how can we set rules to block VOIP connections? Since voip traffic does catch under MT p2p filters.
besides blocking ports
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
Blocking certain services has always been a problem for many here on the forums.
You can block some ports but you can never catch them all. Users will find another program that makes another type of connection that your routers aren't prepared to "catch".
So unless you want to block a particular service that aways runs on particular ports.... you simply can not block it.
If Mikrotikls must continue to market their product as able to block stuff, they need to change the way the blocking works. Maybe "definitions" for certain services need to be introduced. Like definitions for Skype etc where MT will recognise the Skype traffik and block it. It would be hard to create theese definitons but maybe they can be created by enthusiast/anybody out there and be submitted to a definitions database....
But then, these definitions will probably fail to catch encrypted/scrambled traffic. Programs will always find a way to hide their connections IMO.
You can block some ports but you can never catch them all. Users will find another program that makes another type of connection that your routers aren't prepared to "catch".
So unless you want to block a particular service that aways runs on particular ports.... you simply can not block it.
If Mikrotikls must continue to market their product as able to block stuff, they need to change the way the blocking works. Maybe "definitions" for certain services need to be introduced. Like definitions for Skype etc where MT will recognise the Skype traffik and block it. It would be hard to create theese definitons but maybe they can be created by enthusiast/anybody out there and be submitted to a definitions database....
But then, these definitions will probably fail to catch encrypted/scrambled traffic. Programs will always find a way to hide their connections IMO.
block skype
http://www.secdev.org/conf/skype_BHEU06.pdf
page78:
iptables -I FORWARD -p udp -m length --length 39 -m u32 \
--u32 ’27&0x8f=7’ --u32 ’31=0x01020304 ’ -j QUEUE
How to add this firewall rule to Mikrotik?
page78:
iptables -I FORWARD -p udp -m length --length 39 -m u32 \
--u32 ’27&0x8f=7’ --u32 ’31=0x01020304 ’ -j QUEUE
How to add this firewall rule to Mikrotik?
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
You can create your own custom "definitions" by mangeling the traffic. This creates a label, or definition for the connection/packets and then you can apply rules to the traffic in the firewall.If Mikrotikls must continue to market their product as able to block stuff, they need to change the way the blocking works. Maybe "definitions" for certain services need to be introduced.
When firewalling, unless you're an ISP, usually you block all incoming traffic and only open the ports that you need for services in use on your network. This decreases the amount of rules you need to create, and creates a more secured network.
-
-
mgm@protenus.com
just joined
- Posts: 3
- Joined:
Mangling Skype Traffic
So... tried to decipher the above post about recognizing skype. We dont want to block it, we want to prioritize, has anyone figured out how to mange skype and SIP traffic yet?