irghost
Member Candidate
Topic Author
Posts: 282
Joined: Sun Feb 21, 2016 1:49 pm

tls-host no document

Sun Dec 24, 2017 2:18 am

Changelog entry: firewall - added "tls-host" firewall matcher
There is no documentation for this subject.
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
tnt2
just joined
Posts: 19
Joined: Wed Jun 23, 2010 2:47 pm

Re: tls-host no document

Sun Dec 24, 2017 10:58 pm

viewtopic.php?f=2&t=128449
Here is some info,
but these functions don't work for me ...
 
irghost
Member Candidate
Topic Author
Posts: 282
Joined: Sun Feb 21, 2016 1:49 pm

Re: tls-host no document

Tue Dec 26, 2017 12:39 am

viewtopic.php?f=2&t=128449
Here is some info,
but these functions don't work for me ...
Still there is no documentation on this new ability.
I don't know how to use this for filtering.
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
ErfanDL
Member Candidate
Posts: 280
Joined: Thu Sep 29, 2016 9:13 am
Location: IRAN

Re: tls-host no document

Tue Dec 26, 2017 8:55 am

viewtopic.php?f=2&t=128449
Here is some info,
but these functions don't work for me ...
Still there is no documentation on this new ability.
I don't know how to use this for filtering.
This is decory :D :D

Sent from my C6833 using Tapatalk

 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: tls-host no document

Tue Dec 26, 2017 3:24 pm

Doesn't work for me either. Neither by full name, nor wildcard.

P.S. Also, why is this matcher added to NAT rules? There's no info about TLS hostname in TCP SYN packets :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
irghost
Member Candidate
Topic Author
Posts: 282
Joined: Sun Feb 21, 2016 1:49 pm

Re: tls-host no document

Wed Dec 27, 2017 3:31 pm

Doesn't work for me either. Neither by full name, nor wildcard.

P.S. Also, why is this matcher added to NAT rules? There's no info about TLS hostname in TCP SYN packets :)
ME 3
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
dmon47
just joined
Posts: 2
Joined: Fri Nov 11, 2011 12:43 pm

Re: tls-host no document

Thu Feb 01, 2018 2:04 pm

Doesn't work for me either. Neither by full name, nor wildcard.

P.S. Also, why is this matcher added to NAT rules? There's no info about TLS hostname in TCP SYN packets :)
TLS Host does not work in RouterOS 6.41.
Use the latest RouterOS 6.42rc15 (release candidate).
 
cgood
newbie
Posts: 25
Joined: Sat May 31, 2014 4:01 pm
Location: Russia, Sochi

Re: tls-host no document

Thu Feb 01, 2018 10:48 pm

Doesn't work for me either. Neither by full name, nor wildcard.

P.S. Also, why is this matcher added to NAT rules? There's no info about TLS hostname in TCP SYN packets :)
TLS Host does not work in RouterOS 6.41.
Use the latest RouterOS 6.42rc15 (release candidate).
It works! https://t.me/cgood/208
MTCNA 99% '17
MTCRE 89% '17
MTCTCE 89% '18
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: tls-host no document

Thu Feb 01, 2018 11:01 pm

P.S. Also, why is this matcher added to NAT rules? There's no info about TLS hostname in TCP SYN packets :)
There kind of is in recent TLS versions, supported by modern browsers and servers: SNI

I'm assuming this is what this matcher checks. However, browsers or other applications that don't support this won't send such packets, and thus would not be matched by this firewall matcher... So ideally you still want to deal with SNI-less packets somehow.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
Sob
Forum Guru
Posts: 4812
Joined: Mon Apr 20, 2009 9:11 pm

Re: tls-host no document

Thu Feb 01, 2018 11:55 pm

The important part is "in TCP SYN packets", because that's what is important for NAT: you can't redirect the connection later, when the SNI hostname arrives.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
16again
newbie
Posts: 48
Joined: Fri Dec 29, 2017 12:23 pm

Re: tls-host no document

Thu Feb 01, 2018 11:58 pm

SNI is a server thingy.
When opening an https webpage, a certificate with the name of the website FQDN is always requested (this takes place after the TCP 3-way handshake, at session start).
In my understanding, this tls-host thingy is just a dedicated L7 filter, targeting this certificate name in the SSL handshake.
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: tls-host no document  [SOLVED]

Mon Feb 05, 2018 6:03 pm

It is now added to the docs... And just as I said, it's based on the SNI value. Although an interesting caveat is that the TLS handshake the client sends needs to be within a single packet for the matcher to work. And since TLS is on a higher OSI level than TCP, sure, the idea is similar to L7 filter, except that it only checks a specific format (TLS) in the first packet, making it technically a predefined L6 filter.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: tls-host no document

Tue Feb 06, 2018 12:06 pm

Still, how can we use TLS Host matcher in NAT rules if packets with SNI data are not processed by NAT rules? :) Looks like it's some error
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: tls-host no document

Thu Feb 08, 2018 8:22 pm

I'm guessing that this matcher doesn't work on SYN and ACK packets, but instead it inspects the first content packets. The destination and source address are as determined without this matcher. And on a match, it terminates the original connection between router and server, and creates a new one to the new destination using the new source (as determined by rules including the matcher).

To the client, nothing would appear out of the ordinary, as long as the server at the final destination has the correct certificate. The final destination server would also not notice anything different. The original destination server would notice a TCP connection that gets immediately terminated, before the first packet from the client.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: tls-host no document

Fri Feb 09, 2018 9:10 am

I'm guessing that <...> on a match, it terminates the original connection between router and server, and creates a new one to the new destination using the new source (as determined by rules including the matcher).
Well, simple testing shows that the matcher simply doesn't work in NAT rules :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
protagonista
just joined
Posts: 3
Joined: Wed Feb 28, 2018 9:45 pm

Re: tls-host no document

Wed Mar 07, 2018 6:46 pm

I am not able to make it work on forwarded connections either.
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: tls-host no document

Mon Mar 12, 2018 8:14 am

I am not able to make it work on forwarded connections either.
Whut?..
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
sindy
Forum Guru
Posts: 4014
Joined: Mon Dec 04, 2017 9:19 pm

Re: tls-host no document

Mon Mar 26, 2018 10:47 pm

I am not able to make it work on forwarded connections either.
Whut?..
It works for me in /ip firewall filter chain=forward rules in 6.41.1, as much as it can work. But bear in mind that you cannot combine it with connection-state=new, for the reasons stated above (the client-hello packet is sent after the TCP connection has already been established), so you can use the match to break the TCP session but not to e.g. redirect it to a dedicated WAN connection; it is too late to do that when that rule matches.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
alli
newbie
Posts: 35
Joined: Tue Jan 24, 2017 5:43 pm

Re: tls-host no document

Wed May 16, 2018 5:01 pm

Sadly it doesn't work with QUIC
