AlohaSpark
newbie
Topic Author
Posts: 48
Joined: Wed Jun 16, 2021 10:39 pm

How does IP -> Raw -> Content work?

Thu Feb 01, 2024 3:56 am

I created a few raw firewall rules with Content set to a domain name (Firewall -> Raw -> Advanced -> Content). For example:
/ip firewall raw add action=add-dst-to-address-list address-list=REDIR_FB address-list-timeout=none-static chain=prerouting content=.facebook.com src-address-list=LAN

Initially I thought that it was using DNS to figure out what IP the content has. However, I just realized that I did not configure any DNS resolvers on this router.

Screenshot 2024-02-01 095505.png

How does Firewall -> Raw -> Advanced -> Content work?
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: How does IP -> Raw -> Content work?

Thu Feb 01, 2024 8:11 am

(the old) firewall manual says:
content (string; Default: ) Match packets that contain specified text

So it really only matches packets which contain the set string in full. Not even the connection, but only the packet. So basically this may match one of the initial packets where the client includes the server name in SNI ... that one was not encrypted up to TLSv1.2; in TLSv1.3 it's encrypted, so this rule won't be able to block such connection attempts any more. Another possibility for not matching is if this string somehow gets split into two packets (e.g. because of low MTU).

So in essence, this matching property may or may not work as desired.
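An added illustration of the per-packet behaviour described above (example code written for this thread, not RouterOS code or anything from the original posts): it assumes the raw content matcher is a plain substring test on a single packet, builds a constructed TLS 1.2 ClientHello whose SNI is www.facebook.com, and shows that ".facebook.com" matches the whole ClientHello but matches nothing once the handshake is split across two segments by a small MSS, even though the reassembled stream would still contain it.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with a single SNI extension.
    A real ClientHello carries many more fields; this is enough for the demo."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)          # client_version + client_random (zeroed for the demo)
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # null compression only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header

def content_matches(packet: bytes, content: str) -> bool:
    """Assumed model of the RouterOS raw 'content=' matcher: a substring test
    against the bytes of ONE packet, with no reassembly across packets."""
    return content.encode() in packet

def segment(stream: bytes, mss: int) -> list:
    """Cut a TCP byte stream into segment payloads of at most `mss` bytes
    (emulates a low-MTU path that splits the ClientHello across packets)."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]

def any_packet_matches(packets, content: str) -> bool:
    return any(content_matches(p, content) for p in packets)

def demo(content: str = ".facebook.com", mss: int = 70) -> dict:
    hello = build_client_hello("www.facebook.com")
    segs = segment(hello, mss)   # with mss=70 the cut lands inside the host name
    return {
        "whole_packet": content_matches(hello, content),          # True: SNI is cleartext
        "per_segment": any_packet_matches(segs, content),         # False: name straddles the cut
        "reassembled": content_matches(b"".join(segs), content),  # True, but raw does not reassemble
        "encrypted_data": content_matches(b"\x17\x03\x03\x00\x10" + bytes(16), content),  # False
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```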
