From: Mgr. M. J. <mai...@vc...> - 2007-07-26 06:08:53
Hi.

Try to download testing version 1.2.14. Some time ago I already announced this problem and Heiko solved it by making a new version where these libraries were present. You can download it from here:
ftp://ftp.devil-linux.org/pub/devel/testing/

(libipt_ipp2p.so and libipt_layer7.so are in directory /usr/lib/iptables)

BTW: Has anybody any experience with layer7 in DL?
I made one simple firewall rule which should block the rtsp protocol, and this rule blocks nothing and sends the content of the packets to the syslog?
Does anybody know why?

This is the rule:
$IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto rtsp -j DROP

Jiri Motycka

Fred Frigerio wrote:
> OK, I think I know what the problem is but I am not sure how to fix it.
> The iptables module ipp2p is there but it looks like the shared library
> that needs to go in /var/lib/iptables is missing. I was able to
> modprobe the ipt_ipp2p.o module ok but when I try iptables -m ipp2p
> --help I get an error about a missing library.
>
> Looking at the ipp2p homepage, it seems that it needs to be copied to the
> /var/lib/iptables directory after compiling.
>
> http://www.ipp2p.org/docu_en.html
>
> Fred Frigerio
> Locust USA
>
> This electronic message transmission contains information from Locust
> USA which may be confidential or privileged. The information is
> intended to be for the use of the individual or entity named above. If
> you are not the intended recipient, be aware that any disclosure,
> copying, distribution or use of the contents of this information is
> prohibited. If you have received this electronic transmission in error,
> please notify us by telephone (305-889-5410) or by reply via electronic
> mail immediately.
>
> -----Original Message-----
> From: dev...@li...
> [mailto:dev...@li...] On Behalf Of
> Fred Frigerio
> Sent: Wednesday, July 25, 2007 4:38 PM
> To: dev...@li...
> Subject: [Devil-Linux-discuss] P2p traffic filtering
>
> I am trying to filter p2p traffic at the firewall.
> Does DL contain any iptables module that does that? If not, has anyone
> done it? Would you share your solution?
>
> I appreciate your help.
>
> Fred F.
From: Mgr. M. J. <mai...@vc...> - 2007-07-30 13:35:36
Thank you for your hint. I tried this:

iptables -I FORWARD -m layer7 --l7proto http

ip_conntrack was loaded; part of lsmod:

ipt_layer7             10496   1 (autoclean)
iptable_nat            18014   1 (autoclean)
ipt_state                504  10 (autoclean)
ip_conntrack           21568   0 (autoclean) [ipt_layer7 iptable_nat ipt_state]
iptable_filter          1644   1 (autoclean)
ipt_LOG                 3512  18 (autoclean)
ipt_limit                920  18 (autoclean)
iptable_mangle          2072   1 (autoclean)
ip_tables              13088   9 [ipt_layer7 iptable_nat ipt_state iptable_filter ipt_LOG ipt_limit iptable_mangle]
....

And this layer7 rule started to catch packets:

 8070 6076607            0    --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto http

but my syslog started to fill up with some strange errors and packet lists like this:

Jul 30 14:19:27 aaa@Devil kernel: layer7: regexec positive: http!
Jul 30 14:19:27 aaa@Devil kernel:
Jul 30 14:19:27 aaa@Devil kernel: l7-filter gave up after 625 bytes (11 packets):
Jul 30 14:19:27 aaa@Devil kernel: ..@.. edebfaenebfccacacacacacacacacaad .. .......(oe`........(o.. ..l ...@.. edebfaenebfccacacacacacacacacaad .. .......(o..@.. edebfaenebfccacacacacacacacacaad .. .......(oe`g.......(o.. ..l ...@.. edebfaenebfccacacacacacacacacaad .. .......(o..@.. edebfaenebfccacacacacacacacacaad .. .......(oe`q.......(o.. ..l ...@.. edebfaenebfccacacacacacacacacaad .. .......(o..@.. faeddbdbdadadhdidhddcacacacacaad .. .......(oe`.... ...(o.. ..l....@.. faeddbdbdadadhdidhddcacacacacaad .. .......(o..@.. faeddbdbdadadhdidhddcacacacacaad .. .......(oe`........(o.. ..l....@.. faeddbdbdadadhdidhddcacacacacaad .. .......(o

Isn't some debugging switched on here (in the layer7 kernel module)?
What does the message "l7-filter gave up after XXX bytes (YY packets)" mean?
Does anybody know?

Jiri Motycka

Serge Leschinsky wrote:
> Hi,
>
> Mgr. Motycka Jiri wrote:
>
>> BTW: Has anybody any experience with layer7 in DL?
>
> Yes. I used it some time ago - with ver. 1.2.9
>
>> I made one simple firewall rule which should block the rtsp protocol, and
>> this rule blocks nothing and sends the content of the packets to the syslog?
>> Does anybody know why?
>>
>> This is the rule:
>> $IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto rtsp -j DROP
>
> One thing was unexpected for me - it's the ip_conntrack module. It should be loaded.
>
> So, you can check the l7-filter functionality by executing the command
> iptables -A OUTPUT -m layer7 --l7proto http
> and checking the counters (iptables -nvL) after downloading. As I said before,
> don't omit ip_conntrack module loading please.
>
> --
> Serge Leschinsky
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
From: Serge L. <fi...@in...> - 2007-07-31 10:34:47
Hi,

Mgr. Motycka Jiri wrote:
...
> but my syslog started to fill up with some strange errors and packet
> lists like this:
>
> Jul 30 14:19:27 aaa@Devil kernel: layer7: regexec positive: http!
> Jul 30 14:19:27 aaa@Devil kernel:
> Jul 30 14:19:27 aaa@Devil kernel: l7-filter gave up after 625 bytes (11
> packets):
....
> Isn't some debugging switched on here (in the layer7 kernel module)?

Yes, obviously the layer7 kernel module is compiled with debug. I guess we have to disable this.

> What does the message "l7-filter gave up after XXX bytes (YY packets)"
> mean?
> Does anybody know?

It means that the filter was able to classify traffic only after 11 packets (625 bytes) had been captured. Since l7-filter functionality is based on traffic inspection, it's unable to classify a connection immediately - only after some preprocessing. So exactly this is what the kernel module writes to the log.

--
Serge Leschinsky
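The two kernel messages discussed above (`layer7: regexec positive: <proto>!` and `l7-filter gave up after N bytes (M packets):`) are easy to lose in a syslog that is filling with payload dumps. As an added example, not code from this thread or from Devil-Linux, the script below summarises such a log offline: it counts positive classifications per protocol, reports how many connections the classifier gave up on together with the largest byte and packet counts seen, and counts the raw dump lines. The sample lines are constructed from the ones posted above (the second `gave up` line, the rtsp match and the final dump line are made up for illustration). One caveat the thread already shows: while the debug build is in place, the module writes captured application payload to syslog, so those log files contain whatever users sent in clear and should be protected like the traffic itself until the debug build is replaced.

```shell
#!/bin/sh
# Added example (not from the thread or Devil-Linux): summarise l7-filter
# debug messages from a syslog extract. On a real box feed it something like
#   l7_log_summary "$(grep 'kernel: l' /var/log/messages)"
# The sample below is constructed from the lines posted in the thread.

# l7_log_summary LOG_TEXT
# Prints "positive <proto> <count>" per classified protocol and one line
# "gave_up <count> <max_bytes> <max_packets>" for the give-up messages.
l7_log_summary() {
    printf '%s\n' "$1" | awk '
        /kernel: layer7: regexec positive: / {
            proto = $NF
            sub(/!$/, "", proto)              # "http!" -> "http"
            positive[proto]++
        }
        /kernel: l7-filter gave up after / {
            for (i = 1; i <= NF; i++)
                if ($i == "after") {
                    bytes = $(i + 1) + 0      # "625"
                    pkts = $(i + 3)           # "(11"
                    sub(/^\(/, "", pkts)
                    pkts += 0
                }
            gave_up++
            if (bytes > max_bytes) max_bytes = bytes
            if (pkts > max_pkts) max_pkts = pkts
        }
        END {
            for (p in positive) print "positive", p, positive[p]
            print "gave_up", gave_up + 0, max_bytes + 0, max_pkts + 0
        }' | sort
}

# l7_payload_dump_lines LOG_TEXT
# Counts kernel lines that are neither of the two l7-filter messages and are
# not empty: these are the buffered payload the debug build dumps to syslog.
l7_payload_dump_lines() {
    printf '%s\n' "$1" \
        | grep 'kernel: ' \
        | grep -v 'kernel: layer7: ' \
        | grep -v 'kernel: l7-filter ' \
        | grep -vc 'kernel: *$'
}

# Constructed sample, based on the lines posted in the thread.
SAMPLE_LOG='Jul 30 14:19:27 aaa@Devil kernel: layer7: regexec positive: http!
Jul 30 14:19:27 aaa@Devil kernel:
Jul 30 14:19:27 aaa@Devil kernel: l7-filter gave up after 625 bytes (11 packets):
Jul 30 14:19:27 aaa@Devil kernel: ..@.. edebfaenebfccacacacacacacacacaad .. .......(oe`........(o..
Jul 30 14:19:28 aaa@Devil kernel: layer7: regexec positive: http!
Jul 30 14:19:29 aaa@Devil kernel: layer7: regexec positive: rtsp!
Jul 30 14:19:30 aaa@Devil kernel: l7-filter gave up after 900 bytes (12 packets):
Jul 30 14:19:30 aaa@Devil kernel: GET / HTTP/1.1'

l7_log_summary "$SAMPLE_LOG"
echo "payload dump lines in syslog: $(l7_payload_dump_lines "$SAMPLE_LOG")"
```

Run against a real extract, a large `gave_up` count next to few positives means the classifier is spending its packet budget without matching anything, which is the situation in which a DROP rule "blocks nothing"; the dump-line count shows how much cleartext the debug build has already written to disk.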
From: Jan H. P. <jh...@jh...> - 2007-07-28 10:34:49
Mgr. Motycka Jiri wrote:
> Hi.
>
> Try to download testing version 1.2.14. Some time ago I already
> announced this problem and Heiko solved it by making a new version where
> these libraries were present. You can download it from here:
> ftp://ftp.devil-linux.org/pub/devel/testing/
>
> (libipt_ipp2p.so and libipt_layer7.so are in directory /usr/lib/iptables)
>
> BTW: Has anybody any experience with layer7 in DL?
> I made one simple firewall rule which should block the rtsp protocol, and
> this rule blocks nothing and sends the content of the packets to the syslog?
> Does anybody know why?
>
> This is the rule:
> $IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto rtsp -j DROP
>
> Jiri Motycka

Yesterday evening I tried some rules on my firewall (DL 1.3.4) but I constantly get the following error:

root@Devil:~ # iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j ACCEPT
iptables: No chain/target/match by that name

The l7 stuff is selected in make menuconfig and iptables seems to have support for it, but I got the idea that there are some kernel modules missing or something. I expected some layer7 kernel modules but there are none in /lib/modules.

This is as far as I have come with this.

By the way, is it possible / easy to make a custom kernel config? What are the steps that I should take to make this happen? I suppose that I should take a kernel tree and do a make menuconfig and put the resulting config file in some special place or something? What patches are by default patched into the kernel tree before starting the build?

Greetings,
Jan Hugo Prins
From: Fred F. <ffr...@lo...> - 2007-07-28 12:15:42
Did you download the newer version? Did you check in /usr/lib/iptables for the shared library file? I haven't had a chance to do that yet.

The easiest way to check to see if things are there is to do

iptables -m layer7 --help

which should give you help if the module is there and a descriptive error of what is not working if it isn't.

The kernel module is ipt_layer7 which is under kernel/net/netfilter (from memory so I may be missing something).

>> Hi.
>>
>> Try to download testing version 1.2.14. Some time ago I already
>> announced this problem and Heiko solved it by making a new version
>> where these libraries were present. You can download it from here:
>> ftp://ftp.devil-linux.org/pub/devel/testing/
>>
>> (libipt_ipp2p.so and libipt_layer7.so are in directory
>> /usr/lib/iptables)
>>
>> BTW: Has anybody any experience with layer7 in DL?
>> I made one simple firewall rule which should block the rtsp protocol, and
>> this rule blocks nothing and sends the content of the packets to the syslog?
>> Does anybody know why?
>>
>> This is the rule:
>> $IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto rtsp -j DROP
>>
>> Jiri Motycka
>
> Yesterday evening I tried some rules on my firewall (DL 1.3.4) but I
> constantly get the following error:
>
> root@Devil:~ # iptables -t mangle -A POSTROUTING -m layer7 --l7proto
> http -j ACCEPT
> iptables: No chain/target/match by that name
>
> The l7 stuff is selected in make menuconfig and iptables seems to have
> support for it, but I got the idea that there are some kernel modules
> missing or something.
> I expected some layer7 kernel modules but there are none in /lib/modules.
>
> This is as far as I have come with this.
>
> By the way, is it possible / easy to make a custom kernel config? What
> are the steps that I should take to make this happen? I suppose that I
> should take a kernel tree and do a make menuconfig and put the resulting
> config file in some special place or something?
> What patches are by default patched into the kernel tree before starting
> the build?
>
> Greetings,
> Jan Hugo Prins
From: Serge L. <fi...@in...> - 2007-07-30 10:55:38
Hi,

Fred Frigerio wrote:
> Yesterday evening I tried some rules on my firewall (DL 1.3.4) but I
> constantly get the following error:
>
> root@Devil:~ # iptables -t mangle -A POSTROUTING -m layer7 --l7proto
> http -j ACCEPT
> iptables: No chain/target/match by that name
>
> The l7 stuff is selected in make menuconfig and iptables seems to have
> the support for it, but I got the idea that there are some kernel
> modules missing or something.
> I expected some layer7 kernel modules but there is none in /lib/modules.

Thank you for the report. I'm afraid l7 is broken in 1.3.4 because I've got the same result. I've started a custom build to check it and hopefully it will be fixed and ready for download by Tuesday.

--
Serge Leschinsky
From: Jan H. P. <jh...@jh...> - 2007-07-31 07:31:35
Serge Leschinsky wrote:
> Hi,
>
> Fred Frigerio wrote:
>
>> Yesterday evening I tried some rules on my firewall (DL 1.3.4) but I
>> constantly get the following error:
>>
>> root@Devil:~ # iptables -t mangle -A POSTROUTING -m layer7 --l7proto
>> http -j ACCEPT
>> iptables: No chain/target/match by that name
>>
>> The l7 stuff is selected in make menuconfig and iptables seems to have
>> the support for it, but I got the idea that there are some kernel modules
>> missing or something.
>> I expected some layer7 kernel modules but there is none in /lib/modules.
>
> Thank you for the report. I'm afraid l7 is broken in 1.3.4 because I've got the
> same result. I've started a custom build to check it and hopefully it will be
> fixed and ready for download by Tuesday.

It should be relatively easy to fix by putting a tar file with the correct patches in it.
It just fails to patch the kernel because the patch set that is in the tarball is for an older kernel.

Jan Hugo
From: Serge L. <fi...@in...> - 2007-07-31 10:15:03
Hi,

Jan Hugo Prins wrote:
> It should be relatively easy to fix by putting a tar file with the
> correct patches in it.
> It just fails to patch the kernel because the patch set that is in the
> tarball is for an older kernel.

Surely. It's a quite trivial 3-line patch. But now I'm building the system to be sure nothing was broken ("make config" freeze for kernel, for example). This process takes a lot of time due to my build box performance.
Actually I don't expect any problem, but the preliminary test should be done anyway.

I can send you the diff if you are ready to check it by yourself.

--
Serge Leschinsky
From: Jan H. P. <jh...@jh...> - 2007-07-31 10:33:49
Serge Leschinsky wrote:

Hi,

> Surely. It's a quite trivial 3-line patch. But now I'm building the system to
> be sure nothing was broken ("make config" freeze for kernel, for example). This
> process takes a lot of time due to my build box performance.
> Actually I don't expect any problem, but the preliminary test should be done anyway.
>
> I can send you the diff if you are ready to check it by yourself.

You can surely send me the patch and the needed tarball, then I will test it for you. No problem.

That make config freezes is because it sees some extra options and wants some input on that. Instead of make oldconfig you could also just add the needed extra lines to the .config file. That should do the trick.

Jan Hugo
From: Jan H. P. <jh...@jh...> - 2007-08-14 09:12:32
Serge Leschinsky wrote:
> Surely. It's a quite trivial 3-line patch. But now I'm building the system to
> be sure nothing was broken ("make config" freeze for kernel, for example). This
> process takes a lot of time due to my build box performance.
> Actually I don't expect any problem, but the preliminary test should be done anyway.
>
> I can send you the diff if you are ready to check it by yourself.

Yesterday I thought, let's see if layer7 support is fixed in the latest 1.3.4.
But the patch-o-matic script contains some strange lines with <<<<<<<<< and >>>>>>>>>>
It fails completely.

[root@zeus build]# less tmp/LOGS/build/patch-o-matic
/build/scripts/patch-o-matic: line 38: syntax error near unexpected token `<<<'
/build/scripts/patch-o-matic: line 38: `<<<<<<< patch-o-matic'

Greetings,
Jan Hugo Prins
From: Serge L. <fi...@in...> - 2007-08-14 09:38:56
Hi,

Jan Hugo Prins wrote:
> Yesterday I thought, let's see if layer7 support is fixed in the latest
> 1.3.4.
> But the patch-o-matic script contains some strange lines with <<<<<<<<<
> and >>>>>>>>>>
> It fails completely.

It's the result of unsuccessful cvs merging (probably you edited this file). Please delete the file and sync once again.

--
Serge Leschinsky
From: Heiko Z. <he...@zu...> - 2007-07-28 13:55:14
On Sat, July 28, 2007 05:34, Jan Hugo Prins wrote:
> Mgr. Motycka Jiri wrote:
>
>> Hi.
>>
>> Try to download testing version 1.2.14. Some time ago I already
>> announced this problem and Heiko solved it by making a new version where
>> these libraries were present. You can download it from here:
>> ftp://ftp.devil-linux.org/pub/devel/testing/
>>
>> (libipt_ipp2p.so and libipt_layer7.so are in directory
>> /usr/lib/iptables)
>>
>> BTW: Has anybody any experience with layer7 in DL?
>> I made one simple firewall rule which should block the rtsp protocol, and
>> this rule blocks nothing and sends the content of the packets to the syslog?
>> Does anybody know why?
>>
>> This is the rule:
>> $IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto rtsp -j DROP
>>
>> Jiri Motycka
>
> Yesterday evening I tried some rules on my firewall (DL 1.3.4) but I
> constantly get the following error:
>
> root@Devil:~ # iptables -t mangle -A POSTROUTING -m layer7 --l7proto
> http -j ACCEPT
> iptables: No chain/target/match by that name
>
> The l7 stuff is selected in make menuconfig and iptables seems to have
> the support for it, but I got the idea that there are some kernel modules
> missing or something. I expected some layer7 kernel modules but there is
> none in /lib/modules.

Make sure you load all the needed modules via modprobe.

> This is as far as I have come with this.
>
> By the way, is it possible / easy to make a custom kernel config? What
> are the steps that I should take to make this happen? I suppose that I
> should take a kernel tree and do a make menuconfig and put the resulting
> config file in some special place or something? What patches are by
> default patched into the kernel tree before starting the build?

There's no built in way to change the config, you'll have to hack something.
Are the changes something other people would need too? If yes, then we can change it in CVS.

--
Regards
Heiko Zuerker
http://www.devil-linux.org
From: Fred F. <ffr...@lo...> - 2007-07-28 14:02:55
Filtering out Kazaa and friends while still allowing a permissive inside to outside firewall is something I like. On the other hand I should probably be running a proxy and blocking everything from the inside except what is allowed.

Fred Frigerio
Locust USA

-----Original Message-----
From: dev...@li...
[mailto:dev...@li...] On Behalf Of Heiko Zuerker
Sent: Saturday, July 28, 2007 9:55 AM
To: dev...@li...
Subject: Re: [Devil-Linux-discuss] P2p traffic filtering

On Sat, July 28, 2007 05:34, Jan Hugo Prins wrote:
> Mgr. Motycka Jiri wrote:
>
>> [...]
>
> Yesterday evening I tried some rules on my firewall (DL 1.3.4) but I
> constantly get the following error:
>
> root@Devil:~ # iptables -t mangle -A POSTROUTING -m layer7 --l7proto
> http -j ACCEPT
> iptables: No chain/target/match by that name
>
> The l7 stuff is selected in make menuconfig and iptables seems to have
> the support for it, but I got the idea that there are some kernel
> modules missing or something. I expected some layer7 kernel modules
> but there is none in /lib/modules.

Make sure you load all the needed modules via modprobe.

> This is as far as I have come with this.
>
> By the way, is it possible / easy to make a custom kernel config? What
> are the steps that I should take to make this happen? I suppose that I
> should take a kernel tree and do a make menuconfig and put the
> resulting config file in some special place or something? What patches
> are by default patched into the kernel tree before starting the build?

There's no built in way to change the config, you'll have to hack something.
Are the changes something other people would need too? If yes, then we can change it in CVS.

--
Regards
Heiko Zuerker
http://www.devil-linux.org
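Fred's two options above, a permissive LAN-to-WAN policy with l7-filter used as a p2p blacklist versus a default-deny egress policy with an explicit allow list (and optionally a proxy as the only host allowed out on the web ports), are easiest to compare as rule sets. The script below is an added example and not Devil-Linux's own firewall script; it follows the thread's `$IPTABLES` convention and defaults to a dry run that prints the commands, so it can be read and checked without root. The interface names, the l7-filter pattern names `bittorrent`, `edonkey` and `fasttrack` (the protocol Kazaa uses), the allowed port list and the proxy address are assumptions for illustration. Two caveats the thread supports: the layer7 match needs ip_conntrack loaded, and it can only classify a connection after inspecting some of its traffic, so the first packets of every p2p flow pass a blacklist policy before the DROP rule can fire; the allow-list policy does not depend on classification for its default.

```shell
#!/bin/sh
# Added example, not Devil-Linux's own firewall script. Builds two FORWARD
# policies for a LAN->WAN router. With IPTABLES unset it prints the commands
# (dry run); run as root with IPTABLES=iptables MODPROBE=modprobe to apply.
IPTABLES=${IPTABLES:-"echo iptables"}
MODPROBE=${MODPROBE:-"echo modprobe"}
LAN=${LAN:-eth1}                              # assumed inside interface
WAN=${WAN:-eth0}                              # assumed outside interface
P2P_PROTOS="bittorrent edonkey fasttrack"     # l7-filter pattern names (assumed)
ALLOWED_TCP="80,443,25,993"                   # assumed egress allow list
PROXY=${PROXY:-}                              # assumed proxy host, optional

# The layer7 match only sees connections that conntrack knows about, so load
# ip_conntrack and ipt_layer7 first (names as used in the thread; newer
# kernels may use different module names).
load_modules() {
    for m in ip_conntrack ipt_layer7; do
        $MODPROBE "$m"
    done
}

# Policy 1 (permissive, blacklist): everything from LAN to WAN passes unless
# l7-filter classifies the connection as p2p. The packets that arrive before
# classification completes are already forwarded by the time a DROP can fire.
blacklist_policy() {
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -F FORWARD
    for proto in $P2P_PROTOS; do
        $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -m layer7 --l7proto "$proto" -j DROP
    done
}

# Policy 2 (default deny, allow list): nothing leaves the LAN unless allowed.
# Replies to allowed connections come back through the state match, DNS and
# a short list of TCP services are allowed for new connections, and anything
# else is logged (rate limited) and then dropped by the chain policy. When a
# proxy address is set, only the proxy may open direct web connections.
allowlist_policy() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -p udp --dport 53 -m state --state NEW -j ACCEPT
    if [ -n "$PROXY" ]; then
        $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -p tcp -s "$PROXY" -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    else
        $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -p tcp -m multiport --dports "$ALLOWED_TCP" -m state --state NEW -j ACCEPT
    fi
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DENY "
}

echo "# modules"
load_modules
echo "# policy 1: permissive with p2p blacklist"
blacklist_policy
echo "# policy 2: default deny with allow list"
allowlist_policy
```

In the dry run the two policies differ by exactly their default: policy 1 starts with `-P FORWARD ACCEPT` and relies on the classifier to catch up with each flow; policy 2 starts with `-P FORWARD DROP` and only ever opens what is listed, which is the "blocking everything from the inside except what is allowed" approach.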
From: Jan H. P. <jh...@jh...> - 2007-07-28 22:01:56
Heiko Zuerker wrote:
> Make sure you load all the needed modules via modprobe.

I could do that if the modules were actually there. But the problem was that the netfilter Layer7 patches that are in the 1.3.4 build don't match the kernel version that is in this build. I am currently trying what happens if I take the latest version of the kernel (2.6.22.1) with the latest Layer7 patch set that matches this kernel.

> There's no built in way to change the config, you'll have to hack something.
> Are the changes something other people would need too? If yes, then we can
> change it in CVS.

What I'm thinking about is creating a static kernel specific for my system without module support. I don't think a lot of people will have exactly the same system.

But is the config that the kernel is built with somewhere in the build tree, or is this config generated at build time?

Jan Hugo
From: Heiko Z. <he...@zu...> - 2007-07-30 12:43:39
On Sat, July 28, 2007 17:01, Jan Hugo Prins wrote:
> Heiko Zuerker wrote:
>
>> Make sure you load all the needed modules via modprobe.
>
> I could do that if the modules were actually there. But the problem was
> that the netfilter Layer7 patches that are in the 1.3.4 build don't match
> the kernel version that is in this build. I am currently trying what
> happens if I take the latest version of the kernel (2.6.22.1) with the
> latest Layer7 patch set that matches this kernel.
>
>> There's no built in way to change the config, you'll have to hack
>> something. Are the changes something other people would need too? If
>> yes, then we can change it in CVS.
>
> What I'm thinking about is creating a static kernel specific for my
> system without module support. I don't think a lot of people will have
> exactly the same system.
>
> But is the config that the kernel is built with somewhere in the build
> tree, or is this config generated at build time?

The kernel config is pieced together at build time from a couple files in build/scripts/config/2.6
You'll have to modify these files.

--
Regards
Heiko Zuerker
http://www.devil-linux.org
From: Serge L. <fi...@in...> - 2007-07-30 10:54:59
Hi,

Mgr. Motycka Jiri wrote:
> BTW: Has anybody any experience with layer7 in DL?

Yes. I used it some time ago - with ver. 1.2.9

> I made one simple firewall rule which should block the rtsp protocol, and
> this rule blocks nothing and sends the content of the packets to the syslog?
> Does anybody know why?
>
> This is the rule:
> $IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto rtsp -j DROP

One thing was unexpected for me - it's the ip_conntrack module. It should be loaded.

So, you can check the l7-filter functionality by executing the command
iptables -A OUTPUT -m layer7 --l7proto http
and checking the counters (iptables -nvL) after downloading. As I said before, don't omit ip_conntrack module loading please.

--
Serge Leschinsky
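Serge's test above (load ip_conntrack, add a counting rule, download something, read the counters with `iptables -nvL`) and Fred's earlier check (`iptables -m layer7 --help`, then confirm the kernel module) are the two things to verify before blaming a DROP rule. As an added example, not code from this thread or from Devil-Linux, the script below turns them into offline checks that take command output as text: which modules `lsmod` reports, and what the LAYER7 rules' counters say. Both samples are constructed from the lines posted in the thread (the bittorrent and rtsp rules are made up). It assumes the 2.4-era module names used in the thread, `ip_conntrack` and `ipt_layer7`, which can be overridden, and it reads counters with the K/M/G abbreviations that `iptables -nvL` prints for large values; `iptables -nvxL` prints exact numbers instead.

```shell
#!/bin/sh
# Added example (not from the thread or Devil-Linux): offline checks for an
# l7-filter setup. Each function takes the text of a command's output, so on
# a real box replace the samples with
#   lsmod_text=$(lsmod)
#   rules_text=$(iptables -t mangle -nvxL)   # -x: exact counters, no K/M/G
CONNTRACK_MOD=${CONNTRACK_MOD:-ip_conntrack}   # module names as used in the thread
L7_MOD=${L7_MOD:-ipt_layer7}

# modules_loaded LSMOD_TEXT MODULE...  -> 0 if every module is listed
modules_loaded() {
    _lsmod=$1
    shift
    for _mod in "$@"; do
        printf '%s\n' "$_lsmod" \
            | awk -v m="$_mod" '$1 == m { f = 1 } END { exit f ? 0 : 1 }' \
            || return 1
    done
    return 0
}

# l7_counters RULES_TEXT -> "proto pkts bytes" per LAYER7 rule; K/M/G
# suffixes (iptables abbreviates counters without -x) are expanded.
l7_counters() {
    printf '%s\n' "$1" | awk '
        function expand(v,    n, s) {
            s = substr(v, length(v), 1)
            n = substr(v, 1, length(v) - 1)
            if (s == "K") return n * 1000
            if (s == "M") return n * 1000000
            if (s == "G") return n * 1000000000
            return v + 0
        }
        /LAYER7 l7proto / {
            for (i = 1; i <= NF; i++) if ($i == "l7proto") proto = $(i + 1)
            print proto, expand($1), expand($2)
        }'
}

# l7_ready LSMOD_TEXT RULES_TEXT PROTO -> 0 if the modules are loaded and the
# rule for PROTO has matched at least one packet, 1 otherwise (reason on stderr).
l7_ready() {
    modules_loaded "$1" "$CONNTRACK_MOD" "$L7_MOD" \
        || { echo "l7: $CONNTRACK_MOD or $L7_MOD not loaded" >&2; return 1; }
    _pkts=$(l7_counters "$2" | awk -v p="$3" '$1 == p { print $2 }')
    [ -n "$_pkts" ] || { echo "l7: no LAYER7 rule for $3" >&2; return 1; }
    [ "$_pkts" -gt 0 ] || { echo "l7: rule for $3 has matched nothing yet" >&2; return 1; }
    echo "l7: rule for $3 matched $_pkts packets"
}

# Constructed samples, based on the lsmod and counter lines posted in the thread.
SAMPLE_LSMOD='Module                  Size  Used by
ipt_layer7             10496   1 (autoclean)
iptable_nat            18014   1 (autoclean)
ipt_state                504  10 (autoclean)
ip_conntrack           21568   0 (autoclean) [ipt_layer7 iptable_nat ipt_state]
iptable_filter          1644   1 (autoclean)
iptable_mangle          2072   1 (autoclean)
ip_tables              13088   9 [ipt_layer7 iptable_nat ipt_state iptable_filter iptable_mangle]'

SAMPLE_RULES='Chain POSTROUTING (policy ACCEPT 9012 packets, 6418K bytes)
 pkts bytes target     prot opt in     out     source               destination
 8070 6076607            0    --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto http
  312   41K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto bittorrent
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto rtsp'

echo "LAYER7 counters (proto pkts bytes):"
l7_counters "$SAMPLE_RULES"
l7_ready "$SAMPLE_LSMOD" "$SAMPLE_RULES" http
l7_ready "$SAMPLE_LSMOD" "$SAMPLE_RULES" rtsp || true
```

A rule whose counters stay at zero after traffic has flowed points at the setup (missing conntrack, missing module, rule in a chain the traffic never traverses) rather than at the pattern; a rule that counts but whose DROP still lets some of the flow through is the classification delay described earlier in the thread.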