SingleSW
just joined
Topic Author
Posts: 5
Joined: Wed May 27, 2020 11:06 am

Firewall Filter Content Hex

Fri Apr 16, 2021 5:05 pm

Hello. I am trying to use a HEX value in the content string in firewall rules. Is it possible?

/ip firewall filter
add action=passthrough chain=forward connection-bytes=1-800 content=1 dst-port=3389 protocol=tcp < work
add action=passthrough chain=forward connection-bytes=1-800 content=#31 dst-port=3389 protocol=tcp < not work
add action=passthrough chain=forward connection-bytes=1-800 content="\\\\#31" dst-port=3389 protocol=tcp < not work
add action=passthrough chain=forward connection-bytes=1-800 content="\\\\x31" dst-port=3389 protocol=tcp < not work
add action=passthrough chain=forward connection-bytes=1-800 content="\\\\49" dst-port=3389 protocol=tcp < not work
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall Filter Content Hex

Fri Apr 16, 2021 5:23 pm

 
SingleSW
just joined
Topic Author
Posts: 5
Joined: Wed May 27, 2020 11:06 am

Re: Firewall Filter Content Hex

Tue Apr 20, 2021 11:06 am

L7 - If the first rule matches the connection, it marks the connection as its "own", and the second rule does not match the packets/connection with identical parameters.
Content filter can be used multiple times.

I send the string "10 20 30"
And have the rules:

add action=passthrough chain=forward content=10 dst-port=3389 protocol=tcp < pass
add action=passthrough chain=forward content=20 dst-port=3389 protocol=tcp < pass
add action=passthrough chain=forward content=30 dst-port=3389 protocol=tcp < pass

And if I use L7:

/ip firewall layer7-protocol
add name=RDP1 regexp=10
add name=RDP2 regexp=20
add name=RDP3 regexp=30
/ip firewall filter
add action=passthrough chain=forward dst-port=3389 layer7-protocol=RDP1 protocol=tcp < pass
add action=passthrough chain=forward dst-port=3389 layer7-protocol=RDP2 protocol=tcp < no
add action=passthrough chain=forward dst-port=3389 layer7-protocol=RDP3 protocol=tcp < no
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall Filter Content Hex

Tue Apr 20, 2021 2:04 pm

One thing you need to watch out for is that content filter does not match individual packets.
It matches the first 2KB sent over a TCP connection. This is collected into a buffer and matched with the pattern.
So it is often not useful to use content filter to block packets. Packets that are part of the content may have gone through before the filter matches, and new packets beyond 2KB may go through after the match.
Content filter is best used in the mangle chain to set a connection-mark, and then in the filter chain you can filter on that connection-mark.
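The mangle/connection-mark pattern described in this reply, written out for the thread's RDP (tcp/3389) case. This is an added example, not configuration posted in the thread; the mark name rdp-content, the use of the forward mangle chain and the choice of drop as the final action are assumptions made here for illustration.

```routeros
# Added example (not from the original thread). Assumes the mark name
# "rdp-content" and that a matched connection should be dropped.

/ip firewall mangle
# content= is evaluated against the buffered start of the TCP connection
# (the first 2KB, per the reply above), so the match fires once the pattern
# has been seen. connection-mark=no-mark keeps the rule from re-evaluating
# connections that are already marked; passthrough=no stops mangle
# processing for the matching packet.
add chain=forward protocol=tcp dst-port=3389 connection-mark=no-mark \
    content="10" action=mark-connection new-connection-mark=rdp-content \
    passthrough=no comment="mark RDP connections whose first bytes contain the pattern"

/ip firewall filter
# Filter on the mark, not on content=: every later packet of the marked
# connection is dropped, including traffic beyond the first 2KB that a
# content= rule in the filter chain would never see.
add chain=forward connection-mark=rdp-content action=drop \
    comment="drop all further packets of a marked RDP connection"
```

The packets that carried the matching bytes have already been forwarded by the time the mark is set, as the reply points out; what the connection mark buys you is that everything after that point on the same connection is caught, regardless of the 2KB window.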
 
SingleSW
just joined
Topic Author
Posts: 5
Joined: Wed May 27, 2020 11:06 am

Re: Firewall Filter Content Hex

Tue Apr 20, 2021 6:38 pm

What about hex in content?
