Manual:IP/Firewall/L7: Difference between revisions
Revision as of 11:37, 23 January 2013
Applies to RouterOS: v3, v4 +
Summary
layer7-protocol is a method of searching for patterns in ICMP/TCP/UDP streams.
The L7 matcher collects the first 10 packets or the first 2 KB of a connection, whichever limit is reached first, and searches the collected data for the pattern. If the pattern is not found in the collected data, the matcher stops inspecting that connection: the allocated memory is freed and the protocol is considered unknown. Keep in mind that a large number of connections will significantly increase memory usage, because every new connection gets its own collection buffer. To limit this, place ordinary firewall matchers (protocol, ports, addresses) before the layer-7 rules so that only traffic those rules did not already classify reaches the layer-7 filter.
A further requirement is that the layer-7 matcher must see both directions of the traffic (incoming and outgoing). The simplest way to satisfy this is to put l7 rules in the forward chain. If a rule is placed in the input or prerouting chain, the same rule must also be placed in the output or postrouting chain respectively; otherwise the collected data may be incomplete and the pattern may be matched incorrectly.
L7 patterns found in l7-filter project page and in [1] are compatible with RouterOS.
You can also download a script with a list of common protocols here (only for RouterOS v3); run the Import command with that file to load it.
Warning: In some cases, when a layer-7 regular expression cannot be evaluated, RouterOS will log a warning under topic=firewall with an error message stating exactly what the problem is.
Properties
Sub-menu: /ip firewall layer7-protocol
Property | Description
---|---
name (string; Default: ) | Descriptive name of the l7 pattern, used to reference it from firewall rules. See the example below.
regexp (string; Default: ) | POSIX-compliant regular expression used to match the pattern.
Examples
Simple L7 usage example
First, add regexp strings in the layer7-protocol menu to define the strings you will be looking for. In this example we use a pattern that matches RDP traffic.
<pre>
/ip firewall layer7-protocol
add name=rdp regexp="rdpdr.*cliprdr.*rdpsnd"
</pre>
Then, use the defined protocols in firewall.
<pre>
/ip firewall filter
# add few known protocols to reduce mem usage
add action=accept chain=forward comment="" disabled=no port=80 protocol=tcp
add action=accept chain=forward comment="" disabled=no port=443 protocol=tcp
# add l7 matcher
add action=accept chain=forward comment="" disabled=no layer7-protocol=\
    rdp protocol=tcp
</pre>
As you can see, before the l7 rule we added several regular rules that match known traffic, so that this traffic never reaches the layer-7 matcher and no collection buffer is allocated for it. The accept actions here are only for illustration; in a real ruleset those earlier rules carry whatever action your policy requires, the point is that they classify the traffic before the l7 rule is evaluated.
L7 in input chain
In this example we will try to match the telnet protocol connecting to our router.
<pre>
/ip firewall layer7-protocol
add comment="" name=telnet regexp=\
    "^\\xff[\\xfb-\\xfe].\\xff[\\xfb-\\xfe].\\xff[\\xfb-\\xfe]"
</pre>
Note that we need both directions; that is why we also need an l7 rule in the output chain that sees the outgoing packets. The output rule uses action=passthrough, so it only feeds the router's replies to the matcher and otherwise has no effect on how the output chain is processed.
<pre>
/ip firewall filter
add action=accept chain=input comment="" disabled=no layer7-protocol=telnet \
    protocol=tcp
add action=passthrough chain=output comment="" disabled=no layer7-protocol=telnet \
    protocol=tcp
</pre>
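The following Python model is an added illustration and is not RouterOS or l7-filter code. It mimics only the behaviour this page documents (collect the first 10 packets or first 2 KB of a connection from both directions, run the regexp over the collected bytes, then stop inspecting and free the buffer) so you can see what the limits from the Summary and the both-directions requirement from this telnet example mean in practice. The packet payloads are constructed, not captured, and the per-connection state names ("collecting", "matched", "unknown") are this model's own.

```python
"""Model of the layer7-protocol matcher behaviour described on this page.

Added illustration, not RouterOS code: it reproduces the documented rules
(first 10 packets or first 2 KB per connection, both directions, POSIX-style
regexp, buffer freed once a decision is made) on constructed payloads.
"""
import re

MAX_PACKETS = 10   # documented limit: first 10 packets of a connection
MAX_BYTES = 2048   # documented limit: first 2 KB of a connection

# Regexps from the page's examples.  The RouterOS CLI needs the backslashes
# escaped once more; in a Python bytes pattern a single backslash is enough.
PATTERNS = {
    "rdp": re.compile(rb"rdpdr.*cliprdr.*rdpsnd", re.DOTALL),
    "telnet": re.compile(
        rb"^\xff[\xfb-\xfe].\xff[\xfb-\xfe].\xff[\xfb-\xfe]", re.DOTALL),
}


class L7Connection:
    """Per-connection state: a byte buffer that lives only until a decision."""

    def __init__(self, name):
        self.pattern = PATTERNS[name]
        self.buf = bytearray()
        self.packets = 0
        self.state = "collecting"   # becomes "matched" or "unknown"

    def feed(self, payload, direction, seen_directions=("in", "out")):
        """Feed one packet payload.  `direction` is "in" or "out".  Packets from
        a direction the rule set does not cover never reach the matcher, which
        is what happens with an input-chain rule and no output-chain rule."""
        if self.state != "collecting" or direction not in seen_directions:
            return self.state
        self.packets += 1
        self.buf += payload[: MAX_BYTES - len(self.buf)]
        if self.pattern.search(bytes(self.buf)):
            self.state = "matched"
        elif self.packets >= MAX_PACKETS or len(self.buf) >= MAX_BYTES:
            self.state = "unknown"
        if self.state != "collecting":
            self.buf = bytearray()   # memory is released once decided
        return self.state


def classify(name, flow, seen_directions=("in", "out")):
    """Run the matcher over a flow given as [(direction, payload), ...]."""
    conn = L7Connection(name)
    for direction, payload in flow:
        conn.feed(payload, direction, seen_directions)
    return conn.state


# --- constructed sample flows (not real captures) --------------------------
# RDP-like client hello that names its virtual channels, then a server reply.
RDP_FLOW = [
    ("in", b"\x03\x00\x01\x9e\x02\xf0\x80\x7f MCS connect-initial "
           b"rdpdr\x00\x00\x00cliprdr\x00\x00rdpsnd\x00\x00"),
    ("out", b"\x03\x00\x00\x2d\x02\xf0\x80\x7f\x66 server data"),
]
# Same client data, but only after more than 2 KB of other bytes: the pattern
# completes after the matcher has already stopped looking.
RDP_LATE_FLOW = [("in", b"x" * 2100)] + RDP_FLOW

# Raw TCP client (netcat-style) typing a login name at the router's telnet
# service.  The IAC DO TERMINAL-TYPE / TSPEED / NEW-ENVIRON negotiation that
# the telnet regexp anchors on comes from the router, i.e. the output chain.
TELNET_FLOW = [
    ("out", b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"),
    ("in", b"admin\r\n"),
]

if __name__ == "__main__":
    print("rdp:", classify("rdp", RDP_FLOW))
    print("rdp, pattern beyond 2 KB:", classify("rdp", RDP_LATE_FLOW))
    print("telnet, both chains:", classify("telnet", TELNET_FLOW))
    print("telnet, input chain only:",
          classify("telnet", TELNET_FLOW, seen_directions=("in",)))
```

Run with both directions, the telnet flow matches on the router's first reply; with only the input direction, the buffer holds just the client's bytes and the connection is never classified as telnet. The late RDP flow shows the other failure mode: once 2 KB have been collected the matcher gives up and frees its buffer, so a pattern that appears later in the stream is never seen.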