Re: pf with any l7 patches or ability?
Yes, I agree that l7 filtering is a hyped term. My original pitch to
accomplish my goal (internet in apartments/dorms with traffic control)
was to use netflow data, some perl, and rate-limit commands/ACLs on the
cisco site border routers. Basically my own version of the dorm concept
of a guy I work with on occasion, available here:
kline1_files/v3_document.htm I've done this in the past and it works
very, very well. The intended goal being users that have their file
sharing programs (or whatever) pushing data at tremendous rates (and
more or less ruining the experience for regular users) get put into a
group that has to share about 128k of bandwidth. The problem I ran
into is that none of them got the equipment I recommended, so now I
have to look at bad ways to do something already convoluted. Currently
there are OpenBSD boxes at each site generating netflow data with
softflowd as well as top transfers via ipfm and using altq to do some
QoS. As of now I have some perl glue that looks at top users and adds
them to a table with the lowest priority. I love the pf code, you
guys do a top notch job, you do something and do it well. Tonight I
have been working on getting snort installed and putzing with hogwash.
Once again the smart people on this list have pointed me in a new
direction that I think will be very, very helpful for me. Thanks again
for a great tool.
On Nov 6, 2003, at 5:03 AM, Henning Brauer wrote:
l7 filtering is basically just a buzzword.
you have had it for years - it's called "proxy".
what they mean by the new buzzword is integrating the config, and
perhaps doing this in kernel land.
to get an idea why l7 stuff in kernel is a bad bad bad bad idea, look
at ipf - search bugtraq for the problems it had with its in-kernel
or look at netfilter, they've just been bitten by their in-kernel
"connection tracking" for ftp and irc as well. bugtraq is your friend
here too ;-)
I don't believe packeteer or anything else is doing any better. it's
simply a design fault.
On Wed, Nov 05, 2003 at 10:05:36PM -0600, Nick Buraglio wrote:
I don't necessarily disagree. I had a feeling I was chasing a ghost,
but I have a need for a packeteer-ish appliance without the price.
The reason I was looking at openbsd was that I like the bridge code. It
works well, it's not hard to configure and best of all pf is there.
The real problem is that in the locations I need to put these
theoretical devices the owners are too cheap to buy good equipment that
could perform the job so I search for a hack to do a similar job.
Worst case is that I use linux with the l7 patches. I'd just prefer to
use a BSD, not necessarily pf, I figured that people on this list may
have some idea.
On Nov 5, 2003, at 7:51 PM, Laurent Cheylus wrote:
Hi,

I don't really want to block or pass, just shape.
Quoting Nick Buraglio <[email protected]>:
I'm looking for anyone that knows of a bsd project that does
similar to to the Linux Layer 7 filter project. Details found here:
http://l7-filter.sourceforge.net/ I'm more or less hoping that
has a *BSD project that can classify packets based on application
in the connections they belong to or that there is a patch for pf to
this. Is there anything in the works that anyone knows of?
If you read the recent archives of this list, you could see that
devs (Daniel, Henning) don't want to work on data payload inspection
performances to do things like that in kernel space....).
In my opinion, classifying packets based on application data is a (very)
for security. If you decide to block or accept packets with a rule based only on
app data and a too simple grammar for classification, it's too easy
- pass in on $EXT from any to POP3_SERVER app POP3 ('app' is a new
classification based on app data)
- the grammar for POP3 protocol of L7-filter project
- by sending a packet with payload 'pop3', your packet is accepted even if it's
not a packet for POP3 exchange
Laurent Cheylus <[email protected]> OpenPGP ID 0x5B766EC2
Henning Brauer, BS Web Services, http://bsws.de
[email protected] - [email protected]
Unix is very simple, but it takes a genius to understand the
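The bypass Laurent describes (a payload-pattern classifier that accepts anything carrying the POP3 token) and Henning's counterpoint (a proxy that actually speaks the protocol) are shown side by side below. This is an added example, not code from the thread, from pf or from the l7-filter project; the regexes, the `POP3_SERVER` address, the sample payloads and all function names are constructed for illustration and are not the l7-filter project's real pattern files.

```python
import re
from typing import Optional

# ASSUMED, simplified stand-in for a payload-pattern classifier of the kind
# Laurent sketches with "app POP3". These regexes are constructed for the
# example and are not the l7-filter project's pattern definitions.
APP_PATTERNS = {
    "pop3": re.compile(rb"^(\+OK|-ERR)(\s|$)", re.IGNORECASE),
    "http": re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
}

# Assumed address standing in for the POP3_SERVER macro in the sketched rule.
POP3_SERVER = "192.0.2.10"

# POP3 commands a client may legitimately open with (RFC 1939 / RFC 2449 / RFC 2595).
POP3_CLIENT_CMD = re.compile(
    rb"^(USER|PASS|APOP|AUTH|CAPA|STLS|QUIT|STAT|LIST|RETR|DELE|NOOP|RSET|TOP|UIDL)"
    rb"( [^\r\n]*)?\r\n$",
    re.IGNORECASE,
)


def classify(payload: bytes) -> Optional[str]:
    """Payload-only classification: the first pattern that matches wins.

    Direction, port and connection state are ignored, which is exactly what
    makes the result spoofable by whoever controls the payload."""
    for app, pattern in APP_PATTERNS.items():
        if pattern.match(payload):
            return app
    return None


def rule_pass_pop3(dst: str, payload: bytes) -> bool:
    """Models 'pass in on $EXT from any to POP3_SERVER app POP3'."""
    return dst == POP3_SERVER and classify(payload) == "pop3"


def proxy_style_check(from_server: bool, payload: bytes) -> bool:
    """Direction-aware check in the spirit of 'it's called a proxy'.

    '+OK' and '-ERR' are server replies, so a client whose first line starts
    with them is not speaking POP3. A proxy that relays the real server's
    greeting itself never lets the client supply that side of the dialogue."""
    if from_server:
        return re.match(rb"^(\+OK|-ERR)[^\r\n]*\r\n$", payload) is not None
    return POP3_CLIENT_CMD.match(payload) is not None


# Constructed sample payloads (not captured traffic).
GENUINE_GREETING = b"+OK POP3 server ready\r\n"
# Arbitrary non-POP3 client traffic with the POP3 token bolted on in front.
SPOOFED = b"+OK \r\n" + b"SSH-2.0-OpenSSH_3.7\r\n"


def demo() -> dict:
    """Summarises the spoof: the pattern matcher passes it, the proxy check does not."""
    return {
        "genuine_classified_pop3": classify(GENUINE_GREETING) == "pop3",
        "spoof_classified_pop3": classify(SPOOFED) == "pop3",
        "spoof_passes_rule": rule_pass_pop3(POP3_SERVER, SPOOFED),
        "spoof_rejected_by_proxy_check": not proxy_style_check(False, SPOOFED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a shaping policy of the kind Nick describes (queue assignment rather than pass/block), the same spoof does not open a hole; it only lets the sender choose which queue its traffic lands in, which is worth keeping in mind when the classifier feeds a "lowest priority" table.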