I don’t drink alcohol, I only smell it when I disinfect my hands, and that is not enough to get drunk; it is also not the right type of alcohol to use internally. I assume the shops, banks and other buildings with windows could be boarding up real soon again.
IMHO, maintaining a layer-7 filter is tricky and not worth the effort. I think the easiest and fastest way is to use DNS, for example OpenDNS, CleanBrowsing and similar DNS services.
The great majority of adult [porn] sites are now using SSL – so currently – MikroTik’s L7 cannot decrypt the packet stream and ID the site – so a useless exercise. 92% of Internet websites use SSL … perhaps in the future MikroTik will introduce the ability to use L7 effectively, and that requires an ASIC, otherwise the performance hit would be a killer.
There is no need to use the word “currently” in that statement.
Decrypting SSL will never be possible, and should some ASIC appear that can do it, the SSL protocol (or the encryption protocols it uses) will be upgraded to defeat that.
My own testing proved that it is possible to limit or block streaming sites with L7 over 443 when the connection is initiated (I have no merit - I used the work that others shared). There are issues if you use Google’s DNS (when unencrypted DNS is used to block) and everything is bypassed using Tor easily.
It is one thing to block YouTube or Netflix, or even Pornhub, but quite unrealistic to block half the internet with a feature that is very resource intensive. In theory, I could cut down a tree with a screwdriver - it doesn’t make it the right tool for the job…and I certainly wouldn’t waste my time trying. I still find the idea of the OP trying to find a working regex quite funny: “Honey, I’m not watching porn all night, I’m working on a layer 7 string to block it!”…
My weird humor aside, as others have pointed out, better solutions are available for this task.
When it does not decrypt (like e.g. a proxy server with the CONNECT command), the intervening device cannot do inspection of the traffic.
In the case of a proxy, it has the option of seeing the domain name being connected to, but not the remainder of the URL.
The MikroTik router can already do that. But such a proxy can never be “transparent”, it has to be configured on each computer on the internal network.
That often makes it useless.
The method described in the link you provide requires even more interference in each computer: you need to install a certificate that is generated by the router and trusted by the device. Someone in their right mind would never do that without being forced. Of course, IT departments can do that on the computers they install in a company (and are owned by the company), but not much else.
And the days of this method are numbered. Methods to detect this man-in-the-middle and refuse the connection are being implemented.
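An added example, not code from the thread or from MikroTik: two posts above make the same point from different angles, that an L7 rule on port 443 can only act when the connection is initiated, and that a non-decrypting proxy sees the domain name but not the rest of the URL. The reason is the Server Name Indication (SNI) extension, which a TLS client sends in cleartext in its ClientHello before any encryption starts. The script below builds a constructed ClientHello, pulls the SNI back out of it the way a middlebox would, and matches it against a constructed blocklist; the hostnames, the blocklist and the function names are all assumptions for illustration.

```python
"""Added example (not from the forum thread or MikroTik): extract the SNI
hostname from a TLS ClientHello record and match it against a domain
blocklist, which is all a middlebox that does not decrypt TLS can see."""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2-style ClientHello record that
    carries a server_name extension. Only the fields the parser reads are
    realistic (one cipher suite, zero-filled random, no other extensions)."""
    sni_name = hostname.encode("ascii")
    # ServerName entry: name_type 0 (host_name), 2-byte length, the name
    server_name_list = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                 # client_version (TLS 1.2)
        + b"\x00" * 32              # random (zeroed for the sample)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # cipher_suites: one suite
        + b"\x01\x00"               # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None when the bytes
    are not a ClientHello or carry no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:
        return None  # not a TLS handshake record (e.g. plain HTTP)
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None  # handshake message is not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32  # skip client_version and random
    if pos >= len(body):
        return None
    sid_len = body[pos]
    pos += 1 + sid_len
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    if pos + 1 > len(body):
        return None
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos + 2 > len(body):
        return None  # ClientHello without any extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5:
            # ServerNameList: 2-byte list length, then (type, length, name)
            name_type = edata[2]
            name_len = struct.unpack("!H", edata[3:5])[0]
            if name_type == 0 and len(edata) >= 5 + name_len:
                return edata[5:5 + name_len].decode("ascii", "replace")
    return None


# Constructed blocklist using reserved test TLDs; hostnames are assumptions.
BLOCKED_SUFFIXES = ("adult.example", "video-stream.test")


def decide(record: bytes, blocked=BLOCKED_SUFFIXES) -> str:
    """Classify a connection from its first TLS record only: the hostname is
    all there is to match on, the URL path never becomes visible."""
    host = extract_sni(record)
    if host is None:
        return "unknown"  # no SNI to look at, so a name-based rule cannot fire
    if any(host == s or host.endswith("." + s) for s in blocked):
        return "block"
    return "allow"


if __name__ == "__main__":
    for name in ("www.example.com", "cdn.video-stream.test"):
        print(name, "->", decide(build_client_hello(name)))
```

The `unknown` branch is the practical limit of this approach: if a client does not send a hostname in the clear, or resolves and connects through a tunnel such as Tor as one post above mentions, a name-based rule on port 443 has nothing to match, which is why the thread keeps steering toward DNS-level blocking instead.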
Ronald, if you don’t want to use OpenDNS, you can look into using Pi-Hole to block porn and ads (a local DNS server). L7 isn’t the right tool for the job.