hi all, how can i deny HTTP download while allowing simpler HTTP 80 (only web browsing)
thank fo help
It not that simple separate those two things, but you can create firewall filter rules with option connection-bytes. For example,
/ip firewall filter add chain=forward protocol=tcp dst-port=80 connection-bytes=2000000-0 action=drop
will drop HTTP connections that exceeds 2MB
They are both the same thing. There is absolutely no difference between downloading .EXE, .JPG,.HTML,.PHP,.CSS or any other kind of file. None at all. Zilch. Zero. Diddly squat.
There are, however, two options available to you:
- Use an external proxy (squid?) and get that to control access to certain file/mime types, or
- limit downloads to a maximum size (as has been suggested elsewhere in this thread).
Both options have downsides (the first means that you could still download a very large file of an unknown or unchecked type and the second means that you could still download any file if it was smaller than the maximum size).
You pays your money, you takes your choice.
OK thanks, i think i will prefer de second solution, it is better for me
Beware with limiting HTTP downloads using connection-bytes as you might end up having problems with huge picture, .swf and .flv etc. files while browsing web pages. Also, as NAB suggested, you can block downloads by filename extensions. This guide shows how it is done in RouterOS: http://wiki.mikrotik.com/wiki/How_to_Block_Websites