 
 From:  "Rob Kruit" <rob dot kruit at quicknet dot nl>
 To:  "'Radek Krupa'" <aeon at ultra dot cto dot us dot edu dot pl>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] layer 7 integration
 Date:  Sat, 12 Mar 2005 17:31:52 +0100
Sounds really great; unfortunately I do not have enough experience to
implement such a solution with Linux. The port filtering solution I provided
actually is very effective, as it blocks any outgoing connections from the
client to ports other than 21, 80 and 110. It would not allow anyone to
download from the client PC, and it would not allow the client to make any
outgoing connections to ports other than 80, 21 and 110, effectively blocking
about 99% of the p2p downloads, since only a few people have their p2p client
running on one of those ports. This is a solution that is used with many
commercial firewalls (only open what you have to use) and has proven very
effective. However, it also greatly reduces the flexibility of your internet
connection. But if m0n0wall is ever going to support packet content matching,
I will definitely use it!

Rob


-----Original message-----
From: Radek Krupa [mailto:aeon at ultra dot cto dot us dot edu dot pl] 
Sent: Saturday 12 March 2005 17:17
To: Rob Kruit
CC: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] layer 7 integration


I think it's easier than you think.
Linux guys have such a solution.
You can find further info here:
http://l7-filter.sourceforge.net/
http://oofle.com/
http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html
http://www.netintact.com/

But I doubt it will run on WRAP or Soekris. Layer 7 is more CPU power hungry
than just port checking.

Layer 7 filtering was what made me put my Linux router in the network
again.
I'm using htb, esfq and ipp2p to fully control user bandwidth. And they use
p2p very often :(
I wasn't able to set up the needed shaping on m0n0, used here for many, many
months.
My Linux is working great, but I'm missing m0n0's webGUI and ease of use, and
many, many more nice features.

It would be great to implement similar l7 control in *BSD/m0n0 (well, maybe
there is such a project, but I'm unaware of it).

Port based traffic shaping is simply not an option when people are using p2p
applications that can run on any port, including 21, 80, 443 and so on.

AeoN

> I think this would be very hard to do, if not impossible. Letting it
> operate on layer 7 would require it to be an application level firewall
> like many desktop firewalls, and to provide such functionality it's
> required to run on the client PC on which the applications you wish to
> block/filter are running, or, like Microsoft ISA Server, to run a firewall
> client on the client PCs. This would mean there has to be a piece of
> client software running on the client PCs, authenticating the local
> users against the firewall's user database and then monitoring those p2p
> applications locally for what ports they use, which is then sent to
> the firewall, which would dynamically filter these ports. Doing this
> would be extremely difficult and I don't think it's going to be in any next
> versions of m0n0wall.
> Another option is using the p2p wizard in m0n0wall's traffic shaping
> options, or simply set bandwidth limits and low priorities on connections
> to and from any port except connections to ports 80, 21 and 110. This
> would permit them to use HTTP, FTP and mail traffic at full speed, but
> any other traffic is limited.
>
> Regards,
>
> Rob Kruit
>
> Brian Morton wrote:
>
> > I was thinking today about how great it would be to be able to keep my
> > roommates from just changing their port #s to get around my traffic
> > shaping, and then it hit me, that the layer 7 traffic shaper would be
> > better suited to the purpose of the m0n0wall traffic shaper than a
> > port based system.  What is the possibility of getting this integrated
> > into m0n0?  I know very very little about FreeBSD or if this is even
> > possible, but just wanted to throw it out there and see what you guys
> > thought.
> >
> >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>
>




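The thread contrasts Rob's port allow-list (full speed only to 21, 80 and 110) with the layer-7 matching Radek uses on Linux. The example below is an added illustration and is not code from the thread, from m0n0wall or from l7-filter: it runs both policies over a handful of constructed flows, including a BitTorrent handshake deliberately sent to port 80, to show where each policy decides wrongly. The `Flow` type, the `ALLOWED_PORTS` set, the signatures in `L7_SIGNATURES` (hand-written approximations, not l7-filter's patterns) and the sample payloads are all assumptions made for this example; the only protocol fact relied on is that a BitTorrent peer handshake begins with the byte 0x13 followed by the string "BitTorrent protocol".

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One new connection: destination port and the first bytes seen on it.
    Constructed for this example; a real matcher would get these from the
    connection tracker."""
    dst_port: int
    payload: bytes


# Rob's allow-list: only FTP, HTTP and POP3 get full speed.
ALLOWED_PORTS = {21, 80, 110}

# Hypothetical layer-7 signatures written for this example. Like l7-filter-
# style matchers they are applied only to the first bytes of a connection,
# which is where the CPU cost goes; they are NOT l7-filter's own patterns.
L7_SIGNATURES = {
    # BitTorrent peer handshake: length byte 0x13 (19) + "BitTorrent protocol"
    "bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
    # HTTP request line
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    # FTP: server banner or first client commands
    "ftp": re.compile(rb"^(220[ -]|USER |PASS )"),
    # POP3 greeting
    "pop3": re.compile(rb"^\+OK"),
}


def port_policy(flow: Flow) -> str:
    """Port-based shaping: 'full' on the allowed ports, 'limited' elsewhere."""
    return "full" if flow.dst_port in ALLOWED_PORTS else "limited"


def classify_l7(flow: Flow, max_bytes: int = 512) -> str:
    """Match the first max_bytes of the payload against each signature.
    Returns the first protocol name that matches, or 'unknown'."""
    head = flow.payload[:max_bytes]
    for name, sig in L7_SIGNATURES.items():
        if sig.search(head):
            return name
    return "unknown"


def l7_policy(flow: Flow) -> str:
    """Content-based shaping: full speed for traffic we recognise as HTTP,
    FTP or POP3, limited for p2p and for anything we cannot identify."""
    return "full" if classify_l7(flow) in ("http", "ftp", "pop3") else "limited"


# Constructed sample flows. The info_hash and peer_id in the BitTorrent
# handshake are filler bytes, not real values.
BT_HANDSHAKE = (b"\x13BitTorrent protocol" + b"\x00" * 8
                + b"\xaa" * 20 + b"-XX0000-" + b"\x11" * 12)
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

SAMPLE_FLOWS = {
    "http on 80":      Flow(80, HTTP_GET),
    "bittorrent on 80": Flow(80, BT_HANDSHAKE),   # p2p client moved to port 80
    "bittorrent on 6881": Flow(6881, BT_HANDSHAKE),
    "http on 8080":    Flow(8080, HTTP_GET),      # legitimate web on an odd port
}


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Run both policies over the flows; the result shows that the port
    policy waves through p2p on port 80 and throttles HTTP on 8080, while
    the layer-7 policy decides on content."""
    return {name: (port_policy(f), l7_policy(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (by_port, by_l7) in compare().items():
        print(f"{name:20} port policy: {by_port:8} l7 policy: {by_l7}")
```

The part that costs CPU on a WRAP or Soekris board is `classify_l7`: every new connection has its first few hundred bytes run through every regex, whereas `port_policy` is a set lookup. A real deployment caches the verdict per connection after the first match so only the start of each flow is inspected.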