Community discussions

 
Link100
just joined
Topic Author
Posts: 15
Joined: Mon Aug 12, 2019 3:39 am

File download block?

Mon Aug 12, 2019 1:58 pm

unfortunately I have no possibilities to block files (exe, iso, dmg etc.) download. I was told here viewtopic.php?f=21&t=150767&start=50#p744362 that I shouldn't use L7 Protocol for this. Do you have a solution that works?
 
pe1chl
Forum Guru
Forum Guru
Posts: 5522
Joined: Mon Jun 08, 2015 12:09 pm

Re: File download block?

Mon Aug 12, 2019 2:01 pm

Now that everyone uses https, this is not possible anymore.
 
Link100
just joined
Topic Author
Posts: 15
Joined: Mon Aug 12, 2019 3:39 am

Re: File download block?

Mon Aug 12, 2019 2:56 pm

Yes, I am aware of that, but how do the others do it, at train stations, airports ... ? a few weeks ago I set up a WLAN connection at the airport and I couldn't download any files. So there has to be a solution.

Strangely enough, URL Block also works for HTTPS pages.

This works here, for example:
^.+(youtube.com|facebook.com).*$
 
User avatar
Cha0s
Forum Veteran
Forum Veteran
Posts: 880
Joined: Tue Oct 11, 2005 4:53 pm

Re: File download block?

Mon Aug 12, 2019 3:25 pm

Strangely enough, URL Block also works for HTTPS pages.

This works here, for example:
^.+(youtube.com|facebook.com).*$
Domain block (not URL block) works because the domain is visible (unencrypted) during the TLS session setup between the browser and the server.
After that, you cannot see anything due to TLS (so you cannot block specific URLs or specific extensions to a URL).
This will also stop working after TLS 1.3 becomes the standard, as it will no longer contain the unencrypted domain in the request.
 
User avatar
Cha0s
Forum Veteran
Forum Veteran
Posts: 880
Joined: Tue Oct 11, 2005 4:53 pm

Re: File download block?

Mon Aug 12, 2019 3:27 pm

Yes, I am aware of that, but how do the others do it, at train stations, airports ... ? a few weeks ago I set up a WLAN connection at the airport and I couldn't download any files. So there has to be a solution.
I doubt they were able to block files download over an HTTPS connection. Only whole domains and/or IPs.
With unencrypted HTTP is very easy to block anything you want using a transparent proxy.
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1298
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: File download block?

Mon Aug 12, 2019 4:14 pm

Yes, I am aware of that, but how do the others do it, at train stations, airports ... ? a few weeks ago I set up a WLAN connection at the airport and I couldn't download any files. So there has to be a solution.
I doubt they were able to block files download over an HTTPS connection. Only whole domains and/or IPs.
With unencrypted HTTP is very easy to block anything you want using a transparent proxy.

@Link100, You can block HTTPS with devices like Sonicwall, Proxy's, etc, maybe that is what they used at the airport

Sonicwall has a feature that can inspect HTTPS packets, but it is an "extra" feature that does not come with the standard license of the product
MTCNA, MTCTCE, MTCRE & MTCINE
 
pe1chl
Forum Guru
Forum Guru
Posts: 5522
Joined: Mon Jun 08, 2015 12:09 pm

Re: File download block?

Mon Aug 12, 2019 4:20 pm

But that only works after you have destroyed the security of your device (by adding a new root certificate that cannot be trusted).
So that only works inside companies where they can decide to do this on their own workstations.
It is not a solution that could be used on a public WiFi.
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1298
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: File download block?

Mon Aug 12, 2019 5:48 pm

@pe1chl, also true
MTCNA, MTCTCE, MTCRE & MTCINE
 
Link100
just joined
Topic Author
Posts: 15
Joined: Mon Aug 12, 2019 3:39 am

Re: File download block?

Mon Aug 12, 2019 5:51 pm

Which I don't understand. HTTPS pages can be blocked with the above regexp, but HTTPS downloads cannot.

squid/proxy filtering with the L7 Protocol principle?
 
Sob
Forum Guru
Forum Guru
Posts: 4361
Joined: Mon Apr 20, 2009 9:11 pm

Re: File download block?

Mon Aug 12, 2019 7:33 pm

If you have https://www.someserver.tld/some/file.exe, the part visible to L7 is only www.someserver.tld.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5522
Joined: Mon Jun 08, 2015 12:09 pm

Re: File download block?

Mon Aug 12, 2019 9:13 pm

Which I don't understand. HTTPS pages can be blocked with the above regexp, but HTTPS downloads cannot.
The filename and filetype of the download URL is not visible to the L7 matcher!
squid/proxy filtering with the L7 Protocol principle?
Same problem. Squid sees only "CONNECT www.sitename.tld:443" and not the reason for that connection.
 
Link100
just joined
Topic Author
Posts: 15
Joined: Mon Aug 12, 2019 3:39 am

Re: File download block?

Mon Aug 12, 2019 9:31 pm

Okay, thank you guys for the answer.
Too bad there's no possibility for MikroTik.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5522
Joined: Mon Jun 08, 2015 12:09 pm

Re: File download block?

Mon Aug 12, 2019 9:52 pm

This is not a problem of MikroTik!
What you want is simply not possible anymore.
You can blame Google and others for migrating everything to https to prevent that people like you look in the traffic.
 
Link100
just joined
Topic Author
Posts: 15
Joined: Mon Aug 12, 2019 3:39 am

Re: File download block?

