From: Mgr. M. J. <mai...@vc...> - 2007-07-30 13:35:36
Thank you for your hint.
I tried this:
iptables -I FORWARD -m layer7 --l7proto http
ip_conntrack was loaded, part of lsmod:
ipt_layer7 10496 1 (autoclean)
iptable_nat 18014 1 (autoclean)
ipt_state 504 10 (autoclean)
ip_conntrack 21568 0 (autoclean) [ipt_layer7 iptable_nat ipt_state]
iptable_filter 1644 1 (autoclean)
ipt_LOG 3512 18 (autoclean)
ipt_limit 920 18 (autoclean)
iptable_mangle 2072 1 (autoclean)
ip_tables 13088 9 [ipt_layer7 iptable_nat ipt_state iptable_filter ipt_LOG ipt_limit iptable_mangle]
....
And this layer7 rule started to catch packets:
8070 6076607 0 -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto http
but my syslog started to fill up with some strange errors and packet
lists like this:
Jul 30 14:19:27 aaa@Devil kernel: layer7: regexec positive: http!
Jul 30 14:19:27 aaa@Devil kernel:
Jul 30 14:19:27 aaa@Devil kernel: l7-filter gave up after 625 bytes (11 packets):
Jul 30 14:19:27 aaa@Devil kernel: ..@.. edebfaenebfccacacacacacacacacaad
.. .......(oe`........(o.. ..l ...@.. edebfaenebfccacacacacacacacacaad
.. .......(o..@.. edebfaenebfccacacacacacacacacaad ..
.......(oe`g.......(o.. ..l ...@.. edebfaenebfccacacacacacacacacaad ..
.......(o..@.. edebfaenebfccacacacacacacacacaad ..
.......(oe`q.......(o.. ..l ...@.. edebfaenebfccacacacacacacacacaad ..
.......(o..@.. faeddbdbdadadhdidhddcacacacacaad .. .......(oe`....
...(o.. ..l....@.. faeddbdbdadadhdidhddcacacacacaad .. .......(o..@..
faeddbdbdadadhdidhddcacacacacaad .. .......(oe`........(o.. ..l....@..
faeddbdbdadadhdidhddcacacacacaad .. .......(o
Isn't some debugging switched on here (in the layer7 kernel module)?
What does the message "l7-filter gave up after XXX bytes (YY packets)"
mean?
Does anybody know?
Jiri Motycka
Serge Leschinsky wrote:
> Hi,
>
> Mgr. Motycka Jiri wrote:
>
>
>> BTW: Has anybody any experience with layer7 in DL?
>>
> Yes. I used it some time ago - with ver. 1.2.9
>
>
>> I made one simple firewall rule which should block the rtsp protocol, and
>> this rule blocks nothing and sends the content of the packets to the syslog?
>> Does anybody know why?
>>
>> This is the rule:
>> $IPTABLES -t mangle -A POSTROUTING -m layer7 --l7proto rtsp -j DROP
>>
> One thing was unexpected for me - it's ip_conntrack module. It should be loaded.
>
> So, you can check the l7-filter functionality by executing the command
> iptables -A OUTPUT -m layer7 --l7proto http
> and checking the counters (iptables -nvL) after downloading. As I said before,
> don't omit ip_conntrack module loading please.
>
> --
> Serge Leschinsky
>
>
> _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
>
>
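
The checks discussed in this thread (is ip_conntrack loaded, is the layer7 rule's counter moving, how often do the layer7 messages appear in syslog), as an added example that is not part of the original messages. The function names are hypothetical and the sample lsmod, iptables -nvL and syslog text is constructed, modelled on the output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Succeeds if module $1 appears in `lsmod` output read from stdin.
module_loaded() {
    awk -v m="$1" '$1 == m { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Prints total packets matched by layer7 rules for protocol $1, reading
# `iptables -nvL` output from stdin (K/M/G suffixes are rounded x1000 units).
l7_rule_packets() {
    awk -v p="$1" '
        function num(s,  n) { n = s + 0
            if (s ~ /K$/) n *= 1000; if (s ~ /M$/) n *= 1000000
            if (s ~ /G$/) n *= 1000000000; return n }
        { for (i = 2; i < NF; i++)
              if ($i == "l7proto" && $(i + 1) == p) { sum += num($1); break } }
        END { print sum + 0 }'
}

# Prints "positive=N gave_up=M" for protocol $1 from kernel log lines on stdin.
l7_log_summary() {
    awk -v p="$1" '
        index($0, "layer7: regexec positive: " p "!") { pos++ }
        /l7-filter gave up after [0-9]+ bytes/ { gu++ }
        END { printf "positive=%d gave_up=%d\n", pos, gu }'
}

sample_lsmod() { cat <<'EOF'
ipt_layer7             10496   1 (autoclean)
ip_conntrack           21568   0 (autoclean) [ipt_layer7 iptable_nat ipt_state]
ip_tables              13088   9 [ipt_layer7 iptable_nat ipt_state]
EOF
}
sample_iptables() { cat <<'EOF'
 pkts bytes target prot opt in out source    destination
 8070 6076607      0    --  *  *   0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto http
   2K  1500K       0    --  *  *   0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto http
    0     0 DROP   all  --  *  *   0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto rtsp
EOF
}
sample_log() { cat <<'EOF'
Jul 30 14:19:27 Devil kernel: layer7: regexec positive: http!
Jul 30 14:19:27 Devil kernel: l7-filter gave up after 625 bytes (11 packets):
Jul 30 14:19:28 Devil kernel: l7-filter gave up after 702 bytes (11 packets):
EOF
}

sample_lsmod | module_loaded ip_conntrack && echo "ip_conntrack: loaded"
echo "http: $(sample_iptables | l7_rule_packets http) pkts, $(sample_log | l7_log_summary http)"
```

On a live system, pipe the real `lsmod`, `iptables -nvL` (add `-t mangle` for the rtsp rule) and syslog into the same functions in place of the sample data.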