Community discussions

MikroTik App
 
User avatar
jorj
Member
Member
Topic Author
Posts: 397
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Layer7 in firewall - 3.0rc5

Tue Sep 18, 2007 10:12 pm

This is what the changelog says about 3.0rc5, on the first line.
What's new in 3.0rc5:

*) added layer7 protocol matching capability in firewall;

Well, the capability exists. We are glad to hear about it.
How do we use it ? Winbox does not seem to have a config. for l7, nor the CLI, or I could not find it.
If I am wrong, I am sorry, my mistake. Please show me the way...... :shock:
 
uldis
MikroTik Support
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: Layer7 in firewall - 3.0rc5

Tue Sep 18, 2007 10:21 pm

Yes, there is no Winbox support for this feature. This will be only in the next release.
In the console you should go under 'ip firewall layer7-protocol'
We will put some more info how to use this soon.
 
User avatar
jorj
Member
Member
Topic Author
Posts: 397
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: Layer7 in firewall - 3.0rc5

Tue Sep 18, 2007 10:47 pm

Thank you. Just found it.
I must suppose regexp should be regular expression, right ?
And I should/could make my own l7 classifiers, right ?

Right now, I don't see how can i use the classifiers further. Will there be a field for the filter/mangle to mark a specific protocol I choose ?

I think I will wait further info soon, as you promise.
Thank you, at least I will shurely use this.
:D
 
Znuff
Member Candidate
Member Candidate
Posts: 141
Joined: Tue Sep 26, 2006 2:42 am
Contact:

Re: Layer7 in firewall - 3.0rc5

Wed Sep 19, 2007 5:39 am

Waaaaaaaaaaait, but how was the p2p filtering done previous to layer7? in 2.9.x?
 
akukula
newbie
Posts: 33
Joined: Wed May 16, 2007 3:57 pm

Re: Layer7 in firewall - 3.0rc5

Wed Sep 19, 2007 1:48 pm

Thank you. Just found it.
I must suppose regexp should be regular expression, right ?
I really hope it's not Regular Expression but PCRE (Perl-Compatible Regular Expression) which is more powerful and simpler (and more efficient but I have no numbers to prove that).

Regards,
Andrzej
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1768
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Layer7 in firewall - 3.0rc5

Wed Sep 19, 2007 2:21 pm

Waaaaaaaaaaait, but how was the p2p filtering done previous to layer7? in 2.9.x?
The feature is that we now will be able create custom Layer7 rules, not that it is completely new feature in RouterOS.
 
User avatar
jorj
Member
Member
Topic Author
Posts: 397
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: Layer7 in firewall - 3.0rc5

Wed Sep 19, 2007 3:40 pm

Waaaaaaaaaaait, but how was the p2p filtering done previous to layer7? in 2.9.x?
The feature is that we now will be able create custom Layer7 rules, not that it is completely new feature in RouterOS.
I surrely hope so.
Though I am curious if it is feasible to implement in current routerboards, for max 8 or 10 mbit traffic, and wich will be the cpu usage.
Mt folks, waiting to hear from you, and waiting to give you feedback once we test it.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7169
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Layer7 in firewall - 3.0rc5

Wed Sep 19, 2007 3:47 pm

I really hope it's not Regular Expression but PCRE (Perl-Compatible Regular Expression)
as far as I can tell it is Perl Compatible Regular Expression
 
akukula
newbie
Posts: 33
Joined: Wed May 16, 2007 3:57 pm

Re: Layer7 in firewall - 3.0rc5

Wed Sep 19, 2007 6:55 pm

as far as I can tell it is Perl Compatible Regular Expression
Then they rule ;-)
 
blabla
just joined
Posts: 23
Joined: Tue Dec 13, 2005 5:42 pm

Re: Layer7 in firewall - 3.0rc5

Wed Sep 19, 2007 8:34 pm

LOL, reading this topic (and reading changelog) is so funny...

