tomislav91
Member
Topic Author
Posts: 303
Joined: Fri May 26, 2017 12:47 pm

why youtube is not blocked?

Mon Mar 29, 2021 2:18 pm

I am using this:
/ip firewall filter
add chain=forward dst-port=443 protocol=tcp tls-host=*youtube* action=reject src-address=10.10.10.0/24 place-before=0
but users can still open YouTube. Where is the mistake?
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: why youtube is not blocked?

Mon Mar 29, 2021 3:15 pm

Maybe it has something to do with QUIC?
viewtopic.php?t=144452
 
normis
MikroTik Support
Posts: 26292
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: why youtube is not blocked?

Tue Mar 30, 2021 9:31 am

Users that have open sessions will not be blocked immediately. They have to restart the computer, or at least close and reopen the browser.

This rule works fine for me:
chain=forward action=reject reject-with=icmp-network-unreachable 
      protocol=tcp log=no log-prefix="" tls-host=*youtube* 
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: why youtube is not blocked?

Tue Mar 30, 2021 4:59 pm

> This rule works fine for me:
> chain=forward action=reject reject-with=icmp-network-unreachable 
>       protocol=tcp log=no log-prefix="" tls-host=*youtube* 
This rule can only work if placed before the "accept established,related" one, and if fasttracking is disabled. The reason is that the TCP session has already been established when the Client Hello carrying the TLS host name passes through the firewall. And it cannot work for QUIC as @Jotne has properly mentioned, because QUIC uses UDP as transport and the tls-host matcher only handles TCP. So devices/browsers using QUIC escape that rule.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: why youtube is not blocked?

Tue Mar 30, 2021 5:58 pm

Yes, it looks like it is time that tls-host is supported for QUIC as well...
Of course, for the time being. Because tls-host will cease to work anyway.
 
tomislav91
Member
Topic Author
Posts: 303
Joined: Fri May 26, 2017 12:47 pm

Re: why youtube is not blocked?

Fri Apr 02, 2021 10:32 pm

Isn't TLS 1.3 adopted in QUIC as part of the crypto part? Handling flow control, crypto, and the HTTP part as well?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: why youtube is not blocked?

Mon Apr 05, 2021 5:16 pm

Whether TLS 1.3 is used atop QUIC or not changes nothing about the fact that the tls-host match condition in RouterOS firewall only works with TCP, so it can never see any QUIC payload.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: why youtube is not blocked?

Mon Apr 05, 2021 5:23 pm

Also, the end of tls-host matching is not in TLS 1.3 but in "encrypted SNI" which is a further extension to TLS 1.3 which may become part of a future TLS version.
As of now, it is being used by cloudflare webhosting. But undoubtedly Google will start using that too, or invent something different for their service.
(easy to do for them because they control both the server and the mostly used browser)

When that is finished, it will no longer be possible at all to do tls-host matching, no matter if MikroTik wants to support it in QUIC.
And the common trick of using a DNS-based address list to block "the servers for youtube" will also no longer work, because browsers are or will be going around the DNS resolver of the router (by using DoT or DoH) and thus they get different IP addresses for the Youtube service than your router would get when filling the address list.

As I repeatedly say: blocking specific services (like Youtube) is a race that you as a network admin are going to LOSE.
Prepare for it now, by not wanting to block them in a technical way. Find other ways (like "this is not allowed, when we catch you, you are fired / lose your connection").
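The two technical points made above, that the host name only becomes visible on the first data segment of an already-established TCP session (sindy's post) and that an Encrypted Client Hello leaves only a public outer name for any matcher to see (pe1chl's post), can be seen directly by parsing the ClientHello. The Python below is an added example, not RouterOS code and not from anyone in this thread: it constructs a minimal ClientHello, extracts the SNI the way a tls-host style matcher would, returns nothing for the SYN/ACK segments that precede it, and flags the ECH extension. All sample bytes are constructed here; the ECH and ESNI extension code points are the draft values and are labelled as assumptions. A QUIC Initial packet is never handed to this parser, which is the UDP-vs-TCP limitation the thread describes.

```python
"""Added example (not RouterOS code): what a tls-host style matcher can and cannot see.
Parses the TLS ClientHello carrying the SNI, shows that earlier segments of the TCP
session carry no name, and flags an Encrypted Client Hello (outer public name only).
All sample bytes are constructed here."""
import struct
from fnmatch import fnmatchcase
from typing import Optional

EXT_SERVER_NAME = 0x0000   # server_name extension (RFC 6066)
EXT_ECH = 0xFE0D           # encrypted_client_hello draft code point (assumption)
EXT_ESNI = 0xFFCE          # older encrypted SNI draft code point (assumption)


def build_client_hello(server_name: str, ech: bool = False) -> bytes:
    """Construct a minimal TLS ClientHello record with one SNI entry.
    With ech=True a dummy ECH extension is appended; a real client would then carry
    the true name inside the encrypted inner hello and advertise only a public name."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name, type 0
    sni_list = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if ech:
        opaque = b"\x00" * 16                                       # constructed placeholder
        exts += struct.pack("!HH", EXT_ECH, len(opaque)) + opaque
    body = (
        b"\x03\x03"                                  # legacy_version TLS 1.2
        + b"\x11" * 32                               # random (constructed)
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(segment: bytes) -> Optional[dict]:
    """Return {'sni': str|None, 'ech': bool} if the TCP payload is a complete ClientHello
    in one record, else None (empty SYN/ACK segments, HTTP, truncated data)."""
    try:
        if segment[0] != 0x16 or segment[5] != 0x01:
            return None
        end = 9 + int.from_bytes(segment[6:9], "big")
        if len(segment) < end:
            return None                       # would need reassembly; a matcher cannot act
        p = 9 + 2 + 32                        # skip legacy_version and random
        p += 1 + segment[p]                   # session_id
        p += 2 + struct.unpack("!H", segment[p:p + 2])[0]   # cipher_suites
        p += 1 + segment[p]                   # compression_methods
        ext_end = p + 2 + struct.unpack("!H", segment[p:p + 2])[0]
        p += 2
        info = {"sni": None, "ech": False}
        while p + 4 <= min(ext_end, end):
            ext_type, ext_len = struct.unpack("!HH", segment[p:p + 4])
            data = segment[p + 4:p + 4 + ext_len]
            p += 4 + ext_len
            if ext_type == EXT_SERVER_NAME:
                q = 2                                             # skip list length
                while q + 3 <= len(data):
                    name_type = data[q]
                    name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                    if name_type == 0:
                        info["sni"] = data[q + 3:q + 3 + name_len].decode("ascii", "replace")
                        break
                    q += 3 + name_len
            elif ext_type in (EXT_ECH, EXT_ESNI):
                info["ech"] = True              # visible name is only the outer public name
        return info
    except (IndexError, struct.error):
        return None


def tls_host_matches(segment: bytes, pattern: str) -> bool:
    """Emulate a glob tls-host condition such as *youtube* on one TCP segment."""
    info = parse_client_hello(segment)
    return info is not None and info["sni"] is not None and fnmatchcase(info["sni"], pattern)


def first_visible_name(segments):
    """Walk the payloads of one TCP flow in order (SYN, ACK, ClientHello, ...) and return
    (index, name) of the first segment a name can be matched on, or None.  Everything
    before it is what an earlier 'accept established' rule already let through, so a
    tls-host rule placed after that rule never gets to see the name."""
    for i, seg in enumerate(segments):
        info = parse_client_hello(seg)
        if info and info["sni"]:
            return i, info["sni"]
    return None


if __name__ == "__main__":
    flow = [b"", b"", build_client_hello("www.youtube.com")]   # SYN, ACK, first data
    print(first_visible_name(flow))                            # (2, 'www.youtube.com')
    print(tls_host_matches(flow[2], "*youtube*"))              # True
    hidden = build_client_hello("public-name.example", ech=True)
    print(parse_client_hello(hidden))   # {'sni': 'public-name.example', 'ech': True}
```

The builder writes a single-record ClientHello; a real client may split it across records or TCP segments, and the parser then returns None, which is the same position a packet-by-packet matcher is in until it reassembles the handshake.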
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: why youtube is not blocked?

Mon Apr 05, 2021 5:50 pm

As I have written before, you can have full control and block stuff by using products like Forcepoint.
To make this work, you need to have full control of the client as well, some of which you can do with company policies.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: why youtube is not blocked?

Mon Apr 05, 2021 6:08 pm

> As I have written before, you can have full control and block stuff by using products like Forcepoint.
> To make this work, you need to have full control of the client as well, some of which you can do with company policies.
That requires you to break the security of https. Not something you would want to do in the long run, and also not something that will be tolerated by websites forever.
(there are all kinds of efforts to bind the specific certificate in use to a specific website, so the fake cert used by such projects is flagged as untrusted)
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: why youtube is not blocked?

Mon Apr 05, 2021 7:16 pm

> As I have written before, you can have full control and block stuff by using products like Forcepoint.
> To make this work, you need to have full control of the client as well, some of which you can do with company policies.
I'm working on some projects with Palo Alto equipment.
Even without full SSL decryption (no control of the client), it seems to be able to identify the application that the user is running (and therefore block it if desired).

For YouTube, I can "granularly" allow or deny some of the "sub"-sections of YouTube usage. So it's not all-or-nothing, and it actually works.

youtube-posting
youtube-tv
youtube-tv-streaming
youtube-base media
youtube-safety-mode
youtube-uploading
youtube-streaming
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: why youtube is not blocked?

Mon Apr 05, 2021 9:58 pm

> That requires you to break the security of https. Not something you would want to do in the long run, and also not something that will be tolerated by websites forever.
> (there are all kinds of efforts to bind the specific certificate in use to a specific website, so the fake cert used by such projects is flagged as untrusted)

There are many companies doing this, like the one I am working in (it has been like this for 7-8 years). When I click on a certificate of a site, like cnn.com, it does show our company certificate. I do not see any problem with this, since when you work for someone, you should follow the rules they have. We do not have an admin account on our PC. It uses BitLocker ++. If you do not like it, change to some other company :)

Some more information here:
https://www.websense.com/content/suppor ... works.aspx
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: why youtube is not blocked?

Tue Apr 06, 2021 11:31 am

> There are many companies doing this, like the one I am working in (it has been like this for 7-8 years). When I click on a certificate of a site, like cnn.com, it does show our company certificate. I do not see any problem with this, since when you work for someone, you should follow the rules they have.
The big problem with that is that it trains your muscle memory to always "accept a certificate" because you get that warning over and over again.
At some point you will also accept certificates that are not the local certificate of your company, but some falsified certificate for a legitimate site.
Not only at work, but possibly even at home where this system is not in use at all.

That makes such operation quite dangerous.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: why youtube is not blocked?

Tue Apr 06, 2021 12:08 pm

I do not get any warning in any browser. For me everything looks normal; only when I look at the certification path do I see that it's our company certificate and not the web site's certificate.

So for the user this is 100% transparent.

There are several sites that are whitelisted, like banking etc. Also, if it's an application that connects to the internet using the web, the site it tries to reach needs to be whitelisted as well.

Here is a list of Forcepoint customers.
https://www.forcepoint.com/company/customers
