Mikrotik - blocking Skype, Jabber, ICQ

Last time we showed several ways to block Facebook. That may not be enough for everyone; someone may want to block something else. A few years ago, before all the ordinary users (BFU) abandoned ICQ, then the most popular chat protocol in the Czech Republic, it would have been exactly that protocol. It no longer is. We will show how to block Skype and outline how to block other protocols as well: P2T, Jabber, BitTorrent, SIP, or perhaps Tor, which is designed for anonymization...

Again, this use is rather undemocratic. Still, in a corporate network or a home network, where such traffic can be a considerable nuisance, the decision is yours.

How does it actually work? In short: once you set it up, the MikroTik reads the first 10 packets or the first 2 KB of a connection and looks in them for the pattern (which you set in L7) of the prohibited communication. When it recognizes the pattern, it simply drops the traffic...

So how do you do it?

  1. Go to IP > Firewall > Layer7 Protocols
  2. Click to create a new entry. For Skype it can look like this, for example (pattern for Skype: ^..\x02.............)
  3. Once you have SKYPE created, go to IP > Firewall > Add rule
  4. Switch straight to the Advanced tab
  5. In Layer7 Protocol select your skype entry.
  6. Go to the Action tab, where you choose the good old Drop.
  7. Click OK and you are done. Of course you can set which interface it applies to, or which IP it applies to. At home this is enough for us...
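The matching behaviour described above, applied to the Skype pattern from step 2, as an added example (not code from the original article or from MikroTik). Python's `re` module stands in for the router's regex engine, and the sample payloads are constructed. It shows that the pattern only requires a third byte of 0x02 followed by enough further bytes, so unrelated traffic of the same shape is dropped too.

```python
import re

# Pattern quoted in step 2. DOTALL lets "." match any byte; Python's re is
# an assumed stand-in for the router's own regex engine.
SKYPE_PATTERN = re.compile(rb"^..\x02.............", re.DOTALL)

MAX_PACKETS = 10   # "first 10 packets" per the article
MAX_BYTES = 2048   # "first 2 KB" per the article


def inspection_window(payloads):
    """Bytes the L7 matcher would inspect for one connection."""
    window = bytearray()
    for count, payload in enumerate(payloads, start=1):
        if count > MAX_PACKETS:
            break
        window += payload
        if len(window) >= MAX_BYTES:
            break
    return bytes(window[:MAX_BYTES])


def l7_verdict(payloads, pattern=SKYPE_PATTERN):
    """'drop' when the pattern is found in the window, else 'accept'."""
    return "drop" if pattern.search(inspection_window(payloads)) else "accept"


# Constructed sample connections (not captured traffic), one list per connection.
SAMPLES = {
    "shape the pattern describes": [b"\x7a\x11\x02" + b"S" * 20],
    "http request": [b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"],
    # Unrelated binary header whose third byte happens to be 0x02.
    "unrelated binary header": [b"\x01\x10\x02\x05" + b"A" * 20],
    # Marker split over two packets: the window is matched as one stream.
    "split across two packets": [b"\x7a\x11", b"\x02" + b"B" * 20],
    # Too few bytes after the 0x02 marker for the pattern to match.
    "short payload": [b"\x7a\x11\x02abc"],
}


def evaluate_samples():
    return {name: l7_verdict(pkts) for name, pkts in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict:6}  {name}")
```

The "unrelated binary header" result is the reason to scope the drop rule by interface or address, as step 7 suggests, and to watch the rule's counters after enabling it.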

Where to find more information?

Finally, it should be pointed out that on version 5.6, and now also 5.7, this simply does not work. Hopefully it is logged as a known problem... So if you use this rule, do not upgrade RouterOS!!! Stay on 3.x or 4.x.

Comments

7
User picture: Ládínek

So RouterOS 5.8 does not work either... bad luck!

What's new in version 5.8 (2011-Nov-01):
*) snmp - fixed problem where some rows were missed in a few tables when walking them;
*) ipv6 - added support for router address assignment from ipv6 pools;
*) routerboard - fix RB400/RB700 bootloader upgrade problem
*) radius - respond to CoA & Disconnect requests with the same ip address it was received to;
*) improved webfig look;
*) webfig - do not allow to show secret passwords if user does not have sensitive permission;
*) webfig - allow to customize all item names in skins;
*) updated timezone information;
*) lcd - added support for new ax93304 model and nexcom LCDs;
*) ppp - added support for ipv6 pools;
*) ppp - added support for Framed-IPv6-Pool radius attribute;
*) dhcp client - fix high CPU usage when interface is disabled;
*) snmp - trap interface filter, multiple trap targets;
*) dhcp - added server support for IPv6 prefix delegation from /ipv6 pool, client support is also added;
*) ipsec - support authorization with raw RSA keys;
*) added ipv6 prefix pools;
*) winbox - now copied item in ordered list is added right after its original;
*) pcq - fixed possible crash;  

Hot Fix Mikrotik Router OS v 5.8

User picture: Ládínek

What's new in 5.9 (2011-Nov-29 14:32):

*) ssh - fix memory leak when client uses public key authentication;
*) ppp - added support for new RADIUS attribute MT-Delegated-IPv6-Pool (#22);
*) ntp client - faster initial synchronization;
*) ppp - added support for dhcpv6 pd;
*) wireless - nv2 improvements for 11n cards;
*) hotspot - fixed login page to better handle big load;
*) wireless - change default rate-selection to advanced;
*) snmp - fixed simple queue table;
*) webfig - fixed problem where users without sensitive permission could download
sensitive files (like backups);
*) webfig - fixed problem where table filters did not work always as expected;
*) metarouter - fixed problem where local routeros instances did not boot;
*) dhcpv6 - client and server moved to respective /ipv6 dhcp- entry;
*) dhcpv6 server - changed how bindings are defined, users should add
missing static binding information after upgrade;
*) sms - send sms now uses channel from config if it's not specified in the command;
User picture: Ládínek

Lately the guys have been churning these out like planting potatoes :)

*) hotspot - fixed https login (broken in v5.9);
*) eoip: swap tunnel id bytes to be compatible with previous versions;
*) eoip,gre: fix setting config

What's new in 5.10 (2011-Dec-09 11:49):

*) snmp - provide extended interface statistics when available;
*) dhcpv6 client - use link-scoped multicast address;
*) dhcp client - renew dhcp lease on ethernet link up event;
*) ipv6 gre tunnel added (/interface gre6) supports ip and ipv6 encapsulation;
*) ip gre tunnel supports ipv6 encapsulation;
*) allow setting bigger trafflow cache;
*) improved RB1200 stability when using ether9,ether10;
*) fixed RB1200 stability issues when using crypto hardware acceleration;

User picture: Ládínek

What's new in 5.12 (2012-Jan-19):

*) console - allow to specify blank interval on x86 screens;
*) console - changed 'password' command, now can be used from scripts and api;
*) winbox - reorganized window layout to match console better;
*) ssh - fixed interoperability problem with psftp based clients;
*) implemented simple SMB (windows file sharing) server;
*) fixed ovpn-client - client stopped working if it was enabled/disabled at wrong time;
*) fixed ipv6 - ipv6 neighbor discovery stopped working when interface arp setting wasn't set to enabled;
*) console - minor fixes and improvements;
*) console - added support for compact export;
*) hotspot - added login redirect through http status 302;
*) leds - added default configuration for R5SHPn wireless card;
*) ppp - fixed problem where remote-ipv6-prefix was not given to user if remote-ipv6-pool was provided;
*) winbox, webfig - sort ethernet interfaces properly when more than 10 exist;
*) added QuickSet to RBSXT, RB411, RB711;
*) user manager - command to create and assign user profile from console;
*) added support for LTE modems (cdc ethernet type);
*) fix gre tunnels on x86 and other little endian machines;

User picture: Ládínek

Hot Fix Mikrotik Router OS v 5.16 Stable

*) webfig - fixed problem when new item addition to status page in design skin mode
did not work;
*) add pw-type option for BGP VPLS;
*) fixed mac telnet - sometimes did not work if more than one mac level path
to destination;
*) user - fixed problem when adding new users from console its password was not set;
*) reset packet mark when encapsulating/decapsulating from eoip,ipip,gre,eoipv6,ipipv6,gre6 tunnels
*) Fixed issue where many connected clients to AP could stop passing traffic in some cases, which was introduced in Mikrotik OS Update v5.15

------------------------------

Hot Fix Mikrotik Router OS v 5.15 Stable

*) ssh - added option "/ip ssh always-allow-password-login" which will allow
   password based login for users using public key;
*) snmp - moved disk oids shown in console from "/system resource" to "/store disk";
*) certificate manager - added PKCS#8 support for key import;
*) lte - support for modems which utilize sierra_net driver with product ID 0x68a3,
   serial interface is no longer accessible for those modems;
*) quickset - added AP mode;
*) smb - fixed authorization problems, shares should now be browsable;
*) dhcp client - revert NTP settings on dhcp client disable;
*) dhcp server - use DNS server from DHCP client (broken in v5.13);
*) sstp - made it working on Pentium 4 again;
*) added support for usb forwarding over tcp;
*) webfig - fixed uptime column in hotspot active users list (and other places as well) ;
*) webfig - hide design skin button if user does not have
  sensitive & policy permissions;
*) webfig - do not allow to upload/download files
  without write/read & ftp permissions;
*) webfig - fixed blank page when logout, undo, redo, hide-menu or safe-mode were hidden in skin,
*) winbox - show connection tracking max entries properly;
*) winbox - make interface name sorting more stable;
*) winbox - do not reset user password when changing its properties;
*) rb1200 ether6,ether7,ether8 did not support big packets when linked at 10/100Mbps;
*) Fixed issue where many connected clients to AP could stop passing traffic in some cases, which was introduced in Mikrotik OS Update v5.15

--------------------------------------------

Hot Fix Mikrotik Router OS v 5.14 Stable,

*) winbox - fixed problem when changing main winbox window size and some of the inner windows
   become hidden;
*) backup - backup file creation failed if router identity name had / in it;
*) wireless - improved nv2 link stability to reduce control frame timeouts,
    only AP requires update;
*) fixed rare configuration retention problems on RB1100AHx2;
*) certificate manager - fixed building certificate trust chain which caused
    certificate validation problems for some programs (VPN, SSTP etc)
    when downgrading from this version to older version please run
    "/certificate reset-certificate-cache" to maintain correct trust chain;

-------------------------------------------------

Hot Fix Mikrotik Router OS v 5.13 Stable

*) firewall - to-address can be specified as ip address with mask in addition to
ip range;
*) traffic-generator - fix crash on multicore systems;
*) smb - fixes and improvements;
*) sstp - added RC4 cipher support to fix interoperability issues
introduced in MS KB2585542 security update. from now on RC4 is the
preferred cipher and AES will be used only if peer does not advertise RC4;
*) dhcp client - revert DNS settings on dhcp client disable;
*) quickset - country & channel-width can now be specified;
*) quickset - added support for configuring pppoe client on wireless interface;
*) bridge - fixed problem where arp reply-only or disabled mode didn't work and
disabled bridge interfaces didn't have X flag;
*) webfig - fixed problem where none of table entries were shown if table filter
was left to 'all';
*) webfig - show login page if autologin fails;
*) user manager - don't store backups in active store, always use path relative to /;

User picture: Mikocok

If using L7 filtering, does it need high resources of the routerboard?

Please visit back @ Jasa Setting Mikrotik
