[ previous ] [ next ] [ threads ]
 
 From:  Radek Krupa <aeon at ultra dot cto dot us dot edu dot pl>
 To:  Rob Kruit <rob dot kruit at quicknet dot nl>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] layer 7 integration
 Date:  Sat, 12 Mar 2005 17:16:59 +0100
I think it's easier than you think.
Linux guys have such a solution.
You can find further info here:
http://l7-filter.sourceforge.net/
http://oofle.com/
http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html
http://www.netintact.com/

But I doubt it will run on WRAP or Soekris. Layer7  is more cpu power hungry
than just port checking.

Layer7 filtering was what made me to put my linux router in da network again.
I'm using htb, esfq, ipp2p to fully controll user bandwidth. And they use p2p
very often :(
I wasn't able to set up needed shaping on m0n0, used here for many, many months.
My linux is working great but I'm missing m0n0's webGUI and easy of use, and
many, many more nice features.

It will be great to implement similar l7 control in *bsd/m0n0 (well, maybe there
is such a project, but I'm unaware of it).

Port based traffic shaping is simply not an option when ppl are using p2p
application that can run on any port, including 21, 80, 443 and so on.

AeoN

> I think this would every hard to do, if not impossible. Letting it
> operate on layer 7 would require it to be an application level firewall
> like many desktop firewalls and to provide such functionality it's
> required to run on the client pc on which the applications are running
> you wish to block/filter or like Microsoft ISA server running a firewall
> client on the client PC's. This would mean there has to be a piece of
> client software running on the client pc's authenticating the local
> users against the firewalls user database and then monitoring those p2p
> applications locally for what ports they use which is then be send to
> the firewall which would dynamically filter these ports. Doing this
> would be extremely difficult and I don't think it's gonna be in any next
> versions of mono wall.
> Another option is using the p2p wizard in mono wall's traffic shaping
> options or simply set bandwidth limits and low priority's on connections
> to and from any port except connections to port 80, 21 and 110. This
> would permit them to use http, ftp and mail traffic on full speed but
> any other traffic is limited.
>
> Regards,
>
> Rob Kruit
>
> Brian Morton wrote:
>
> > I was thinking today about how great it would be to be able to keep my
> > roommates from just changing their port #s to get around my traffic
> > shaping, and then it hit me, that the layer 7 traffic shaper would be
> > better suited to the purpose of the m0n0wall traffic shaper than a
> > port based system.  What is the possibility of getting this integrated
> > into m0n0?  I know very very little about FreeBSD or if this is even
> > possible, but just wanted to throw it out there and see what you guys
> > thought.
> >
> >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>
>




----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.