Ohh..,. we got layer7, GREAT, but wait, wait, what is that - how do we use that??? Where can we find a info about that? Any one can help us? Any one researched how do we use this?

LOOOOOOOOOL
 
changeip
Forum Guru
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: Layer7 in firewall - 3.0rc5

Wed Sep 19, 2007 10:33 pm

just be glad they added it in RC. its still release candidate and therefore no docs or guarantees. documentation will come soon.
 
iceboxrj
just joined
Posts: 1
Joined: Sun Jun 03, 2007 9:17 am

Re: Layer7 in firewall - 3.0rc5

Thu Sep 20, 2007 12:53 am

will the new Layer 7
take care off our problem
with the ares/warez protocol ?
 
User avatar
mac86
Member Candidate
Member Candidate
Posts: 126
Joined: Sat Nov 25, 2006 12:52 am
Location: bahia blanca - argentina
Contact:

Re: Layer7 in firewall - 3.0rc5

Thu Sep 20, 2007 2:24 am

Congratulations !!!

this is a very good news on Router OS !!!

Regards
Andres.
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1768
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Layer7 in firewall - 3.0rc5

Thu Sep 20, 2007 8:46 am

I surrely hope so.
Though I am curious if it is feasible to implement in current routerboards, for max 8 or 10 mbit traffic, and wich will be the cpu usage.
Mt folks, waiting to hear from you, and waiting to give you feedback once we test it.

Maybe thats one of the reasons why this feature is introduced just before release of RB600 and RB1000 ;)
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7169
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Layer7 in firewall - 3.0rc5

Thu Sep 20, 2007 11:31 am

LOL, reading this topic (and reading changelog) is so funny...

Ohh..,. we got layer7, GREAT, but wait, wait, what is that - how do we use that??? Where can we find a info about that? Any one can help us? Any one researched how do we use this?

LOOOOOOOOOL
It is not very hard:
define layer7 protocol, for example:

/ip firewall layer7-protocol
add comment="" name="ftp" regexp="^220[\\x09-\\x0d -~]*ftp"

after that you can create firewall rule with your newly defined layer7 protocol.
 
changeip
Forum Guru
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: Layer7 in firewall - 3.0rc5

Thu Sep 20, 2007 7:25 pm

I don't know if this is the package used, but this documentation may be close enough to get you started:

http://l7-filter.sourceforge.net/protocols
 
User avatar
jorj
Member
Member
Topic Author
Posts: 397
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: Layer7 in firewall - 3.0rc5

Fri Sep 21, 2007 6:24 pm

I don't know if this is the package used, but this documentation may be close enough to get you started:

http://l7-filter.sourceforge.net/protocols

Seen that, done that. I'm still waiting some clues - or some docs....... :) ( I am using l7filter on at least one linux machine, and it works just fine, actually on Coyote and Brazil FW.)
It is not very hard:
define layer7 protocol, for example:

/ip firewall layer7-protocol
add comment="" name="ftp" regexp="^220[\\x09-\\x0d -~]*ftp"

after that you can create firewall rule with your newly defined layer7 protocol.
Well, easier said than done. Did you tried it ? Cause I first tried and only after I asked. I does not appear as I can use it anywhere in the filter. Autocompletion in CLI or winbox interface does not show any of the defined protocols/classifiers. If you have 1 (one at least) working example, show it here. If it's hidden..... my mistake. And give another name please to the protocol..... let's say for yahoo messenger. Or else.

rgds.
 
User avatar
jorj
Member
Member
Topic Author
Posts: 397
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: Layer7 in firewall - 3.0rc5

Mon Sep 24, 2007 9:18 pm

Yes, there is no Winbox support for this feature. This will be only in the next release.
In the console you should go under 'ip firewall layer7-protocol'
We will put some more info how to use this soon.
One week has passed.........
 
akukula
newbie
Posts: 33
Joined: Wed May 16, 2007 3:57 pm

Re: Layer7 in firewall - 3.0rc5

Mon Sep 24, 2007 11:00 pm

Yes, there is no Winbox support for this feature. This will be only in the next release.
In the console you should go under 'ip firewall layer7-protocol'
We will put some more info how to use this soon.
One week has passed.........
Just don't be a troll.
 
