MikroTik doesn't drop Ares on v3.11

MikroTik doesn't drop Ares on MikroTik v3.11.
I have this

add action=drop chain=forward comment="drop ares" disabled=no p2p=warez

at the top, but the rule doesn't count and Ares can connect. I see it in the connection list.

Does anybody have the same?

Max
http://mikrotikexpert.com
http://maxid.com.ar

Well, I guess this is the same on the older releases, even on 2.9.x. I have figured out that after some time of the router being up, 1-2 days, it successfully drops all Ares connections. You don't have to worry so much, because even if the router is not up for more than 2 days it limits Ares very much.

Another thing you can do is figure out which is the listen port for incoming Ares connections for each of your clients' IPs. You can do this by first logging and then dropping the warez connections, so the log rule comes before the drop, and then monitoring on your PC with syslog.

Here's an example I'm using!

add chain=forward src-address=192.168.0.5 protocol=tcp dst-port=28247 action=log log-prefix="GNUTELLA DROP" \
    comment="log and drop gnutella listen port for 192.168.0.5 \(tcp\)" disabled=no 
add chain=forward src-address=192.168.0.5 protocol=tcp dst-port=28247 action=drop comment="" disabled=no
 
add chain=forward src-address=192.168.0.5 protocol=udp dst-port=28247 action=log log-prefix="GNUTELLA DROP" \
    comment="log and drop gnutella listen port for 192.168.0.5 \(udp\)" disabled=no 
add chain=forward src-address=192.168.0.5 protocol=udp dst-port=28247 action=drop comment="" disabled=no
 
add chain=forward p2p=warez action=log log-prefix="WAREZ" comment="log and drop warez" \
    disabled=no 
add chain=forward p2p=warez action=drop comment="" disabled=no
 
add chain=forward p2p=gnutella action=log log-prefix="GNUTELLA" comment="log and drop gnutella" \
    disabled=no 
add chain=forward p2p=gnutella action=drop comment="" disabled=no
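As an added example (not part of this thread or of any poster's configuration): a small Python script that takes the syslog lines produced by log rules like the WAREZ/GNUTELLA ones above and works out, per LAN host, which local port is reused across many different remote peers. An ephemeral outbound port talks to one peer; the listen port the post suggests locating is the one that keeps showing up with new remote addresses. The script then prints per-host drop rules for that port. The exact log line layout, the 192.168.0.0/24 LAN range and the three-peer threshold are assumptions, and the sample lines are constructed, not real captures. The generated rules match the host's port on its own side of the connection in both directions, a slight variation on the src-address/dst-port form used in the post.

```python
import re
from collections import defaultdict

# Assumed shape of a RouterOS firewall log line: prefix, chain, interfaces,
# optional src-mac, protocol with optional TCP flags, src:port->dst:port, length.
LOG_RE = re.compile(
    r"^(?P<prefix>\S+) (?P<chain>\w+): in:(?P<inif>\S+) out:(?P<outif>\S+),"
    r"(?: src-mac [0-9a-fA-F:]+,)?"
    r" proto (?P<proto>[A-Za-z]+)(?: \([^)]*\))?,"
    r" (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+),"
    r" len \d+$"
)

LAN_PREFIX = "192.168.0."             # assumed client subnet
P2P_PREFIXES = {"WAREZ", "GNUTELLA"}  # log-prefix values set on the p2p log rules

# Constructed sample lines (not real captures) in the assumed log format.
SAMPLE_LOG = """\
WAREZ forward: in:ether2 out:ether1, proto TCP (SYN), 192.168.0.5:41022->203.0.113.9:6346, len 60
WAREZ forward: in:ether1 out:ether2, proto TCP (SYN), 198.51.100.7:51210->192.168.0.5:28247, len 60
WAREZ forward: in:ether1 out:ether2, proto TCP (ACK,PSH), 198.51.100.8:33001->192.168.0.5:28247, len 52
WAREZ forward: in:ether2 out:ether1, src-mac 00:0c:42:aa:bb:cc, proto TCP (ACK), 192.168.0.5:28247->198.51.100.9:40100, len 52
WAREZ forward: in:ether1 out:ether2, proto UDP, 198.51.100.7:28247->192.168.0.5:28247, len 68
WAREZ forward: in:ether1 out:ether2, proto UDP, 198.51.100.10:7000->192.168.0.5:28247, len 68
WAREZ forward: in:ether1 out:ether2, proto UDP, 198.51.100.11:7000->192.168.0.5:28247, len 68
GNUTELLA forward: in:ether2 out:ether1, proto TCP (SYN), 192.168.0.7:50444->203.0.113.20:6346, len 60
DNSLOG forward: in:ether2 out:ether1, proto UDP, 192.168.0.5:53111->8.8.8.8:53, len 48
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one firewall log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["sport"] = int(f["sport"])
    f["dport"] = int(f["dport"])
    f["proto"] = f["proto"].lower()
    return f


def infer_listen_ports(lines, min_peers=3):
    """Map each LAN host to the (proto, port) pairs on its own side of the
    connection that were seen with at least min_peers distinct remote addresses."""
    peers = defaultdict(set)  # (host, proto, local port) -> remote addresses
    for line in lines:
        f = parse_line(line)
        if f is None or f["prefix"] not in P2P_PREFIXES:
            continue  # skip unparseable lines and logs from unrelated rules
        if f["src"].startswith(LAN_PREFIX):
            peers[(f["src"], f["proto"], f["sport"])].add(f["dst"])
        elif f["dst"].startswith(LAN_PREFIX):
            peers[(f["dst"], f["proto"], f["dport"])].add(f["src"])
    result = defaultdict(list)
    for (host, proto, port), remotes in sorted(peers.items()):
        if len(remotes) >= min_peers:
            result[host].append((proto, port))
    return dict(result)


def render_rules(listen_ports, comment="p2p listen port"):
    """Render /ip firewall filter 'add' lines dropping the inferred listen port
    for inbound (dst) and outbound (src) traffic of each host."""
    rules = []
    for host, pairs in sorted(listen_ports.items()):
        for proto, port in pairs:
            rules.append(
                f"add chain=forward dst-address={host} protocol={proto} dst-port={port} "
                f'action=drop comment="{comment} {host} ({proto} in)"'
            )
            rules.append(
                f"add chain=forward src-address={host} protocol={proto} src-port={port} "
                f'action=drop comment="{comment} {host} ({proto} out)"'
            )
    return rules


if __name__ == "__main__":
    for rule in render_rules(infer_listen_ports(SAMPLE_LOG.splitlines())):
        print(rule)
```

Feed it the syslog file instead of SAMPLE_LOG once the log rules have been running for a while; raise min_peers if a host's ordinary browsing produces false positives, since a real P2P listen port accumulates far more distinct peers than any ephemeral port.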

How about L7, Maxi? Did you try that?

I tried with 2 different patterns, but it is not working well. I don't know how other solutions like netenforce have layer 7 for Ares.

Max
http://maxid.com.ar
http://mikrotikexpert.com

I think this type of traffic doesn't stop easily, because it uses random ports and MT only knows which kind of traffic it is after the second packet of the establishment or something like that. Can anybody confirm or explain it?

Port doesn't matter. RouterOS is inspecting packets and looking for familiar patterns. Apparently Ares uses encryption, which makes this complicated.