tes73com
just joined
Topic Author
Posts: 3
Joined: Sun Feb 10, 2019 6:41 pm
Location: Brunssum

Layer 7 Blacklist

Mon Nov 09, 2020 6:19 pm

Hello,

I want to use the layer 7 protocol to block adult sites. DNS forwarding gives me too many false positives.

Can someone help me?

Greetings Ronald
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Layer 7 Blacklist

Mon Nov 09, 2020 7:38 pm

Hello,

I want to use the layer 7 Protocol to block adolt sites. DNS fowarding give me to mutch false postivies.

Can Some help me?

Greetings Ronald
Definition of a dolt
noun
a dull, stupid person; blockhead.

Synonyms
airhead, birdbrain, blockhead, bonehead, bubblehead, chowderhead, chucklehead, clodpoll (or clodpole), clot [British], cluck, clunk, cretin, cuddy (or cuddie) [British dialect], deadhead, dim bulb [slang], dimwit, dip, dodo, donkey, doofus [slang], dope, dork [slang], dullard, dum-dum, dumbbell, dumbhead, dummkopf, dummy, dunce, dunderhead, fathead, gander, golem, goof, goon, half-wit, hammerhead, hardhead, idiot, ignoramus, imbecile, jackass, know-nothing, knucklehead, lamebrain, loggerhead [chiefly dialect], loon, lump, lunkhead, meathead, mome [archaic], moron, mug [chiefly British], mutt, natural, nimrod [slang], nincompoop, ninny, ninnyhammer, nit [chiefly British], nitwit, noddy, noodle, numskull (or numbskull), oaf, pinhead, prat [British], ratbag [chiefly Australian], saphead, schlub (also shlub) [slang], schnook [slang], simpleton, stock, stupe, stupid, thickhead, turkey, woodenhead, yahoo, yo-yo.


Basically you want to use the MT to block all references to the Ex-President........ That is going to be hard to do as the infestation is everywhere. ":=_


Seriously, I am not so sure that this is possible in layer 7, and suggest your best bet is using a service like OpenDNS.........
https://www.opendns.com/home-internet-security/
https://cleanbrowsing.org/ip-address
 
msatter
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Layer 7 Blacklist

Mon Nov 09, 2020 8:53 pm

Not nice to say that about Bidon. Go and wash your mouth.
 
anav
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Layer 7 Blacklist

Mon Nov 09, 2020 9:34 pm

Not nice to say that about Bidon. Go and was your mouth.
Are you drunk?? Not judging, but hopefully not configuring any MT devices jajajajaja
 
Moba
Member Candidate
Posts: 213
Joined: Sun Sep 27, 2020 6:15 pm

Re: Layer 7 Blacklist

Tue Nov 10, 2020 1:27 am

The short answer is yes, it is possible. The problem is making a regex that covers half the internet...

^..+\.(pornhub|porn).*$

You mark the tcp connections with L7 in mangle for the network or certain addresses and then reject or drop them in the firewall filter.

Edit: Regex fixed
Last edited by Moba on Tue Nov 10, 2020 6:10 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Layer 7 Blacklist

Tue Nov 10, 2020 2:42 am

The short answer is yes, it is possible. The problem is making a regex that covers half the internet...
It's like saying that achieving world peace is possible, the problem is just finding how to make all people like each other.
 
msatter
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Layer 7 Blacklist

Tue Nov 10, 2020 2:56 pm

Not nice to say that about Bidon. Go and was your mouth.
Are you drunk?? Not judging, but hopefully not configuring any MT devices jajajajaja
I don't drink alcohol; I only smell it when I disinfect my hands, and that is not enough to get drunk. It is also not the right type of alcohol to use internally. I assume the shops, banks and other buildings with windows could be boarding up real soon again.
 
msatter
Forum Guru
Posts: 2941
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Layer 7 Blacklist

Tue Nov 10, 2020 2:59 pm

The short answer is yes, it is possible. The problem is making a regex that covers half the internet...
It's like saying that achieving world peace is possible, the problem is just finding how to make all people like each other.
Till .*$

;-)
 
Larsa
Forum Guru
Posts: 1611
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Layer 7 Blacklist

Tue Nov 10, 2020 3:29 pm

IMHO, maintaining a layer-7 blacklist is tricky and not worth the effort. I think the easiest and fastest way is to use DNS, for example OpenDNS, CleanBrowsing and similar DNS services.
 
