
Re: pf with any l7 patches or ability?

Yes, I agree that l7 filtering is a hyped term. My original pitch to accomplish my goal (Internet in apartments/dorms with traffic control) was to use netflow data, some Perl, and rate-limit commands/ACLs on the Cisco site border routers. Basically my own version of a dorm concept from a guy I work with on occasion, available here: http://www.ncne.org/training/techs/2001/0128/presentations/200101-kline1_files/v3_document.htm

I've done this in the past and it works very, very well. The intended goal being that users who have their file sharing programs (or whatever) pushing data at tremendous rates (and more or less ruining the experience for regular users) get put into a group that has to share about 128k of bandwidth. The problem I ran into is that none of them got the equipment I recommended, so now I have to look at bad ways to do something already convoluted.

Currently there are OpenBSD boxes at each site generating netflow data with softflowd as well as top transfers via ipfm, and using altq to do some QoS. As of now I have some Perl glue that looks at top users and adds them to a table with the lowest priority.

I love the pf code; you guys do a top notch job, you do something and do it well. Tonight I have been working on getting snort installed and putzing with hogwash. Once again the smart people on this list have pointed me in a new direction that I think will be very, very helpful for me. Thanks again for a great tool.

On Nov 6, 2003, at 5:03 AM, Henning Brauer wrote:

l7 filtering is basically just a buzzword.
you've had it for years - it's called "proxy".
what they mean by the new buzzword is integrating the config, and
perhaps doing this in kernel land.
to get an idea why l7 stuff in kernel is a bad bad bad bad idea, look
at ipf - search bugtraq for the problems it had with its in-kernel
or look at netfilter, they've just been bitten by their in-kernel
"connection tracking" for ftp and irc as well. bugtraq is your friend
here too ;-)
I don't believe Packeteer or anything else is doing any better. it's
simply a design fault.

On Wed, Nov 05, 2003 at 10:05:36PM -0600, Nick Buraglio wrote:
I don't necessarily disagree. I had a feeling I was chasing a ghost,
but I have a need for a Packeteer-ish appliance without the price. The
reason I was looking at OpenBSD was that I like the bridge code. It
works well, it's not hard to configure and best of all pf is there.
The real problem is that in the locations I need to put these
theoretical devices the owners are too cheap to buy good equipment that
could perform the job, so I search for a hack to do a similar job.
Worst case is that I use Linux with the l7 patches. I'd just prefer to
use a BSD, not necessarily pf; I figured that people on this list may
have some idea.

Thanks again.


On Nov 5, 2003, at 7:51 PM, Laurent Cheylus wrote:


Quoting Nick Buraglio <[email protected]>:

I'm looking for anyone that knows of a BSD project that does something
similar to the Linux Layer 7 filter project. Details found here:
http://l7-filter.sourceforge.net/ I'm more or less hoping that someone
has a *BSD project that can classify packets based on application data
in the connections they belong to, or that there is a patch for pf to
do this. Is there anything in the works that anyone knows of?

If you read the recent archives of this list, you could see that
'official' PF devs (Daniel, Henning) don't want to work on data payload
inspection (bad performance to do things like that in kernel space....).

In my opinion, classifying packets based on application data is a (very)
bad idea for security. If you decide to block or accept packets with rules
based only on app data and a too simple grammar for classification, it's
too easy to fake your

I don't really want to block or pass, just shape.

Example:
- pass in on $EXT from any to POP3_SERVER app POP3 ('app' is a new
keyword for classification based on app data)
- the grammar for POP3 protocol of the L7-filter project
- by sending a packet with payload 'pop3', your packet is accepted
even if it's not a packet for POP3 exchange

A++ Foxy

Laurent Cheylus <[email protected]> OpenPGP ID 0x5B766EC2

Henning Brauer, BS Web Services, http://bsws.de
[email protected] - [email protected]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
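Laurent's POP3 example and Henning's "it's called a proxy" are two halves of the same point, and it is easy to see both in code. The block below is an added example for this thread, not code from pf, l7-filter, or any of the posters. It puts an l7-filter style classifier (a regex run over the first bytes of a connection; the `pop3` and `http` regexes are simplified stand-ins I wrote, not l7-filter's real patterns) next to a minimal POP3 proxy that parses the exchange turn by turn. A genuine session and a constructed file-sharing stream that merely begins with the bytes `+OK` both get tagged `pop3` by the classifier; only the proxy notices that the second one is not POP3 at all. The same holds if the tag is used for shaping rather than for pass/block: whoever picks the opening bytes of a stream picks its queue.

```python
"""Pattern classification vs. a real protocol proxy, using POP3 as in the thread.

Added example for this thread; not code from pf, l7-filter, or any poster.
Assumptions: the POP3 and HTTP regexes are simplified stand-ins for the kind
of pattern an l7-filter style classifier applies to the start of a connection
(not l7-filter's real patterns); the sample exchanges are constructed.
"""
import re

# Classifier side: one regex per protocol, run over the first LOOKAHEAD bytes
# of a connection's payload (both directions concatenated in arrival order).
LOOKAHEAD = 512
L7_PATTERNS = {
    "pop3": re.compile(rb"^(\+ok|-err)", re.IGNORECASE),
    "http": re.compile(rb"^(get|post|head) [^\r\n]+ http/1\.[01]\r\n", re.IGNORECASE),
}

def stream(turns):
    """Concatenate the payload of an exchange, as a flow classifier sees it."""
    return b"".join(line for _, line in turns)

def l7_classify(payload):
    """Tag a connection by whichever pattern first matches its opening bytes."""
    head = payload[:LOOKAHEAD]
    for name, pat in L7_PATTERNS.items():
        if pat.search(head):
            return name
    return "unknown"

# Proxy side: parse the exchange turn by turn against a minimal POP3 grammar
# (RFC 1939 commands with fixed argument counts; multi-line data responses
# such as the message body after RETR are not modelled here).
CLIENT_CMDS = {
    b"USER": {1}, b"PASS": {1}, b"STAT": {0}, b"LIST": {0, 1}, b"RETR": {1},
    b"DELE": {1}, b"NOOP": {0}, b"RSET": {0}, b"QUIT": {0},
}

def validate_pop3(turns):
    """turns: list of ("S"|"C", line) in order, each line including CRLF.
    Returns (True, None) for a well-formed session, else (False, reason)."""
    if not turns or turns[0][0] != "S" or not turns[0][1].startswith(b"+OK"):
        return False, "session must open with a server +OK greeting"
    expect = "C"
    for i, (side, line) in enumerate(turns[1:], 1):
        if side != expect:
            return False, f"turn {i}: expected {expect} to speak"
        if not line.endswith(b"\r\n") or len(line) > 255:
            return False, f"turn {i}: not a CRLF-terminated line of at most 255 bytes"
        body = line[:-2]
        if side == "C":
            words = body.split(b" ")
            cmd, args = words[0].upper(), words[1:]
            if cmd not in CLIENT_CMDS:
                return False, f"turn {i}: unknown command {cmd!r}"
            if len(args) not in CLIENT_CMDS[cmd]:
                return False, f"turn {i}: wrong argument count for {cmd.decode()}"
            if any(not a or not all(0x21 <= b <= 0x7E for b in a) for a in args):
                return False, f"turn {i}: empty or non-printable argument"
            expect = "S"
        else:
            if not (body.startswith(b"+OK") or body.startswith(b"-ERR")):
                return False, f"turn {i}: server reply must start with +OK or -ERR"
            expect = "C"
    return True, None

# Constructed samples.
GENUINE = [
    ("S", b"+OK POP3 server ready\r\n"),
    ("C", b"USER alice\r\n"),        ("S", b"+OK\r\n"),
    ("C", b"PASS hunter2\r\n"),      ("S", b"+OK logged in\r\n"),
    ("C", b"STAT\r\n"),              ("S", b"+OK 2 320\r\n"),
    ("C", b"QUIT\r\n"),              ("S", b"+OK bye\r\n"),
]
# A file-sharing peer that prefixes its stream with the bytes "+OK\r\n" so
# that the classifier files the whole connection under "pop3".
SPOOFED = [
    ("S", b"+OK\r\n"),
    ("C", b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 20 + b"B" * 20),
]

if __name__ == "__main__":
    for name, turns in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, "classifier:", l7_classify(stream(turns)),
              "proxy:", validate_pop3(turns))
```

The proxy is no smarter than its grammar either, but it has to be satisfied on every turn, in both directions, for the life of the connection, which is what makes it a different design from a one-shot match on the opening bytes.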
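Nick's working approach at the top of the message, flow accounting plus a pf table that a low-priority queue is hung off, needs no payload inspection at all, so it is worth showing the shape of that glue. The block below is an added example, not Nick's Perl or anything from pf or softflowd. It assumes flows have already been reduced to one `src dst bytes` line each (a constructed format, not softflowd's output), that the internal range is 10.0.0.0/8, that pf.conf declares `table <hogs> persist` and has a rule like `pass in quick from <hogs> queue lowprio` (assumed names), and that the cutoff is 500 MiB per accounting window. The threshold and address space are the only knobs; the classification key is the source address and its volume, so a host cannot talk its way out of the table by dressing up its traffic.

```python
"""Pick bandwidth hogs from flow records and keep a pf table in step with them.

Added example, not Nick's Perl glue and not part of pf or softflowd. Assumes:
  - flow records have been reduced to one line per flow:
        <src-ip> <dst-ip> <bytes>        (constructed format)
  - pf.conf has `table <hogs> persist` and a rule that sends traffic from
    <hogs> to a low-priority altq queue (names assumed)
  - a host is a hog when it has pushed more than THRESHOLD bytes in the window
"""
import ipaddress
import subprocess
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed dorm address space
TABLE = "hogs"                                    # assumed pf table name
THRESHOLD = 500 * 1024 * 1024                     # assumed: 500 MiB per window

# Constructed sample: one internal host well over the threshold, two quiet
# ones, and one inbound flow (external source) that must not be counted.
SAMPLE_FLOWS = """\
10.1.2.3 198.51.100.7 734003200
10.1.2.3 203.0.113.9 104857600
10.1.2.4 198.51.100.7 2097152
10.1.9.9 198.51.100.7 5242880
192.0.2.1 10.1.2.4 8388608
"""

def bytes_by_internal_source(text):
    """Sum bytes sent by each internal host; skip inbound and malformed lines."""
    totals = defaultdict(int)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            nbytes = int(parts[2])
        except ValueError:
            continue
        if src in INTERNAL and nbytes >= 0:
            totals[str(src)] += nbytes
    return dict(totals)

def pick_hogs(totals, threshold=THRESHOLD):
    """Hosts over the threshold, heaviest first."""
    return sorted((h for h, b in totals.items() if b > threshold),
                  key=lambda h: -totals[h])

def pfctl_commands(hogs, current, table=TABLE):
    """pfctl invocations that make the table equal to `hogs`.
    `current` is the set of addresses already in the table (what
    `pfctl -t hogs -T show` printed at the start of this run)."""
    cmds = []
    for h in hogs:
        if h not in current:
            cmds.append(["pfctl", "-t", table, "-T", "add", h])
    for h in sorted(current):
        if h not in hogs:
            cmds.append(["pfctl", "-t", table, "-T", "delete", h])
    return cmds

def apply_commands(cmds, dry_run=True):
    """Print the commands, or run them when invoked with dry_run=False as root."""
    for c in cmds:
        if dry_run:
            print(" ".join(c))
        else:
            subprocess.run(c, check=True)

if __name__ == "__main__":
    totals = bytes_by_internal_source(SAMPLE_FLOWS)
    apply_commands(pfctl_commands(pick_hogs(totals), current={"10.1.9.9"}))
```

Run from cron once per accounting window, it adds the hosts that crossed the line and releases the ones that dropped back under it, so the penalty follows behaviour rather than sticking to an address forever. Hosts behind a shared NAT address will be counted together, which is the one case where keying on source address gives the wrong answer.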