Manual:IP/Firewall/L7: Difference between revisions

From MikroTik Wiki
{{Versions|v3, v4}}


<div class=manual>
<h2>Summary</h2>
<p>
'''layer7-protocol''' is a method of searching for patterns in ICMP/TCP/UDP streams.
</p>
<p>
The L7 matcher collects the first <b>10 packets</b> or the first <b>2KB</b> of a connection and searches the collected data for the pattern. If the pattern is not found in the collected data, the matcher stops inspecting the connection: the allocated memory is freed and the protocol is considered <b>unknown</b>. Take into account that a large number of connections will significantly increase memory usage. To avoid this, add regular firewall matchers before the layer-7 rule to reduce the amount of data passed to layer-7 filters.
</p>
<p>
An additional requirement is that the layer7 matcher must see both directions of traffic (incoming and outgoing). To satisfy this requirement, l7 rules should be set in the <b>forward</b> chain. If a rule is set in the <b>input/prerouting</b> chain, then the same rule <b>must</b> also be set in the <b>output/postrouting</b> chain; otherwise the collected data may be incomplete, resulting in an incorrectly matched pattern.
</p>
<p>
L7 patterns found on the [http://l7-filter.sourceforge.net/protocols l7-filter project page] and on the [http://protocolinfo.org/wiki/Main_Page protocol wiki] are compatible with RouterOS. <br />
You can also download a script with a list of common protocols [http://www.mikrotik.com/download/l7-protos.rsc here] (RouterOS v3 only); just run the Import command with this file.
</p>
<h2>Properties</h2>
<p><b>Sub-menu:</b> <code>/ip firewall layer7-protocol</code></p>
<table class="styled_table">
<tr>
  <th width="40%">Property</th>
  <th >Description</th>
</tr>
<tr>
    <td><var><b>name</b></var> (<em>string</em>; Default: <b></b>)</td>
    <td>Descriptive name of the l7 pattern, used to reference it from firewall rules. See example [[L7#Example | >>]].</td>
</tr>
<tr>
    <td><var><b>regexp</b></var> (<em>string</em>; Default: <b></b>)</td>
    <td>POSIX-compliant regular expression used to match the pattern.</td>
</tr>
</table>
<h2>Example</h2>
<p>
First, add Regexp strings to the protocols menu, to define the strings you will be looking for.

  /ip firewall layer7-protocol add

Then, use the defined protocols in the firewall:

  /ip firewall filter add layer7-protocol

</p>
RouterOS will look for these strings in every connection that passes the firewall rule in which you use this matcher. As this is resource intensive, make sure to filter out all known-good traffic with regular matchers before it reaches this rule.


You can download a script with a list of common protocols [http://www.mikrotik.com/download/l7-protos.rsc here] (RouterOS v3 only); just run the Import command with this file. All pattern libraries can be found on the [http://l7-filter.sourceforge.net/protocols layer7 project page] and on the [http://protocolinfo.org/wiki/Main_Page protocol wiki].
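As an added illustration (not part of the original page or of RouterOS itself), the following Python models the collection rule described above (first 10 packets or first 2KB, both directions concatenated, unmatched connection reported as unknown) and builds the full RouterOS commands that the truncated example implies. The pattern names, regexps and sample payloads are constructed for this example; the <code>chain=forward</code> and <code>action=drop</code> parameters are standard RouterOS firewall parameters assumed here, not taken from this page.

```python
import re

# Limits taken from the page: the matcher looks at the first 10 packets or the
# first 2 KB of a connection. Treating it as "whichever is reached first" is an
# assumption of this example.
MAX_PACKETS = 10
MAX_BYTES = 2048

# Constructed pattern table (name -> regexp) for illustration only. The regexps
# avoid backslashes and quotes so they paste unchanged into a RouterOS script.
# The http pattern deliberately needs the server reply as well as the request,
# so it only matches when the matcher sees both directions of the connection.
PATTERNS = {
    "http": r"^(get|post|head|put|delete) [^ ]* http/1[.][01].*http/1[.][01] [0-9]{3}",
    "rdp": r"rdpdr.*cliprdr.*rdpsnd",
}


def collect(packets):
    """Return the data window the matcher searches: the payloads of the first
    MAX_PACKETS packets (both directions, in arrival order), cut at MAX_BYTES."""
    return b"".join(packets[:MAX_PACKETS])[:MAX_BYTES]


def classify(packets, patterns=PATTERNS):
    """Return the name of the first pattern found in the collected data, or
    "unknown" when nothing matches (the router then frees the buffer and stops
    inspecting that connection)."""
    data = collect(packets).decode("latin-1")  # one char per byte, never fails
    for name, regexp in patterns.items():
        # Case-insensitive, '.' spans newlines, '^' anchors only at the start:
        # this mirrors how l7-filter compiles its patterns (assumption).
        if re.search(regexp, data, re.IGNORECASE | re.DOTALL):
            return name
    return "unknown"


def ros_layer7_rules(patterns):
    """Lines for the /ip firewall layer7-protocol menu, one 'add' per pattern."""
    lines = ["/ip firewall layer7-protocol"]
    for name, regexp in patterns.items():
        lines.append(f'add name={name} regexp="{regexp}"')
    return lines


def ros_filter_rule(name, action="drop"):
    """Filter rule in the forward chain, where both directions are visible."""
    return f"/ip firewall filter add chain=forward layer7-protocol={name} action={action}"
```

Run `classify([request, reply])` against `classify([request])` with the constructed HTTP payloads to see the one-direction case come back as unknown, which is the failure mode the chain requirement above guards against.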


[[Category:Firewall]]
[[Category:Manual]]

Revision as of 15:14, 8 December 2009

Applies to RouterOS: v3, v4
