La tls-host option in MikroTik RouterOS is a firewall feature that allows TLS traffic to be filtered based on the domain name of the server it is directed to.
This can be useful for blocking access to malicious or unwanted websites, or for controlling the flow of traffic on your network.
At the end of the article you will find a small test that will allow you assess the knowledge acquired in this reading
However, it is important to note that using tls-host has some limitations and precautions:
Limitations
- Only works with TLS traffic: It does not affect HTTP traffic or any other protocol other than TLS.
- Requires domain name resolution: The firewall needs to resolve the server's domain name in order to apply the rule. If resolution fails, traffic could pass through unfiltered.
- May be vulnerable to bypass attacks: Attackers can use techniques to hide the server's real domain name, making the tls-host rule ineffective.
- Disable hardware download: When using tls-host, hardware offloading for processing TLS packets is disabled, which can decrease network performance.
Precautions
- Don't block legitimate websites: Make sure tls-host rules don't accidentally block websites your users need.
- Be careful with wildcards: Avoid using wildcards in tls-host rules, as this could block more traffic than you want.
- Keep MikroTik updated: Make sure your MikroTik RouterOS is updated with the latest security patches to avoid vulnerabilities.
Alternatives
- IP based filters: You can filter traffic based on the server's IP address, which can be more effective in some cases.
- Using access lists: You can use access lists to specify which servers or domains are allowed or blocked.
- Implementation of a web proxy: A web proxy can filter the content of web pages and block access to malicious websites.
The tls-host option can be a useful tool for filtering TLS traffic in MikroTik RouterOS, but it is important to use it with caution and be aware of its limitations.
Consider alternatives and follow appropriate security practices to protect your network effectively.
Most websites now use https and blocking https websites is much more difficult with MikroTik RouterOS version lower than 6.41. But starting with RouterOS v6.41, MikroTik Firewall introduces a new property called TLS Hos t which is able to match https websites very easily.
Therefore, blocking https websites like Facebook, YouTube, etc. It can be easily done with MikroTik Router if the RouterOS version is higher than 6.41.
Filtering based on host names
You can use “tls-host” in firewall rules to filter traffic based on hostnames instead of IP addresses. This can be beneficial if the IP addresses of the servers you communicate with are prone to changing and you prefer to use hostnames that remain constant.
/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=example.com action=accept
In this example, the rule will allow outbound TLS traffic to port 443 destined for “example.com.”
Certificate and hostname management
By using the “tls-host” option, you can make it easier to manage SSL/TLS certificates on your network. If the certificates change or are renewed and the hostname remains the same, you will not need to update the firewall rules with new IP addresses.
Reducing dependency on fixed IP addresses
In some cases, especially when interacting with cloud-hosted services or with service providers that may change assigned IP addresses, using “tls-host” provides an abstraction layer that reduces reliance on fixed IP addresses.
/ip firewall filter add chain=forward dst-port=8443 protocol=tcp tls-host=cloud-service.com action=accept
Here, outgoing TLS traffic to port 8443 destined for “cloud-service.com” will be allowed regardless of the current IP address of the service.
It is important to note that for the “tls-host” option to be effective, the remote service must support the use of host names instead of IP addresses. Not all services or applications allow this flexibility, so it is crucial to review the documentation for the specific service you are using.
How to Block HTTPS Websites with TLS Host Matcher
- Go to the IP > Firewall menu item and click the Filtering Rules tab and then click the PLUS SIGN (+). The New Firewall Rule window appears.
- Choose forward from the String drop-down menu.
- Choose tcp from the Protocol drop-down menu.
- Click Dst. Port and port entry box 443.
- Click on the Advanced tab and click on the TLS Host input box and put the domain name you want to block (such as *.facebook.com) in this box.
- Click the Action tab and choose drop from the Action drop-down menu.
- Click Apply and the OK button.
Firewall rule by Command
/ip firewall filter add chain=forward dst-port=443 protocol=tcp tls-host=*.facebook.com action=drop
Brief knowledge quiz
What do you think of this article?
Do you dare to evaluate your learned knowledge?
Recommended book for this article
RouterOS v7 Advanced Security Book
Study material for the MTCSE Certification Course, updated to RouterOS v7
Related Posts
- MikroTik IPSec: Choose between Tunnel Mode and Transport Mode for VPN
- ICMP filter in a MikroTik Firewall
- Between Stateful and Stateless: Mastering the MikroTik Firewall
- MikroTik and Wireless Authentication: Understanding 'Allow Shared Key'
- HSRP, VRRP, GLBP: Understanding Key Protocols for Network Redundancy