Manual:IP/Firewall/L7: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
No edit summary
 
No edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 4: Line 4:


==Summary==
==Summary==
<p>
<p>'''layer7-protocol''' is a method of searching for patterns in ICMP/TCP/UDP streams.</p>
'''layer7-protocol''' is a method of searching for patterns in ICMP/TCP/UDP streams.
</p>


{{ Note | The L7 matcher is very resource intensive. Use this feature only for very specific traffic. It is not recommended to use L7 matcher for generic traffic, such as for blocking webpages. This will almost never work correctly and your device will exhaust it's resources, trying to catch all the traffic. Use other features to block webpages by URL}}


L7 matcher collects the first <b>10 packets</b> of a connection or the first <b>2KB</b> of a connection and searches for the pattern in the collected data. If the pattern is not found in the collected data, the matcher stops inspecting further. Allocated memory is freed and the protocol is considered as <b>unknown</b>.  You should take into account that a lot of connections will significantly increase memory and CPU usage. To avoid this, add regular firewall matchers to reduce amount of data passed to layer-7 filters repeatedly.
L7 matcher collects the first <b>10 packets</b> of a connection or the first <b>2KB</b> of a connection and searches for the pattern in the collected data. If the pattern is not found in the collected data, the matcher stops inspecting further. Allocated memory is freed and the protocol is considered as <b>unknown</b>.  You should take into account that a lot of connections will significantly increase memory and CPU usage. To avoid this, add regular firewall matchers to reduce amount of data passed to layer-7 filters repeatedly.
Line 15: Line 14:
Example L7 patterns compatible with RouterOS can found in [http://l7-filter.sourceforge.net/protocols  l7-filter project page]. <br />
Example L7 patterns compatible with RouterOS can found in [http://l7-filter.sourceforge.net/protocols  l7-filter project page]. <br />


You can also download a script with a list of common protocols [http://www.mikrotik.com/download/l7-protos.rsc here] (only for RouterOS v3), just run Import command with this file.
List of common protocols [http://www.mikrotik.com/download/share/l7_protocols_may_2009.zip here]. Open the archive and find the required protocol or file pattern and use them in your L7 filter rules.  


{{ Warning | In some cases when layer 7 regular expression cannot be performed, RotuerOS will log ''topic<nowiki>=</nowiki>firewall, warning'' with an error message stating the problem in the message}}
{{ Warning | In some cases when layer 7 regular expression cannot be performed, RotuerOS will log ''topic<nowiki>=</nowiki>firewall, warning'' with an error message stating the problem in the message}}
Line 98: Line 97:
</pre>
</pre>


{{Note | When user is logged in youtube will use HTTPS, meaning that L7 will not be able to much this traffic. Only unencrypted HTTP can be matched.}}
{{Note | When user is logged in youtube will use HTTPS, meaning that L7 will not be able to match this traffic. Only unencrypted HTTP can be matched.}}


{{Cont}}
{{Cont}}

Latest revision as of 09:12, 1 June 2016

Applies to RouterOS: v3, v4 +

Summary

layer7-protocol is a method of searching for patterns in ICMP/TCP/UDP streams.

Note: The L7 matcher is very resource intensive. Use this feature only for very specific traffic. It is not recommended to use L7 matcher for generic traffic, such as for blocking webpages. This will almost never work correctly and your device will exhaust it's resources, trying to catch all the traffic. Use other features to block webpages by URL


L7 matcher collects the first 10 packets of a connection or the first 2KB of a connection and searches for the pattern in the collected data. If the pattern is not found in the collected data, the matcher stops inspecting further. Allocated memory is freed and the protocol is considered as unknown. You should take into account that a lot of connections will significantly increase memory and CPU usage. To avoid this, add regular firewall matchers to reduce amount of data passed to layer-7 filters repeatedly.

Additional requirement is that layer7 matcher must see both directions of traffic (incoming and outgoing). To satisfy this requirement l7 rules should be set in forward chain. If rule is set in input/prerouting chain then the same rule must be also set in output/postrouting chain, otherwise the collected data may not be complete resulting in an incorrectly matched pattern.

Example L7 patterns compatible with RouterOS can found in l7-filter project page.

List of common protocols here. Open the archive and find the required protocol or file pattern and use them in your L7 filter rules.

Warning: In some cases when layer 7 regular expression cannot be performed, RotuerOS will log topic=firewall, warning with an error message stating the problem in the message


Warning: Layer 7 matcher is case insensitive


Properties

Sub-menu: /ip firewall layer7-protocol


Property Description
name (string; Default: ) Descriptive name of l7 pattern used by configuration in firewall rules. See example >>.
regexp (string; Default: ) POSIX compliant regular expression used to match pattern.

Examples

Simple L7 usage example

First, add Regexp strings to the protocols menu, to define strings you will be looking for. In this example we will use pattern to match rdp packets.

/ip firewall layer7-protocol
add name=rdp regexp="rdpdr.*cliprdr.*rdpsnd"

Then, use the defined protocols in firewall.

/ip firewall filter

# add few known protocols to reduce mem usage
add action=accept chain=forward comment="" disabled=no port=80 protocol=tcp
add action=accept chain=forward comment="" disabled=no port=443 protocol=tcp

# add l7 matcher
add action=accept chain=forward comment="" disabled=no layer7-protocol=\
    rdp protocol=tcp

As you can see before l7 rule we added several regular rules that will match known traffic thus reducing memory usage.

L7 in input chain

In this example we will try to match telnet protocol connecting to our router.

/ip firewall layer7-protocol add comment="" name=telnet regexp="^\\xff[\\xfb-\\xfe].\\xff[\\xfb-\\xfe].\\xff[\\xfb-\\xfe]"

Note that we need both directions that is why we need also l7 rule in output chain that sees outgoing packets.

/ip firewall filter

add action=accept chain=input comment="" disabled=no layer7-protocol=telnet \
    protocol=tcp

add action=passthrough chain=output comment="" disabled=no layer7-protocol=telnet \
    protocol=tcp


Youtube Matcher

 
/ip firewall layer7-protocol
add name=youtube regexp="(GET \\/videoplayback\\\?|GET \\/crossdomain\\.xml)"

Note: When user is logged in youtube will use HTTPS, meaning that L7 will not be able to match this traffic. Only unencrypted HTTP can be matched.


[ Top | Back to Content ]