February 8, 2017 at 12:23Block file downloads by extension. Mikrotik RouterOS
Hi Habr! There is a lot of hardware and software that can filter traffic. In my case, this is the Mikrotik RB3011UiAS-RM. The task was as follows: to prohibit the download of certain file formats.
It seems to be a simple task, and quick google led to the decision to block connections through Layer7, because Web-Proxy works only with HTTP. And there were examples, but working as it should - did not work.
upd: the solution only works if a file request via HTTP is sent from the site’s HTTPS. ( iaon ) ( drsmoll )
As a result: The example with mp3-tut.net works , but with www.nasa.gov/connect/sounds/index.html it does not work .
So, the first link on Mikrotik Layer7 leads toWiki-Mikrotik .
And there we see that for Layer7 to work, you need to fill in the regular expression with which the router will operate. There is also a note about using POSIX-compatible regexp.
One of the first regexp options:
Does not work! Not all downloads are blocked, sometimes sites are blocked, in the name or in the query line of which there are extension characters.
Next, many sites from the first three pages of Google’s listings were checked. And I came to the conclusion - regexp should be picked.
Again Google and search. As a result, I came across wonderful sites:
http://web-sniffer.net/
https://regex101.com/
The first gives out what requests go to download the file. The second of this regexp matches matches.
As a result, I came to the following option:
Consider in detail:
The penultimate paragraph, with [^ a-zA-Z0-9] is used to allow non-control characters, for example: php.net/manual/ru/function.exec.php
The rule will apply only in the second case.
Yes, the GET line where there will be .extension. will drop. But in my case this is enough. Users did not complain. And you can supplement these rules as you like.
Next, for everything to work as it should, create rules for the Firewall:
upd: - instead of DROP, specify REJECT-TCP RESET. In this case, the browser receives the response “Connection reset”. Allows you to immediately refuse to load the page or frame that the rule worked on, which in turn will speed up the loading. (Thanks for the AcidVenom tip )
The AllowAll list contains IP addresses to which the rule does not apply.
Checking the set of regular expressions Layer7:
That's all!
It seems to be a simple task, and quick google led to the decision to block connections through Layer7, because Web-Proxy works only with HTTP. And there were examples, but working as it should - did not work.
upd: the solution only works if a file request via HTTP is sent from the site’s HTTPS. ( iaon ) ( drsmoll )
As a result: The example with mp3-tut.net works , but with www.nasa.gov/connect/sounds/index.html it does not work .
So, the first link on Mikrotik Layer7 leads toWiki-Mikrotik .
And there we see that for Layer7 to work, you need to fill in the regular expression with which the router will operate. There is also a note about using POSIX-compatible regexp.
One of the first regexp options:
^.+(exe|mp3|mpeg).*$Does not work! Not all downloads are blocked, sometimes sites are blocked, in the name or in the query line of which there are extension characters.
Next, many sites from the first three pages of Google’s listings were checked. And I came to the conclusion - regexp should be picked.
Again Google and search. As a result, I came across wonderful sites:
http://web-sniffer.net/
https://regex101.com/
The first gives out what requests go to download the file. The second of this regexp matches matches.
As a result, I came to the following option:
GET .*(\.exe|\.bat|\.reg|\.cmd|\.scr|\.vbs|\.vbs|\.ws|\.wsf|\.wsc|\.apk)[^a-zA-Z0-9].*HTTP.*\nConsider in detail:
- GET - the beginning of the line in which the request for something on example.com occurs
- . * - any number of characters
- (\ .exe | \ .bat | \ .reg | \ .cmd | \ .scr | \ .vbs | \ .vbs | \ .ws | \ .wsf | \ .wsc | \ .apk) - a list of what we are looking for
- . * - any number of characters
- [^ a-zA-Z0-9] - signs, ^ = NOT included in the set az, AZ, 0-9
- . * HTTP. * \ N - HTTP framed by any characters ( HTTP. * Optional), and \ n - line feed
The penultimate paragraph, with [^ a-zA-Z0-9] is used to allow non-control characters, for example: php.net/manual/ru/function.exec.php
Connect to 72.52.91.14 on port 80 ... ok
GET /manual/ru/function.exec.php HTTP/1.1
Host: php.netConnect to 72.52.91.14 on port 80 ... ok
GET /manual/ru/function.exe.php HTTP/1.1
Host: php.net
The rule will apply only in the second case.
Yes, the GET line where there will be .extension. will drop. But in my case this is enough. Users did not complain. And you can supplement these rules as you like.
Next, for everything to work as it should, create rules for the Firewall:
upd: - instead of DROP, specify REJECT-TCP RESET. In this case, the browser receives the response “Connection reset”. Allows you to immediately refuse to load the page or frame that the rule worked on, which in turn will speed up the loading. (Thanks for the AcidVenom tip )
The AllowAll list contains IP addresses to which the rule does not apply.
Checking the set of regular expressions Layer7:
That's all!