re

I would like to do some firewalling and p2p shaping/limiting on one of the vlans in my network and I was thinking of using a linux box as a transparent bridged firewall/limiter. For this I'm planning to use an AMD64 2.2GHz box with 2 1Gbit NICs (Broadcom 5721), that will be bridged. The box must be totally transparent and unseen in the network, as well as it should have much influence on network performance.

Can anyone give me some guidelines where to begin, how to limit/shape p2p traffic on that vlan. Is it even doable?? Any example htb/ebtables/iptables configuration script will also help. :)

thanks in advance ..

regards,
Andraz
--
BOFH excuse #362: Plasma conduit breach

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
On 3/23/06, Andraz Sraka <a@aufbix.org> wrote:
> re
>
> I would like to do some firewalling and p2p shaping/limiting on one of
> the vlans in my network and I was thinking of using linux box as
> transparent bridged firewall/limiter. For this I'm planning to use AMD64
> 2.2Ghz box with 2 1gbit NIC (Broadcom 5721), that will be bridged. The
> box must be totally transparent and unseen in the network, as well as it
> should have much influence on network performance.

I recommend (so I haven't done it cos I have no needs up now) using FreeBSD to do that. Bridging in BSD makes more sense than doing it on a Linux box.

> Can anyone give me some guidelines where to begin, how to limit/shape
> p2p traffic on that vlan. Is it even doable?? Any example
> htb/ebtables/iptables configuration script will also help. :)

It's totally possible, you can use any script found via google or any of those that are travelling on this mailing list.

--
Sincerely, Carlos.
-------------------------------
LTIM Member - http://ltim.uib.es
BkP Staff (Servers, Gamer Area, Tesorean) - http://www.balearikus-party.org
re

On Thu, 2006-03-23 at 11:15 +0000, Roberto Scattini wrote:
> hi, you could try with this
>
> http://l7-filter.sourceforge.net/
>
> they have a good howto and some sample scripts (for bridge and
> non-bridge setup).

well, can l7-filter be used with ebtables? Because the vlan is trunked (cisco term. = tagged), what happens in this scenario?

regards,
Andraz
--
BOFH excuse #327: The POP server is out of Coke
re

On Thu, 2006-03-23 at 16:58 +0100, Carlos Blanquer wrote:
> I recommend (so I haven't done it cos I have no needs up now) use
> FreeBSD to do that. Bridging in BSD has more sense than do it in a
> Linux box.

that was my second best choice ;-]

> It's totally possible, you can use any script found via google or any
> of that are travelling in this mail list.

True in a way, but still I was hoping that someone can give me more specific guidelines on what the possibilities are and what's the "best" way to do it. As I've already said, I need to do p2p limiting and some basic firewalling on the data stream in a trunked (cisco term. = tagged) vlan.

regards,
Andraz
--
BOFH excuse #327: The POP server is out of Coke
i dont know too much about cisco. i have used layer7 on a linux bridge using the br-nf patch. maybe this url can help you, but my knowledge stops there... :(

http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

Roberto Scattini

> On Thu, 2006-03-23 at 11:15 +0000, Roberto Scattini wrote:
> > hi, you could try with this
> >
> > http://l7-filter.sourceforge.net/
> >
> > they have a good howto and some sample scripts (for bridge and
> > non-bridge setup).
>
> well can l7-filter be used with ebtables? Because the vlan is trunked (cisco
> term. = tagged), what happens in this scenario?
>
> regards,
> Andraz
Andraz Sraka wrote:
> re
>
> On Thu, 2006-03-23 at 16:58 +0100, Carlos Blanquer wrote:
>
>> I recommend (so I haven't done it cos I have no needs up now) use
>> FreeBSD to do that. Bridging in BSD has more sense than do it in a
>> Linux box.
>
> that was my second best choice ;-]
>
>> It's totally possible, you can use any script found via google or any
>> of that are travelling in this mail list.
>
> True in a way, but still I was hoping that someone can give me more
> specific guidelines what are the possibilities and what's the "best" way
> to do it. Since I've already said, that I need to do p2p limiting and
> some basic firewalling on data stream in trunked (cisco term. = tagged)
> vlan.
>
> regards,
> Andraz

hey there.

best way to do this is with ebtables + vlans + qos on a linux box. bsd shaping is basic at best, and junk at worst. altq cannot do proper shaping over multiple interfaces (couldn't have, say, 10mbit shared between 3 or 4 interfaces etc). certainly not in my experience. linux is far superior for what you're wanting to do, can even do layer7 shaping.

a vlan on linux, as someone said already, is just a basic eth0.x interface, which you just shape/firewall etc in the same way as a normal interface. it's not difficult to set up.

if you require any more info or help, feel free to pm me off list. i have this exact setup.
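The setup described in the reply above (ebtables + vlans + qos on a bridged Linux box), written out as an added example script; it is not any poster's configuration. Everything in it is an assumption for illustration: the NIC names eth0/eth1, VLAN id 100, the rates, the fwmark 2 that the mangle table is expected to put on p2p flows, and the "IPv4 and ARP only" layer-2 policy. By default it only prints the commands it would run; set DRY_RUN=0 and run it as root to apply them.

```sh
#!/bin/sh
# Added example for this thread, not code from any poster: bring up a
# transparent Linux bridge that carries one tagged VLAN between two NICs,
# allow only IPv4 and ARP across it with ebtables, and attach an HTB tree to
# each bridge port so a firewall mark can steer p2p flows into a capped class.
# Interface names, VLAN id, rates and the ebtables policy are all assumptions.
# Commands are only printed unless DRY_RUN=0 is set (then run as root).
set -eu

DRY_RUN=${DRY_RUN:-1}
UP_IF=${UP_IF:-eth0}              # assumed: NIC towards the upstream switch
DOWN_IF=${DOWN_IF:-eth1}          # assumed: NIC towards the hosts on the VLAN
VLAN_ID=${VLAN_ID:-100}           # assumed: the trunked VLAN to filter/shape
BR=${BR:-br0}
LINK_RATE=${LINK_RATE:-100mbit}   # assumed: capacity available to this VLAN
BULK_RATE=${BULK_RATE:-95mbit}    # assumed: guaranteed for everything else
P2P_RATE=${P2P_RATE:-2mbit}       # assumed: guaranteed share for p2p
P2P_CEIL=${P2P_CEIL:-5mbit}       # assumed: hard cap for p2p
P2P_MARK=${P2P_MARK:-2}           # assumed: fwmark set by mangle rules on p2p flows

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bridge the two VLAN sub-interfaces (eth0.100 style, as the reply says).
# The bridge gets no IP address, so the box has no layer-3 presence.
build_bridge() {
    run ip link add link "$UP_IF" name "$UP_IF.$VLAN_ID" type vlan id "$VLAN_ID"
    run ip link add link "$DOWN_IF" name "$DOWN_IF.$VLAN_ID" type vlan id "$VLAN_ID"
    run ip link add name "$BR" type bridge
    run ip link set "$UP_IF.$VLAN_ID" master "$BR"
    run ip link set "$DOWN_IF.$VLAN_ID" master "$BR"
    run ip link set "$UP_IF" up
    run ip link set "$DOWN_IF" up
    run ip link set "$UP_IF.$VLAN_ID" up
    run ip link set "$DOWN_IF.$VLAN_ID" up
    run ip link set "$BR" up
    # Let iptables see bridged IPv4 so mangle-table marks can be applied
    # (on current kernels this is the br_netfilter module; 2006 kernels
    # had it as the br-nf patch mentioned in the thread).
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Minimal layer-2 policy (assumed): only IPv4 and ARP may cross the bridge.
l2_firewall() {
    run ebtables -P FORWARD DROP
    run ebtables -A FORWARD -p IPv4 -j ACCEPT
    run ebtables -A FORWARD -p ARP -j ACCEPT
}

# HTB tree on one bridge port: class 1:10 is the default, class 1:20 is the
# capped p2p class; a fw filter maps P2P_MARK onto 1:20.
shape_port() {
    run tc qdisc add dev "$1" root handle 1: htb default 10
    run tc class add dev "$1" parent 1: classid 1:1 htb rate "$LINK_RATE" ceil "$LINK_RATE"
    run tc class add dev "$1" parent 1:1 classid 1:10 htb rate "$BULK_RATE" ceil "$LINK_RATE" prio 0
    run tc class add dev "$1" parent 1:1 classid 1:20 htb rate "$P2P_RATE" ceil "$P2P_CEIL" prio 7
    run tc qdisc add dev "$1" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$1" parent 1:20 handle 20: sfq perturb 10
    run tc filter add dev "$1" parent 1: protocol ip prio 1 handle "$P2P_MARK" fw flowid 1:20
}

# Shape both directions: frames towards the hosts leave via DOWN_IF.VLAN,
# frames from the hosts leave via UP_IF.VLAN. Egress qdiscs belong on the
# bridge ports, not on the bridge device itself.
setup_all() {
    build_bridge
    l2_firewall
    shape_port "$DOWN_IF.$VLAN_ID"
    shape_port "$UP_IF.$VLAN_ID"
}

setup_all
```

Bridging the VLAN sub-interfaces rather than the raw NICs means only VLAN 100 passes through the box and the frames are re-tagged on the way out, so the trunk stays intact for the switches on either side. The HTB tree is attached to each port because bridged traffic never traverses the qdisc of br0 itself.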
Andraz Sraka wrote:
> re
>
> On Thu, 2006-03-23 at 11:15 +0000, Roberto Scattini wrote:
>
>> hi, you could try with this
>>
>> http://l7-filter.sourceforge.net/
>>
>> they have a good howto and some sample scripts (for bridge and
>> non-bridge setup).
>
> well can l7-filter be used with ebtables? Because vlan is trunked (cisco
> term. = tagged), what in this scenario?
>
> regards,
> Andraz

i believe it can.
On Thu, 2006-03-23 at 16:18 +0000, Roberto Scattini wrote:
> maybe this url can help you, but my knowledge stops there... :(
> http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

<http://l7-filter.sourceforge.net/L7-Netfilter-example> sounds promising ..

regards,
Andraz
--
BOFH excuse #450: Terrorists crashed an airplane into the server room, have to remove /bin/laden. (rm -rf /bin/laden)
On Thursday 23 March 2006 11:39, Andraz Sraka wrote:
> On Thu, 2006-03-23 at 16:18 +0000, Roberto Scattini wrote:
> > maybe this url can help you, but my knowledge stops there... :(
> > http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
>
> <http://l7-filter.sourceforge.net/L7-Netfilter-example> sounds
> promising ..

I like L7, but be sure you're ready to write some pattern matches. I've been using ipp2p[1] and it matches all my p2p traffic. ymmv of course.

[1] http://www.ipp2p.org/

--
Jason Boxman
http://edseek.com/ - Linux and FOSS stuff
re

On Thu, 2006-03-23 at 19:20 -0500, Jason Boxman wrote:
> I like L7, but be sure you're ready to write some pattern matches. I've been
> using ipp2p[1] and it matches all my p2p traffic. ymmv of course.
>
> [1] http://www.ipp2p.org/

can newer 2.6 (2.6.15.x) kernels be patched with ipp2p? As far as I've compared the two of them, the only difference (that I've noticed) is that L7 uses patterns from userspace (written somewhere on the file system);

regards,
Andraz
Hi,

Andraz Sraka wrote:
> re
>
> On Thu, 2006-03-23 at 19:20 -0500, Jason Boxman wrote:
>
>> I like L7, but be sure you're ready to write some pattern matches. I've been
>> using ipp2p[1] and it matches all my p2p traffic. ymmv of course.
>>
>> [1] http://www.ipp2p.org/
>
> can newer 2.6 (2.6.15.x) kernels be patched with ipp2p ? As far as I've
> compared the two them, the only difference (that I've noticed) is that
> L7 uses patterns from userspace (written somewhere on file system);

Yes and no, l7filter uses regular expressions as pattern matches, which is slower and in some situations inaccurate. For example you cannot compare one or two bytes with the packet length.

example: http://l7-filter.sourceforge.net/layer7-protocols/protocols/edonkey.pat

<snip>
# God this is a mess. What an irritating protocol.
# This will match about 1% of streams with random data in them!
</snip>

This means 1 % of packets will be matched by l7filter as edonkey. So almost all longer connections will get matched as edonkey, which might make this filter unusable.

ipp2p is specialized to match p2p traffic by highly optimized, worst-case stable layer 7 matches. It also tries to avoid misdetections as well as possible.

I think if you would like to do a complete traffic shaping for http, ftp, ..., try l7filter. But for p2p, I would recommend ipp2p!

regards,
Klaus, maintainer of ipp2p

> regards,
> Andraz
Andraz Sraka wrote:
> re
>
> On Thu, 2006-03-23 at 19:20 -0500, Jason Boxman wrote:
>
>> I like L7, but be sure you're ready to write some pattern matches. I've
>> been using ipp2p[1] and it matches all my p2p traffic. ymmv of course.
>>
>> [1] http://www.ipp2p.org/
>
> can newer 2.6 (2.6.15.x) kernels be patched with ipp2p ? As far as I've
> compared the two them, the only difference (that I've noticed) is that
> L7 uses patterns from userspace (written somewhere on file system);

Sure.

jasonb@rebecca:~$ uname -a
Linux rebecca 2.6.15.5-20060312 #1 Sun Mar 12 21:39:12 EST 2006 i686 GNU/Linu

I'm running the latest ipp2p beta on that without incident.

The major difference I've found is that you can (and must) write your own patterns for L7. The stock patterns, at least for edonkey p2p, don't work. ipp2p works out-of-the-box with what it supports, but you have to hack C to make any changes. I can't code C anyway, so I won't be making any changes. Nor do I have time to perform packet analysis on edonkey/Overnet/Kademlia so L7 can match those packets for me as ipp2p does by default. So, ymmv as I said.

Also, ipp2p must be used in conjunction with CONNMARK whereas you can simply -j CLASSIFY with L7 and you're done. You probably want a CONNMARK paired up with ipp2p as it generally matches handshake packets only. The mark handles the rest.
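The CONNMARK pairing Jason describes, written out as an added example (not his or the ipp2p project's rules): ipp2p fires mostly on the handshake, so the mark it sets is saved onto the conntrack entry and restored onto every later packet of the same connection, and that restored mark is what a tc fw filter uses to pick the p2p class. The l7-filter variant with CLASSIFY is shown alongside for contrast. Assumptions: the mangle rules run on a bridge with bridge-nf enabled, an HTB class 1:20 already exists on the egress interfaces with a fw filter for mark 2, the ipp2p and layer7 iptables extensions are installed, and "edonkey" is just an example protocol name. Commands are printed unless DRY_RUN=0.

```sh
#!/bin/sh
# Added example for this thread, not any poster's script: the mangle rules
# that pair ipp2p with CONNMARK so a mark set on the handshake packet is
# restored onto every later packet of the connection, plus the l7-filter
# variant that classifies directly with CLASSIFY. Assumes an HTB class 1:20
# on the egress interfaces with a tc fw filter for mark 2, and that the
# ipp2p/layer7 iptables extensions are installed. Commands are printed
# unless DRY_RUN=0 (then run as root).
set -eu

DRY_RUN=${DRY_RUN:-1}
P2P_MARK=${P2P_MARK:-2}          # assumed: fwmark that tc maps to class 1:20
P2P_CLASS=${P2P_CLASS:-1:20}     # assumed: HTB class for p2p (CLASSIFY variant)

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ipp2p matches mostly handshake packets, so the mark must be carried by
# conntrack: restore it first, leave already-marked flows alone, run the
# (comparatively expensive) ipp2p match only on still-unknown flows, and
# save any fresh mark back onto the connection.
ipp2p_connmark_rules() {
    run iptables -t mangle -N P2P
    run iptables -t mangle -A FORWARD -j P2P
    run iptables -t mangle -A P2P -j CONNMARK --restore-mark
    run iptables -t mangle -A P2P -m mark ! --mark 0 -j RETURN
    run iptables -t mangle -A P2P -m ipp2p --ipp2p -j MARK --set-mark "$P2P_MARK"
    run iptables -t mangle -A P2P -m mark --mark "$P2P_MARK" -j CONNMARK --save-mark
}

# l7-filter remembers the classification per connection itself, so one rule
# can hand matched packets straight to the HTB class without a mark.
# Use this instead of ipp2p_connmark_rules, not in addition to it.
layer7_classify_rule() {
    run iptables -t mangle -A FORWARD -m layer7 --l7proto edonkey -j CLASSIFY --set-class "$P2P_CLASS"
}

ipp2p_connmark_rules
```

The order inside the P2P chain matters: restoring before matching is what makes the non-handshake packets inherit the class, and the early RETURN on marked flows keeps the pattern match from being re-run on every packet of a connection that has already been identified.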