Hi all,

I have a little experience with a Windows-based firewall, Kerio Winroute. In that I was able to block applications using packet header contents instead of the port they use, since modern p2p apps change ports if they find one blocked. Is it possible in Shorewall that I can:

1. Block all downloading attempts using file extensions. For example, I can block all *.mp3 files from downloading.
2. Check the packet header to see if it belongs to Kazaa / MSN Messenger and then block it?

Thanks in advance,
Asim.
--
Sr. System Engineer
Folio3 Pvt. Ltd
URL : http://www.clickmarks.com
email : asimak77@gmail.com
MSN : asimak77@hotmail.com
Hi Asim

> 1. Block all downloading attempts using file extensions. for example i can
> block all *.mp3 files from downloading.
> 2. Can i check packet header to check if it belongs to kaaza / msn messenger
> then block it ?

You can use IPP2P to block file sharing (see http://www.shorewall.net/IPP2P.html and http://www.ipp2p.org). Other than that I don't think you can do what you suggest using Shorewall. Maybe you could use the layer-7 classifier (http://l7-filter.sourceforge.net/), but I think you will have to configure it outside of Shorewall. Another possibility might be a proxy server? (http://www.shorewall.net/Shorewall_Squid_Usage.html).

Rune

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
Asim Ahmed Khan wrote:
> Hi all,
>
> I have a little experience with windows based firewall .. Kerio Winroute. In
> that i was able to block applications using packet header contents instead
> of port they use since modern p2p apps change ports if they find one
> blocked. Is that possible in shorewall that i can:
>
> 1. Block all downloading attempts using file extensions. for example i can
> block all *.mp3 files from downloading.
> 2. Can i check packet header to check if it belongs to kaaza / msn messenger
> then block it ?
>

I don't think so. What you need is squid with dansguardian AND shorewall.

Read "What it cannot do": http://www.shorewall.net/Shorewall_Doesnt.html
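The Squid half of Cristian's suggestion, written out as an added example that is not from this thread nor from the Squid or Shorewall projects' own documentation: a squid.conf fragment that refuses downloads by URL extension and by the MIME type of the reply, followed by the Shorewall rule that pushes LAN web traffic through the proxy. Squid 2.6-era syntax is assumed; the ACL names, the extension and MIME lists, the 192.168.1.0/24 LAN range and port 3128 are assumptions, and the REDIRECT line follows the pattern shown on the Shorewall_Squid_Usage.html page Rune linked, for Squid running on the firewall itself.

```text
# --- /etc/squid/squid.conf (added example; names, ranges and lists are assumptions) ---

# Transparent mode so a client cannot simply untick "use a proxy" in the browser
# (Squid 2.6 syntax; Squid 2.5 used the httpd_accel_* directives instead).
http_port 3128 transparent

# Refuse by file extension in the URL path, case-insensitive.
acl blocked_ext urlpath_regex -i \.(mp3|wma|avi|exe)$

# Refuse by what the origin server actually returns. This catches renamed files
# and URLs that hide the real name behind a query string or a script path.
acl blocked_mime rep_mime_type -i ^audio/mpeg ^video/x-msvideo

# Assumed LAN range.
acl localnet src 192.168.1.0/24

# Order matters: the deny must precede the allow for the same clients.
http_access deny  blocked_ext
http_access allow localnet
http_access deny  all

# Reply-side check, evaluated once headers come back from the server.
http_reply_access deny  blocked_mime
http_reply_access allow all

# --- /etc/shorewall/rules (Squid on the firewall; pattern from Shorewall_Squid_Usage.html) ---
#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
REDIRECT   loc      3128   tcp     80
```

The proxy only filters what it sees, so the firewall side is what makes this stick: either the REDIRECT above or simply not opening tcp 80/443 from loc to net, so that a browser configured to bypass the proxy gets nothing. Both checks are easy to defeat with HTTPS (a CONNECT tunnel is opaque to Squid), which is why the thread treats this as a policy aid rather than a hard control. DansGuardian does the same job with its bannedextensionlist and bannedmimetypelist files and adds phrase-based content filtering on top.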
Cristian Rodriguez wrote:
> Asim Ahmed Khan wrote:
>> Hi all,
>>
>> I have a little experience with windows based firewall .. Kerio Winroute. In
>> that i was able to block applications using packet header contents instead
>> of port they use since modern p2p apps change ports if they find one
>> blocked. Is that possible in shorewall that i can:
>>
>> 1. Block all downloading attempts using file extensions. for example i can
>> block all *.mp3 files from downloading.
>> 2. Can i check packet header to check if it belongs to kaaza / msn messenger
>> then block it ?
>
> I don't think so.
> what you need is squid with dansguardian AND shorewall.
>
> read "What it cannot do" http://www.shorewall.net/Shorewall_Doesnt.html

I fully agree with Cristian. Often shorewall is placed on gateways on which no such applications run anyway. However, there is a project going on that might be able to do what you want. I have had both good and bad experiences with ipp2p (http://www.ipp2p.org/), in that it blocks a lot (in my case it reduced traffic) but some gets through anyway at full speed. These p2p packages are damn smart.....

cheers,
Ries

--
Ries van Twisk
Freelance Typo3 Developer
email: ries@vantwisk.nl
web: http://www.rvantwisk.nl/
skype: callto://r.vantwisk
R. van Twisk wrote:
> I fully agree with Cristian.
> Often shorewall is placed on gateways on which no such applications run
> anyways.

the OP should consider running one ;-)

> These p2p packages are damn smart.....

That's the point, and they will become smarter with every new release.. start thinking about applying non-tech solutions for the issue (i.e. "acceptable use" policies for your network, LART ;-) )
I've found that the rule

loc net ACCEPT

is a very general rule that only saves time and working effort for the sysadmin, but it increases the possibility of unwanted traffic going in and out through your gw-router-fw. Since I had the experience of working with stubborn "smart" users that refused to obey a policy, I've changed my habits a bit. The new rule is

loc net REJECT

and then open some ports in the rules file, slowly, slowly, after making sure that this is needed and included in the company's policy.

On the other hand, netfilter is not the only tool to protect your net from internal/external abuse. There is a plethora of open source tools such as squid, dansguardian, chastitty, snort ... and so on that will help you eliminate bad traffic and control the beast. The difficulty is to select the appropriate combination of the tools you need, make the correct configuration and repeat the test-debug-test-debug-redesign chain.

Regards.
Harry.

> R. van Twisk wrote:
>>> I fully agree with Cristian.
>>> Often shorewall is placed on gateways on which no such applications run
>>> anyways.
>
> the OP should considere running one ;-)
>
>>> These p2p packages are damn smart.....
>
> That's the point,and will become even more and more smarter every new
> release.. start thinking about applying non tech solutions for the issue
> ( i.e "acceptable use" policies for your network , LART ;-) )
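Harry's default-deny approach written out as Shorewall 3.x policy and rules files, as an added example rather than Harry's own configuration; it also carries the IPP2P rule that Rune and Ries mention earlier in the thread. Zone names follow the two-interface sample (net, loc, $FW); the ports opened, the internal mail relay address and the decision to allow web traffic only to a proxy on the firewall are assumptions, and the exact PROTO/port syntax and placement of the IPP2P line should be checked against http://www.shorewall.net/IPP2P.html for the installed version.

```text
# --- /etc/shorewall/policy (added example; Shorewall 3.x column layout) ---
#SOURCE   DEST   POLICY   LOG LEVEL
$FW       net    ACCEPT
loc       $FW    REJECT   info
# Harry's rule: nothing from the LAN goes out by default, and every attempt is logged.
loc       net    REJECT   info
net       all    DROP     info
all       all    REJECT   info

# --- /etc/shorewall/rules ---
# Rules are consulted before the policies, so anything not listed here falls
# through to "loc net REJECT info" above and shows up in the log, which is
# how you find out what the next "needed and in the policy" port is.
#ACTION   SOURCE             DEST   PROTO   DEST PORT(S)
# Known P2P signatures dropped before any ACCEPT can match them
# (assumed syntax; verify the PROTO value and placement on the IPP2P page).
DROP      loc                net    ipp2p
# Name resolution only through the caching resolver on the firewall.
ACCEPT    loc                $FW    udp     53
ACCEPT    loc                $FW    tcp     53
# Web only via the proxy on the firewall (assumed port), never directly.
ACCEPT    loc                $FW    tcp     3128
# Outbound SMTP only from the internal relay (assumed address).
ACCEPT    loc:192.168.1.10   net    tcp     25
# Everything else from loc to net is rejected and logged by the policy.
```

The order of the DROP and the ACCEPT lines is the part worth being careful about: an ACCEPT for a port that the P2P client has fallen back to (80 is the usual choice) would otherwise win, which is exactly the port-hopping the original poster asked about. Logging at the policy, not on every rule, keeps the log useful when the first wave of "it doesn't work any more" calls arrives.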
Harry Lachanas wrote:
> The new rule is
> loc net REJECT
> and then open some ports in rules file, slowly - slowly , after making
> sure that this is needed and included in the company's policy.

yeah, I use that **always**, but it causes some screams from users and phone calls from the "Pointy-Haired" Boss ;-)

> The difficulty is to select the appropriate combination of the tools you
> need, make the correct configuration and repeat the
> test-debug-test-debug redisign chain.

Indeed, and it can be **very** tricky to debug, and the especially hard part is to make it fit in your environment correctly when you have a lot of users and different client apps.
squid and dansguardian work well for me. We were running a 1k-user network but there were still some good and bad experiences... you may give it a try

On 4/8/06, Cristian Rodriguez <judas_iscariote@shorewall.net> wrote:
> Harry Lachanas wrote:
> > The new rule is
> > loc net REJECT
> > and then open some ports in rules file, slowly - slowly , after making
> > sure that this is needed and included in the company's policy.
>
> yeah, I use that **always**, but it cause some screams from users and
> phone calls from the "Pointy-Haired" Boss ;-)
>
> > The difficulty is to select the appropriate combination of the tools you
> > need, make the correct configuration and repeat the
> > test-debug-test-debug redisign chain.
>
> Indeed, and can be **very** tricky to debug and the specially hard
> part.is to make it fit in your enviroment correctly,when you have a lot
> of users,and different client apps.