User avatar
jorj
Member
Member
Topic Author
Posts: 397
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: Layer7 in firewall - 3.0rc5

Tue Sep 25, 2007 9:19 am

Yes, there is no Winbox support for this feature. This will be only in the next release.
In the console you should go under 'ip firewall layer7-protocol'
We will put some more info how to use this soon.
One week has passed.........
Just don't be a troll.
Relax man.
Guess it has to be done properly. I don't want to push things.....
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7169
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Layer7 in firewall - 3.0rc5

Tue Sep 25, 2007 9:51 am

Well actually this feature is not fully available in RC5. You can write layer7 regexps but you won't be able to use them in firewall filters.
 
User avatar
jorj
Member
Member
Topic Author
Posts: 397
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: Layer7 in firewall - 3.0rc5

Wed Oct 03, 2007 2:36 pm

Finally L7 seems to work.
Still testing, had to do a netinstall for 3.0rc6, 'cause it did not upgrade in any other way. :(

Now i am testing to see if it correctly intercepts the traffic.

Still waiting from someone from MT to confirm that the protocol identifiers are the same sintax as in the l7filter ? Or, if else, how exactly is that.

Is this a possible answer: http://l7-filter.sourceforge.net/protocols
If i find that out sooner, i guess i'll just post here.
 
User avatar
jorj
Member
Member
Topic Author
Posts: 397
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: Layer7 in firewall - 3.0rc5

Wed Oct 03, 2007 3:05 pm

it is not as in l7filter.
it seems to be some kind of clear text.
Could you expand please the sintax you wish us to use in l7 regexp ?
for example:
each yahoo mess packet, contains ym. I put ym in the regexp and it is ok.
If not available yet as a manual, then if you could provide few examples, than maybe, just maybe we could understand how it's meant by you to be used by us.

Thank you.
 
akukula
newbie
Posts: 33
Joined: Wed May 16, 2007 3:57 pm

Re: Layer7 in firewall - 3.0rc5

Wed Oct 03, 2007 3:31 pm

each yahoo mess packet, contains ym. I put ym in the regexp and it is ok.
Such a "regexp" would match also your and my post, and a mail containing e.g. the word "gymnastics". They too contain "ym". So be careful with the rules.

Regards,
Andrzej
 
uldis
MikroTik Support
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: Layer7 in firewall - 3.0rc5

Wed Oct 03, 2007 3:47 pm

here is the script that will add you a pack of entries:
http://www.mikrotik.com/download/l7-protos.rsc
Note this is only for RouterOS v3.0rc6, for RC7 we will have a better script that could look in the console better.
 
User avatar
jorj
Member
Member
Topic Author
Posts: 397
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: Layer7 in firewall - 3.0rc5

Wed Oct 03, 2007 3:51 pm

each yahoo mess packet, contains ym. I put ym in the regexp and it is ok.
Such a "regexp" would match also your and my post, and a mail containing e.g. the word "gymnastics". They too contain "ym". So be careful with the rules.

Regards,
Andrzej
:) Yes it could !
here is the script that will add you a pack of entries:
http://www.mikrotik.com/download/l7-protos.rsc
Note this is only for RouterOS v3.0rc6, for RC7 we will have a better script that could look in the console better.
Thank you very much. Now I have to go to study ! :)
Putting it in, and ...... launch apps !

tks. again.
 
JMDorfling
just joined
Posts: 10
Joined: Wed Oct 21, 2009 10:06 am

Re: Layer7 in firewall - 3.0rc5

Wed Oct 21, 2009 11:26 am

Did anybody uses layer 7 for xbox live? does it work or not?

Who is online

Users browsing this forum: germarsh, HermanS, sindy and 43 guests