inibir
Member Candidate
Topic Author
Posts: 116
Joined: Thu Nov 25, 2010 2:25 pm
Location: lebanon

filter for files > 512K

Sun May 08, 2011 7:38 pm

How can I filter files bigger than 512K from being stored in the cache?

I did
/ip firewall nat add action=redirect to-port=8080 connection-bytes=512000-1000000000 chain=dstnat protocol=tcp dst-port=80
but it does not work.

Any idea???
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: filter for files > 512K

Sun May 08, 2011 8:02 pm

That is logically impossible. NAT only happens on the first packet of a connection and is then repeated for all subsequent packets. It is impossible to know at that point how many bytes will flow through that connection. You cannot make a NAT decision later on; that simply isn't how TCP/IP works.
 
inibir
Member Candidate
Topic Author
Posts: 116
Joined: Thu Nov 25, 2010 2:25 pm
Location: lebanon

Re: filter for files > 512K

Sun May 08, 2011 9:10 pm

Is there another way to know how many bytes the download takes?

I know that the header contains the size of the file; can I get that information and compare whether it is bigger than 512K?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: filter for files > 512K

Sun May 08, 2011 10:17 pm

Any HTTP header is after the TCP handshake; the initial SYN of the handshake is the first packet of the connection. Any NAT decision must be made with that packet, and it contains no reference to how many bytes the connection will transfer. Only an application layer gateway (a proxy) could determine this, and you'd have to push all HTTP connections through that proxy. And the built-in proxy has no functionality for this, so it would have to be a proxy outside the router.
 
inibir
Member Candidate
Topic Author
Posts: 116
Joined: Thu Nov 25, 2010 2:25 pm
Location: lebanon

Re: filter for files > 512K

Sun Aug 21, 2011 7:20 am

/ip firewall layer7-protocol add name="size" regexp="Content-Length: [0-9]{6}"
This code is for files >= 1MB.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: filter for files > 512K

Sun Aug 21, 2011 7:50 am

You still can't NAT anymore once the HTTP connection has gotten to a point where that string would show up. You either NAT an HTTP connection on the first packet (TCP/SYN), or not at all. That's just how it works.
 
syadnom
Forum Veteran
Posts: 802
Joined: Thu Jan 27, 2011 7:29 am

Re: filter for files > 512K

Thu Sep 22, 2011 7:13 am

fewi, I don't think he really cares about NAT, just wants to block the large files.

The L7 filter should generally work, assuming the remote server sends the Content-Length tag. Some files (the ones that download without showing file size) will get through this filter.
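The two points made above (that the Layer7 pattern posted earlier only sees the Content-Length header once the HTTP exchange is well past the SYN, and that it only catches responses which actually carry that header) can be checked offline. The following Python script is an added example, not code from the thread or from MikroTik: it runs the posted regex against constructed HTTP response heads, shows that `[0-9]{6}` also matches a 100000-byte file, tries an alternative pattern that I built for a real 512 KiB threshold (an assumption; its `\r\n` escaping would have to be verified against the RouterOS regex dialect before use), and walks a constructed packet sequence to find the first packet in which any HTTP header, and then Content-Length, becomes visible.

```python
import re

# Layer7 pattern exactly as posted earlier in this thread.
POSTED_PATTERN = r"Content-Length: [0-9]{6}"

# Constructed alternative (an assumption, not from the thread): matches only when the
# declared length is >= 524288 bytes (512 KiB): any 7+ digit value, or a 6-digit value
# >= 524288. The trailing CRLF stops a longer number from matching a shorter branch.
THRESHOLD = 512 * 1024
SIZE_PATTERN = (r"Content-Length: (?:[6-9][0-9]{5}|5[3-9][0-9]{4}|52[5-9][0-9]{3}"
                r"|524[3-9][0-9]{2}|5242[9][0-9]|52428[89]|[0-9]{7,})\r\n")


def build_response(length=None) -> bytes:
    """Constructed HTTP/1.1 response head; chunked (no Content-Length) when length is None."""
    lines = ["HTTP/1.1 200 OK", "Content-Type: application/octet-stream"]
    if length is None:
        lines.append("Transfer-Encoding: chunked")
    else:
        lines.append(f"Content-Length: {length}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def response_head(raw: bytes) -> str:
    """Status line and headers (each terminated by CRLF), the part an L7 matcher sees."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return (head + b"\r\n").decode("latin-1")


def declared_length(raw: bytes):
    """Content-Length as an int, or None when the server did not send one."""
    for line in response_head(raw).split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            return int(value.strip())
    return None


def classify(raw: bytes, pattern: str) -> dict:
    """What the regex decides versus what the header actually declares."""
    length = declared_length(raw)
    return {
        "regex_matched": re.search(pattern, response_head(raw)) is not None,
        "declared_length": length,
        "really_large": None if length is None else length >= THRESHOLD,
    }


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "small_file": build_response(300),
    "100kB_file": build_response(100_000),      # six digits, but far below 512 KiB
    "exactly_512KiB": build_response(524_288),
    "1MiB_file": build_response(1_048_576),
    "chunked_no_length": build_response(None),  # size never appears in any header
}


def run_all(pattern: str = POSTED_PATTERN) -> dict:
    """Classify every constructed sample under the given pattern."""
    return {name: classify(raw, pattern) for name, raw in SAMPLES.items()}


# Constructed packet sequence for one HTTP/1.1 GET: (direction, TCP flags, payload).
EXCHANGE = [
    ("client->server", "SYN", b""),
    ("server->client", "SYN-ACK", b""),
    ("client->server", "ACK", b""),
    ("client->server", "PSH-ACK", b"GET /big.bin HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("server->client", "PSH-ACK", build_response(1_048_576)),
]


def first_packet_with(exchange, pattern: bytes) -> int:
    """1-based index of the first packet whose payload matches, or 0 if none does."""
    for index, (_, _, payload) in enumerate(exchange, start=1):
        if re.search(pattern, payload):
            return index
    return 0


if __name__ == "__main__":
    for pattern in (POSTED_PATTERN, SIZE_PATTERN):
        print(pattern)
        for name, result in run_all(pattern).items():
            print(f"  {name:18} {result}")
    print("first packet with any HTTP header:",
          first_packet_with(EXCHANGE, rb"^(GET |HTTP/)"))
    print("first packet with Content-Length:",
          first_packet_with(EXCHANGE, rb"Content-Length: [0-9]+"))
```

Running it shows the posted pattern flagging the 100 kB sample as large, both patterns missing the chunked response entirely (the header the matcher depends on is simply absent, as noted above), and the first HTTP header appearing in packet 4 and Content-Length in packet 5, well after the SYN on which any NAT redirect has already been decided.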
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: filter for files > 512K

Thu Sep 22, 2011 7:18 am

Maybe I understood the question wrong. I thought he doesn't want to proxy large file transfers using a transparent proxy. Transparent proxies work via NAT. You can't do L7 filters on HTTP downloads until the HTTP header shows up, which is at the earliest in packet number 4. At that point you can't NAT anymore, and thus can't transparently proxy anymore at all. Or stop transparently proxying, for that matter, because you're locked into whatever you did to the first packet.

If you're right and he wants to just prevent all large downloads completely then yeah, waiting for the content header or just dropping based on connection-bytes you can kill all large downloads.

I'd be irate as a customer, though. Sometimes I want to download large files. Prevent that and you'll stop getting money from me pretty damn quick.
