Using the layer 7 filters – instant messaging example

In this article, I will describe one functional use for the layer-7 filters that MikroTik offers. This feature can be very useful if used with caution. The main problem with L7 filters is that they require much more processor time than most of the other firewall functions. I am not saying this just to “scare” you away from using them, but you need to be aware of this issue. The scripts in this article have been tested and DO work as written. They are in no way complete, but they are certainly functional as posted.

First things first. I am only listing 5 specific protocols to match here. You can find more of them at the Layer 7 project page. If you look at the examples on that page and compare them with the regexp values here, you can easily see how to add more of these to your router. You can also get some from Mikrotik’s wiki, though it’s been a while since I’ve seen that updated.

Now, on with the tutorial. The text below is a simple script that creates 4 new layer 7 filters. What you are adding here is a list of protocol definitions that will allow you to use a new “match” parameter in the “/ip firewall filter add” portion of your router configuration. In other words, Mikrotik will, by default, allow you to match on things like “src-address” and “dst-address”; these definitions add “layer7-protocol” as one more thing you can match on. More on the match option below.

/ip firewall layer7-protocol
add name="YahooIM" regexp="^(ymsg|ypns|yhoo).\?.\?.\?.\?.\?.\?.\?[lwt].*\C0\80" comment="Yahoo Instant Messenger"
add name="MSNMESSENGER" regexp="ver [0-9]+ msnp[1-9][0-9]\? [\09-\0D -~]*cvr0\0D\0A\$|usr 1 [!-~]+ [0-9. ]+\0D\0A\$|ans 1 [!-~]+ [0-9. ]+\0D\0A\$" comment="MSN Messenger"
add name="AIM" regexp="^(\\*[\01\02].*\03\0B|\\*\01.\?.\?.\?.\?\01)|flapon|toc_signon.*0x" comment="AIM"
add name="IRC" regexp="^(nick[\09-\0D -~]*user[\09-\0D -~]*:|user[\09-\0D -~]*:[\02-\0D -~]*nick[\09-\0D -~]*\0D\0A)" comment="IRC Chat"

Now that we have added the protocol matchers, we can use them as a matcher in the firewall as follows:

/ip firewall filter
add chain=forward layer7-protocol="YahooIM" action=drop
add chain=forward layer7-protocol="MSNMESSENGER" action=drop
add chain=forward layer7-protocol="AIM" action=drop
add chain=forward layer7-protocol="IRC" action=drop

As you can see, this feature gives us the ability to easily create matchers for our firewall. This functionality comes at a cost, however. In order to utilize the layer 7 filters, your router has to disassemble EVERY PACKET it encounters in order to see if it matches the filter. What this means in terms of usefulness is that you want to put rules that accept/drop other traffic ABOVE the layer 7 tests. By adding these rules below your other filter rules, you eliminate the need for the router to inspect 100% of the traffic at layer 7. One other approach is to use the mangle chain to create connection marks for the traffic and then just match on the connection mark in the filter table. Either way, I recommend at least a 300MHz processor (Mikrotik’s RB400 series will work fine) for a small number of tests or under relatively light packet load, such as you would find on an end user’s CPE device. My main “warning” here is to watch the CPU load both before and after you have added your rulesets. ALSO, adding the layer7 protocol definitions (the first section) does not increase CPU load; it is the “test” or “matcher” in the second section that I am warning about.
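Here is the mangle/connection-mark layout the paragraph above describes, written out as an added example (it is not part of the original article). It assumes the four layer7-protocol entries from the first section already exist; the mark name “im-blocked”, the log prefix and the rule comments are my own choices.

```routeros
# Added example, not from the original article: run the layer 7 regexp once
# per connection in mangle, then let the filter table match only on the
# resulting connection mark. Assumes YahooIM, MSNMESSENGER, AIM and IRC are
# already defined under /ip firewall layer7-protocol (see the first section).

/ip firewall mangle
# A packet is handed to the layer 7 regexp only if its connection carries no
# mark yet, so a connection that has matched is never scanned again
# (RouterOS also stops scanning a connection after its first 10 packets or
# 2KB if nothing matched). passthrough=no keeps the remaining mangle rules
# from running on a packet that has already matched.
add chain=prerouting connection-mark=no-mark layer7-protocol=YahooIM action=mark-connection new-connection-mark=im-blocked passthrough=no comment="L7 Yahoo IM"
add chain=prerouting connection-mark=no-mark layer7-protocol=MSNMESSENGER action=mark-connection new-connection-mark=im-blocked passthrough=no comment="L7 MSN Messenger"
add chain=prerouting connection-mark=no-mark layer7-protocol=AIM action=mark-connection new-connection-mark=im-blocked passthrough=no comment="L7 AIM"
add chain=prerouting connection-mark=no-mark layer7-protocol=IRC action=mark-connection new-connection-mark=im-blocked passthrough=no comment="L7 IRC"
# Per-protocol visibility comes from the packet counters of these four rules:
#   /ip firewall mangle print stats

/ip firewall filter
# Matching on the connection mark is a plain connection-tracking lookup, not
# a regexp scan, so it is cheap enough to sit first. It MUST sit above the
# established/related accept: the payload packets that trip the regexp belong
# to an already established connection, and an accept above this line would
# let them through before the mark was ever tested.
add chain=forward connection-mark=im-blocked action=log log-prefix="L7-IM" comment="optional: watch what the patterns catch before dropping"
add chain=forward connection-mark=im-blocked action=drop comment="drop marked IM connections"
# Everything else takes the fast path and never reaches a layer 7 test.
add chain=forward connection-state=established,related action=accept comment="fast path"
add chain=forward connection-state=invalid action=drop comment="drop invalid"

# Compare cpu-load here before and after enabling the mangle rules, as the
# article advises.
/system resource print
```

Leave the log rule in place only while you are confirming that the patterns catch the traffic you expect; on a busy link it adds its own cost.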

I hope this article has been helpful to you.  If it has, then please “DIGG  it”!
