Mikrotik - blocking Skype, Jabber, ICQ
Last time we showed several ways to block Facebook. That may not be enough for everyone; someone may want to block something else. A few years ago, before all the ordinary users fled from ICQ, the most popular chat protocol in the Czech Republic, it would have been exactly that protocol. It no longer is. We will show how to block Skype and outline how to block other protocols as well: P2P, Jabber, BitTorrent, SIP, or Tor, which is meant for anonymisation...
Again, this kind of use is rather undemocratic. Still, in a company network, or in a home network where such traffic can be a considerable nuisance, the decision is yours.
How does it actually work? Briefly: once you set it up, the MikroTik reads the first 10 packets or the first 2 KB of a connection and looks in them for the pattern (which you define in the L7 protocol) of the forbidden traffic. Once it recognises it, it simply drops it...
So how is it done?
- Go to IP > Firewall > Layer7 Protocols
- Click to create a new one. For Skype it can look like this. (pattern for Skype: ^..\x02.............)
- Once you have SKYPE created, go to IP > Firewall > Add rule
- Switch straight to the Advanced tab
- Under Layer 7 Protocol choose your skype.
- Go to the Action tab and choose the good old Drop.
- OK and you're done. Of course you can set which interface it applies to, or which IP it applies to. At home this is enough for us...
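The same Winbox steps as RouterOS console commands, added here as an example that is not the post's own configuration. The 192.168.88.0/24 source range is an assumed LAN network, and the doubled backslash in the regexp is the console's string escaping, not part of the pattern.

```routeros
# Added example (not the post's own config): the Winbox steps expressed
# as RouterOS console commands.

# 1. Define the Layer7 protocol with the Skype pattern quoted in the post.
#    The backslash is doubled because the console string parser treats
#    "\" as an escape; verify with "print" that the stored regexp reads
#    ^..\x02............. exactly as in the post.
/ip firewall layer7-protocol
add name=skype regexp="^..\\x02............."
print

# 2. Add the filter rule: the L7 matcher inspects only the first 10 packets
#    or 2 KB of a connection and needs to see both directions, which the
#    forward chain does. Limiting by source address is optional;
#    192.168.88.0/24 is an assumed LAN range, drop the src-address part
#    to apply the rule to everyone.
/ip firewall filter
add chain=forward src-address=192.168.88.0/24 layer7-protocol=skype \
    action=drop comment="drop Skype (L7)"

# 3. Check that the rule is hitting: the packets/bytes counters should
#    grow while a client tries to connect. Counters that stay at 0 on
#    RouterOS 5.6 or 5.7 are the breakage the post describes.
/ip firewall filter print stats where comment="drop Skype (L7)"
```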
Where to get more info?
- http://wiki.mikrotik.com/wiki/Drop_IM_Using_L7 - our example showed how to do it. I think no further explanation is needed. This is the guide I drew from.
- http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7 - Detailed description on the MikroTik wiki.
- http://l7-filter.sourceforge.net/protocols - Here you can get further "patterns".
Finally, it should be noted that on version 5.6 and now also 5.7 this simply does not work. Hopefully it is a logged issue... So if you use this rule, do not upgrade RouterOS!!! Stay on 3.x or 4.x
Comments
Not even router os 5.8
Not even router os 5.8 works... bad luck!
what's new in version 5.8 (2011-Nov-01):
*) snmp - fixed problem where some rows were missed in a few tables when walking them;
*) ipv6 - added support for router address assignment from ipv6 pools;
*) routerboard - fix RB400/RB700 bootloader upgrade problem
*) radius - respond to CoA & Disconnect requests with the same ip address it was received to;
*) improved webfig look;
*) webfig - do not allow to show secret passwords if user does not have sensitive permission;
*) webfig - allow to customize all item names in skins;
*) updated timezone information;
*) lcd - added support for new ax93304 model and nexcom LCDs;
*) ppp - added support for ipv6 pools;
*) ppp - added support for Framed-IPv6-Pool radius attribute;
*) dhcp client - fix high CPU usage when interface is disabled;
*) snmp - trap interface filter, multiple trap targets;
*) dhcp - added server support for IPv6 prefix delegation from /ipv6 pool, client support is also added;
*) ipsec - support authorization with raw RSA keys;
*) added ipv6 prefix pools;
*) winbox - now copied item in ordered list is added right after it's original;
*) pcq - fixed possible crash;
Hot Fix Mikrotik Router OS v 5.8
hotfix - 5.9 apparently nothing either :(
*) ssh - fix memory leak when client uses public key authentication;
*) ppp - added support for new RADIUS attribute MT-Delegated-IPv6-Pool (#22);
*) ntp client - faster initial synchronization;
*) ppp - added support for dhcpv6 pd;
*) wireless - nv2 improvements for 11n cards;
*) hotspot - fixed login page to better handle big load;
*) wireless - change default rate-selection to advanced;
*) snmp - fixed simple queue table;
*) webfig - fixed problem were users without sensitive permission could download
sensitive files (like backups);
*) webfig - fixed problem were table filters did not work always as expected;
*) metarouter - fixed problem where local routeros instances did not boot;
*) dhcpv6 - client and server moved to respective /ipv6 dhcp- entry;
*) dhcpv6 server - changed how bindings are defined, users should add
missing static binding information after upgrade;
*) sms - send sms now uses channel from config if it's not specified in the command;
Mikrotik hot fix 5.10 and 5.11
The guys have been churning these out lately like potatoes :)
*) hotspot - fixed https login (broken in v5.9);
*) eoip: swap tunnel id bytes to be compatible with previous versions;
*) eoip,gre: fix setting config
What's new in 5.10 (2011-Dec-09 11:49):
*) snmp - provide extended interface statistics when availabe;
*) dhcpv6 client - use link-scoped multicast address;
*) dhcp client - renew dhcp lease on ethernet link up event;
*) ipv6 gre tunnel added (/interface gre6) supports ip and ipv6 encapsulation;
*) ip gre tunnel supports ipv6 encapsulation;
*) allow setting bigger trafflow cache;
*) improved RB1200 stability when using ether9,ether10;
*) fixed RB1200 stability issues when using crypto hardware acceleration;
Mikrotik Hot fix 5.12
What's new in 5.12 (2012-Jan-19):
*) console - allow to specify blank interval on x86 screens;
*) console - changed 'password' command, now can be used from scripts and api;
*) winbox - reorganized window layout to match console better;
*) ssh - fixed interoperability problem with psftp based clients;
*) implemented simple SMB (windows file sharing) server;
*) fixed ovpn-client - client stopped working if it was enabled/disabled at wrong time;
*) fixed ipv6 - ipv6 neighbor discovery stopped working when interface arp setting wasn't set to enabled;
*) console - minor fixes and improvements;
*) console - added support for compact export;
*) hotspot - added login redirect through http status 302;
*) leds - added default configuration for R5SHPn wireless card;
*) ppp - fixed problem were remote-ipv6-prefix was not given to user if remote-ipv6-pool was provided;
*) winbox, webfig - sort ethernet interfaces properly when more than 10 exist;
*) added QuickSet to RBSXT, RB411, RB711;
*) user manager - command to create and assign user profile from console;
*) added support for LTE modems (cdc ethernet type);
*) fix gre tunnels on x86 and other little endian machines;
Mikrotik Hot fix 5.13, 5.14, 5.15, 5.16
Hot Fix Mikrotik Router OS v 5.16 Stable
*) webfig - fixed problem when new item addition to status page in design skin mode
did not work;
*) add pw-type option for BGP VPLS;
*) fixed mac telnet - sometimes did not work if more than one mac level path
to destination;
*) user - fixed problem when adding new users from console it's password was not set;
*) reset packet mark when encapsulating/decapsulating from eoip,ipip,gre,eoipv6,ipipv6,gre6 tunnels
*) Fixed issue where many connected clients to AP could stop passing traffic in some cases, which was introduced in Mikrotik OS Update v5.15
------------------------------
Hot Fix Mikrotik Router OS v 5.15 Stable
*) ssh - added option "/ip ssh always-allow-password-login" which will allow
password based login for users using public key;
*) snmp - moved disk oids shown in console from "/system resoure" to "/store disk";
*) certificate manager - added PKCS#8 support for key import;
*) lte - support for modems which utilize sierra_net driver with product ID 0x68a3,
serial interface is no longer accesable for those modems;
*) quickset - added AP mode;
*) smb - fixed authorization problems, shares should now be browsable;
*) dhcp client - revert NTP settings on dhcp client disable;
*) dhcp server - use DNS server from DHCP client (broken in v5.13);
*) sstp - made it working on Pentium 4 again;
*) added support for usb forwarding over tcp;
*) webfig - fixed uptime column in hotspot active users list (and other places as well) ;
*) webfig - hide design skin button if user does not have
sensitive & policy permissions;
*) webfig - do not allow to upload/download files
without write/read & ftp permisions;
*) webfig - fixed blank page when logout, undo, redo, hide-menu or safe-mode were hidden in skin,
*) winbox - show connection tracking max entries properly;
*) winbox - make interface name sorting more stable;
*) winbox - do not reset user password when changing it's properties;
*) rb1200 ether6,ether7,ether8 did not support big packets when linked at 10/100Mbps;
*) Fixed issue where many connected clients to AP could stop passing traffic in some cases, which was introduced in Mikrotik OS Update v5.15
--------------------------------------------
Hot Fix Mikrotik Router OS v 5.14 Stable
*) winbox - fixed problem when changing main winbox window size and some of the inner windows
become hidden;
*) backup - backup file creation failed if router identity name had / in it;
*) wireless - improved nv2 link stability to reduce control frame timeouts,
only AP requires update;
*) fixed rare configuration retention problems on RB1100AHx2;
*) certificate manager - fixed building certificate trust chain which caused
certificate validation problems for some programs (VPN, SSTP etc)
when downgrading from this version to older version please run
"/certificate reset-certificate-cache" to maintain correct trust chain;
-------------------------------------------------
Hot Fix Mikrotik Router OS v 5.13 Stable
*) firewall - to-address can be specified as ip address with mask in addition to
ip range;
*) traffic-generator - fix crash on multicore systems;
*) smb - fixes and improvements;
*) sstp - added RC4 cipher support to fix interoperability issues
introduced in MS KB2585542 security update. from now on RC4 is the
preferred cipher and AES will be used only if peer does not advertise RC4;
*) dhcp client - revert DNS settings on dhcp client disable;
*) quickset - country & channel-width can now be specified;
*) quickset - added support for configuring pppoe client on wireless interface;
*) bridge - fixed problem where arp reply-only or disabled mode didn't work and
disabled bridge interfaces didn't have X flag;
*) webfig - fixed problem where none of table entries were shown if table filter
was left to 'all';
*) webfig - show login page if autologin fails;
*) user manager - don't store backups in active store, always use path relative to /;
ASK
If using L7 filtering, does it need a lot of the routerboard's resources?
Please visit back @ Jasa Setting Mikrotik