Mon Aug 12, 2019 11:17 pm

This is not a problem of MikroTik!
What you want is simply not possible anymore.
You can blame Google and others for migrating everything to https to prevent that people like you look in the traffic.
You misunderstood me.
As I have already mentioned above, I have set up on airport WLAN connection and I could do everything. Only *.exe, *.mp4 ...files, could not be downloaded. This means that there is the possibility with other router network technology, but it is a pity that the same is not possible with MikroTik.

I'm gonna test this out:
https://wiki.mikrotik.com/wiki/Block_Do ... load_Sizes

EDIT
Works! :)
Download will be slowed down and then stopped!
Also a possibility. Better than nothing! :)
 
pe1chl
Forum Guru
Forum Guru
Posts: 5522
Joined: Mon Jun 08, 2015 12:09 pm

Re: File download block?

Tue Aug 13, 2019 12:06 am

As I have already mentioned above, I have set up on airport WLAN connection and I could do everything. Only *.exe, *.mp4 ...files, could not be downloaded.
I don't believe that. Likely only via http and not via https. There is no way a public WLAN system, no matter what manufacturer, can see what you download over https.
And if they would have a rogue root certificate, you could just setup a VPN to circumvent it.

Limit the amount of bytes per connection is a possibility, but it is not what you requested.
And please understand that it will have false positives. Someone not downloading a file but working in a google docs document will be affected just as well.
 
Link100
just joined
Topic Author
Posts: 15
Joined: Mon Aug 12, 2019 3:39 am

Re: File download block?

Tue Aug 13, 2019 12:36 am

You can believe that. I couldn't download any files. Because it seems to be the same. It starts Download, but it is stopped when downloading.
And please understand that it will have false positives. Someone not downloading a file but working in a google docs document will be affected just as well.
Exactly, therefore the next question :)

On the page there is a hint, without an example of how to do it:
...
"Also You can start this strategy base on File Extensions , Such as ( mp3 , avi , flv , zip , ... )"

Now the question is, how do you do it?

And another question:
...
add action=add-src-to-address-list address-list=Src address-list-timeout=1h \
chain=forward connection-bytes=1970000-0 disabled=no protocol=tcp \
src-address=192.168.0.0/24
...
Bildschirmfoto 2019-08-12 um 23.41.09.png
The input in the web interface is incorrect. What is wrong?
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 4361
Joined: Mon Apr 20, 2009 9:11 pm

Re: File download block?

Tue Aug 13, 2019 4:06 am

"Also You can start this strategy base on File Extensions , Such as ( mp3 , avi , flv , zip , ... )"
It had much better change to work in 2011, when it was written. There was more of plaintext http and less encrypted https back then.

Edit: And about connection-bytes option, congratulations, it looks like you found a bug in WebFig. It works correctly in WinBox and CLI.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1664
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: File download block?

Tue Aug 13, 2019 10:53 am

With blocking of connection once a volume is reached one can block that connection, but the user can just resume the download with a new connection.
So the net effect is slight delay.

A more effective approach would be to slow down the connection once a volume has been reached: based on volume, assign connection / packet marks to assign connection to a different queue with lower priority / lower bandwidth.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5522
Joined: Mon Jun 08, 2015 12:09 pm

Re: File download block?

Tue Aug 13, 2019 11:09 am

On the page there is a hint, without an example of how to do it:
...
"Also You can start this strategy base on File Extensions , Such as ( mp3 , avi , flv , zip , ... )"

Now the question is, how do you do it?
It was possible only for transfers occurring in plaintext. I.e. http, ftp etc.
Today these are seldomly used anymore.
So what is written there is no longer possible today. It should be updated in the wiki.
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1298
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: File download block?

Wed Aug 14, 2019 12:45 am

@Sob, my brain is tired, been fighting with L2 fiber provider all day for poor service, but just so I can follow, I can't see what is wrong in the webfig, it shows 1970k instead of 1970000, which seems to be correct according to my current tired brain?
MTCNA, MTCTCE, MTCRE & MTCINE
 
Sob
Forum Guru
Forum Guru
Posts: 4361
Joined: Mon Apr 20, 2009 9:11 pm

Re: File download block?

Wed Aug 14, 2019 5:06 am

Problem is when you click OK or Apply, it responds with "Invalid value in Connection Bytes" and it's not possible to save the rule.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Link100
just joined
Topic Author
Posts: 15
Joined: Mon Aug 12, 2019 3:39 am

Re: File download block?

Wed Aug 14, 2019 9:33 am

@Sob, my brain is tired, been fighting with L2 fiber provider all day for poor service, but just so I can follow, I can't see what is wrong in the webfig, it shows 1970k instead of 1970000, which seems to be correct according to my current tired brain?
not 1970k, but "1970k-0" does not work.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5522
Joined: Mon Jun 08, 2015 12:09 pm

Re: File download block?

Wed Aug 14, 2019 10:24 am

Isn't that a limit for the two directions? The 0 is supposed to mean "unlimited" but apparently it is rejected by incorrect validation. You can put a very large number there.
 
Link100
just joined
Topic Author
Posts: 15
Joined: Mon Aug 12, 2019 3:39 am

Re: File download block?

Wed Aug 14, 2019 10:29 am

Isn't that a limit for the two directions? The 0 is supposed to mean "unlimited" but apparently it is rejected by incorrect validation. You can put a very large number there.
Without..."-0" it doesn't work for me.

Who is online

Users browsing this forum: No registered users and 29 guests