mozerd
Forum Veteran
Posts: 926
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Layer 7 Blacklist

Tue Nov 10, 2020 3:38 pm

The great majority of adult [porn] sites are now using SSL -- so currently -- MikroTik's L7 cannot decrypt the packet stream and ID the site -- so a useless exercise. 92% of Internet websites use SSL .... perhaps in the future MikroTik will introduce the ability to use L7 effectively and that requires an ASIC otherwise the performance hit would be a killer.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Layer 7 Blacklist

Tue Nov 10, 2020 4:11 pm

There is no need to use the word "currently" in that statement.
Decrypting SSL will never be possible, and should some ASIC appear that can do it, the SSL protocol (or the encryption protocols it uses) will be upgraded to defeat that.
 
Moba
Member Candidate
Posts: 213
Joined: Sun Sep 27, 2020 6:15 pm

Re: Layer 7 Blacklist

Tue Nov 10, 2020 6:37 pm

My own testing proved that it is possible to limit or block streaming sites with L7 over 443 when the connection is initiated (I have no merit - I used the work that others shared). There are issues if you use Google's DNS (when unencrypted DNS is used to block) and everything is bypassed using Tor easily.

It is one thing to block YouTube or Netflix, or even Pornhub, but quite unrealistic to block half the internet with a feature that is very resource intensive. In theory, I could cut down a tree with a screwdriver - it doesn't make it the right tool for the job...and I certainly wouldn't waste my time trying. I still find the idea of the OP trying to find a working regex quite funny: "Honey, I'm not watching porn all night, I'm working on a layer 7 string to block it!"...

My weird humor aside, as others have pointed out, better solutions are available for this task.
 
aesmith
Member
Posts: 315
Joined: Wed Mar 27, 2019 6:43 pm

Re: Layer 7 Blacklist

Wed Nov 11, 2020 6:50 pm

There is no need to use the word "currently" in that statement.
Decrypting SSL will never be possible, and should some ASIC appear that can do it, the SSL protocol (or the encryption protocols it uses) will be upgraded to defeat that.
Some systems carry out a form of interference with SSL for this purpose. It doesn't decrypt, it inserts itself into the SSL establishment so there's effectively an encrypted leg from client to firewall, then another from firewall to web site. Here's an example https://www.cisco.com/c/en/us/td/docs/s ... ption.html
 
Larsa
Forum Guru
Posts: 1611
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Layer 7 Blacklist

Wed Nov 11, 2020 7:02 pm

This looks like a typical man-in-the-middle decryption. How will this cope with the upstream SSL/TLS "fake-cert"?
Last edited by Larsa on Wed Nov 11, 2020 7:03 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Layer 7 Blacklist

Wed Nov 11, 2020 7:03 pm

When it does not decrypt (like e.g. a proxy server with CONNECT command), the intervening device cannot do inspection of the traffic.
In case of a proxy it has the option of seeing the domain name being connected, but not the remainder of the URL.
The MikroTik router can already do that. But such a proxy can never be "transparent", it has to be configured on each computer on the internal network.
That often makes it useless.

The method described in the link you provide requires even more interference in each computer: you need to install a certificate that is generated by the router and trusted by the device. Someone in their right mind would never do that without being forced. Of course, IT departments can do that on the computers they install in a company (and are owned by the company), but not much else.

And the days of this method are numbered. Methods to detect this man-in-the-middle and refuse the connection are being implemented.
 
aesmith
Member
Posts: 315
Joined: Wed Mar 27, 2019 6:43 pm

Re: Layer 7 Blacklist

Thu Nov 12, 2020 5:25 pm

And the days of this method are numbered. Methods to detect this man-in-the-middle and refuse the connection are being implemented.
It's a pain; we had to do it for one customer, but I remember we had to whitelist quite a few sites that weren't happy with that sort of interference.
 
Moba
Member Candidate
Posts: 213
Joined: Sun Sep 27, 2020 6:15 pm

Re: Layer 7 Blacklist

Sat Nov 14, 2020 8:54 pm

Ronald, if you don't want to use OpenDNS, you can look into using Pi-Hole to block porn and ads (a local DNS server). L7 isn't the right tool for the job.
