ediaz
July 16, 2013, 9:27am
1
Hi,
I want to block DNS requests for the "isc.org" domain, which are being abused for a DDoS attack. I've created a filter rule:
/ip firewall filter
add action=drop chain=forward content="isc\03org" disabled=no dst-port=53 protocol=udp
But it does not work. If I create a similar rule without the \03org, it effectively blocks anything in the form "isc".
What is the syntax for the text matching in filter rules? Does it accept wildcards/regex in any way? DNS queries separate domain segments with ETX (0x03).
In the wiki I can only find:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
content (string; Default: ) Match packets that contain specified text
Regards
ediaz
July 16, 2013, 9:35am
2
A smart guy here at the office did a fuzzy and dirty trick that just works:
echo -e '\003' > tmpfile
He then did a cut & paste from that file into the web browser (Opera).
</gre_replace>
<gr_replace lines="23" cat="reformat" orig="where the">
where the "\03" shows in blue (if I enter it manually from the ssh console or another browser, it shows in regular grey).
The filter rule now shows:
0 chain=forward action=drop protocol=udp dst-port=53 content=\03isc\03org
where the “\03” show in blue (if I enter it manually from ssh console or other browser, it shows in regular grey).
While this solves our problem now, I would rather know how to enter this kind of characters in a filter rule in a cleaner way.
Regards
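To see why the content match in the first post only fires once the 0x03 bytes are entered as raw bytes (and what the "\03isc\03org" pattern from the second post does and does not catch), here is an added example that is not from the thread or from RouterOS. It builds a constructed DNS query in wire format, where each label is preceded by its length byte (0x03 for "isc" and "org") and the name ends in a zero byte, and then runs a plain substring match over the payload the way a firewall "content" rule would. The helper names (encode_qname, build_query, content_matches, parse_qname) are my own.

```python
import struct


def encode_qname(name: str) -> bytes:
    """Encode a dotted name in DNS wire format: length-prefixed labels, zero-byte root."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:  # RFC 1035 label length limit
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: minimal standard query (RD set) for <name>, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, qd/an/ns/ar counts
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def content_matches(payload: bytes, pattern: bytes) -> bool:
    """Mimic a firewall 'content' rule: raw byte substring search over the UDP payload."""
    return pattern in payload


def parse_qname(payload: bytes, offset: int = 12) -> str:
    """Walk the labels of the first question (after the 12-byte header) back to dotted form."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a question name
            raise ValueError("compressed label in question section")
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


if __name__ == "__main__":
    for qname in ("isc.org", "misc.org", "isc.org.example"):
        pkt = build_query(qname)
        print(qname, encode_qname(qname),
              "isc.org:", content_matches(pkt, b"isc.org"),
              "isc\\03org:", content_matches(pkt, b"isc\x03org"),
              "\\03isc\\03org\\00:", content_matches(pkt, b"\x03isc\x03org\x00"))
```

Running it shows that "isc.org" as plain text never matches a query, "isc\03org" also matches "misc.org", and only the full "\03isc\03org\00" pattern is limited to the exact name without hitting "misc.org" or "isc.org.example".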
Rudios
July 16, 2013, 11:02am
3
You should assign the rule to your input chain, not on the forward chain
try ‘export’ instead of ‘print’ command
UPD:
/ip firewall mangle set 8 content="isc\03org"
works fine for me, "\03" is in blue when doing 'print'