/24

Now let’s create a filter in the firewall with this list:

set firewall family inet filter blacklist-ip-drop interface-specific
set firewall family inet filter blacklist-ip-drop term drop from destination-prefix-list blacklist-ip
set firewall family inet filter blacklist-ip-drop term drop then discard
set firewall family inet filter blacklist-ip-drop term other then accept

The finished filter can be applied to the desired interface or interfaces, for example the uplink or the interfaces towards clients:

set interfaces ae0 unit 777 family inet filter output blacklist-ip-drop
set interfaces ae0 unit 876 family inet filter output blacklist-ip-drop

If a filter is already applied to the interface, edit that filter instead, adding the two “term drop” lines at the beginning. The last term must be accept, since it is what allows all other traffic. The interface-specific statement is necessary because the filter will probably be applied to more than one interface. On EX series switches, the filter must be applied to the local interface.

Apply the changes with a comment:

commit comment "filter blacklist-ip-drop ixnfo.com"
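The prefix-list, the filter terms and the note about term order above can all be checked before anything is committed. The following script is an added example (not from the article and not a Juniper tool): it validates and collapses a constructed prefix list, renders the same set-commands the article uses, and walks the terms top to bottom the way Junos evaluates a filter (first matching term wins, implicit discard if nothing matches). The list name, filter name and sample prefixes are taken from the article; the helper names are my own.

```python
"""Generate and sanity-check a Junos blackhole filter from a list of prefixes."""
import ipaddress

# Constructed sample input: the two prefixes from the article plus a
# duplicate and a host that is already covered by the /24.
SAMPLE_PREFIXES = [
    "192.168.5.5/32",
    "192.168.15.0/24",
    "192.168.15.77",      # host inside 192.168.15.0/24 -> redundant
    "192.168.5.5/32",     # exact duplicate
]


def normalize_prefixes(prefixes):
    """Parse strictly (host bits set is an error), reject non-IPv4 entries
    since the filter is 'family inet', drop duplicates and subsumed prefixes."""
    nets = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        if net.version != 4:
            raise ValueError(f"{p} is not IPv4; it cannot go in a family inet filter")
        nets.append(net)
    return sorted(ipaddress.collapse_addresses(nets))


def render_config(list_name, filter_name, prefixes):
    """Emit the set-commands from the article, one prefix-list line per prefix."""
    lines = [f"set policy-options prefix-list {list_name} {net}"
             for net in normalize_prefixes(prefixes)]
    base = f"set firewall family inet filter {filter_name}"
    lines += [
        f"{base} interface-specific",
        f"{base} term drop from destination-prefix-list {list_name}",
        f"{base} term drop then discard",
        f"{base} term other then accept",
    ]
    return lines


def build_terms(prefixes, drop_first=True):
    """Terms as (name, match_networks, action); match_networks=None matches all.
    drop_first=False reproduces the mistake of putting the accept term first."""
    drop = ("drop", normalize_prefixes(prefixes), "discard")
    other = ("other", None, "accept")
    return [drop, other] if drop_first else [other, drop]


def evaluate(terms, dst_ip):
    """First-match evaluation like Junos; a packet matching no term is discarded."""
    dst = ipaddress.ip_address(dst_ip)
    for name, nets, action in terms:
        if nets is None or any(dst in net for net in nets):
            return name, action
    return None, "discard"


if __name__ == "__main__":
    for line in render_config("blacklist-ip", "blacklist-ip-drop", SAMPLE_PREFIXES):
        print(line)
    terms = build_terms(SAMPLE_PREFIXES)
    for ip in ("192.168.15.77", "192.168.5.5", "10.0.0.1"):
        print(ip, "->", evaluate(terms, ip))
    # With the accept term first, nothing is ever discarded:
    print("wrong order:", evaluate(build_terms(SAMPLE_PREFIXES, False), "192.168.15.77"))
```

Paste the generated lines into configuration mode and run `commit check` before the real commit; after applying, `show firewall` lists the per-interface instances that the interface-specific statement creates, which is the quickest way to confirm the discard term is actually matching.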
