similar to: Snort and Shorewall

Hello there! I am trying to get traffic shaping working on my Linux router (debian woody 3r02) and for some things I wanted to use the layer 7 packet classifier, but I can''t get it to work. Here is what I did: -downloaded the patches from http://l7-filter.sourceforge.net -downloaded the kernel 2.6.7 source -downloaded the iptables 1.2.11 source -patched kernel (layer7 patch and some

Hello, I''ve been trying to shape the bittorrent traffic (on my external interface, upload), but without luck, for this I''m using layer7 filter right now, but I''ve also tried ipp2p, with the same results, I might say that this is not a problem with this packet classifiers, the problem is with HTB, here''s why. When I open azureus (the bittorrent client I

i search a lot forum how to get bandwidth statistic such number of packet, total byte in each application protocol by using IPTABLES + netfilter-layer7 but i don''t know which script for getting it in log file and use data after get it for plotting graph later my IPTABLES command like this iptables -t mangle -N all iptables -t mangle -A POSTROUTING -j all iptables -t mangle -A

Hi there, I have a little problem. I had this some months ago but didn''t solve it back then. I have patched my kernel with Layer 7 support and patched my iptables to support it, too. Now I inserted this line in my firewall script on my router for testing purpose: $IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p tcp -m layer7 --l7proto http -j DROP It works, BUT only if the

Hi All , My first message and I have a little problem with my FC6 box trying to block emule traffic using layer7 . Here my network : Internet --------- ADSL Router ------------------- FC6 Box -------------------- Emule Box external ADSL : Dynamic Internal ADSL : 192.168.254.1 external FC6 : 192.168.254.3 internal FC6 : 192.168.253.1 Emule Box : 192.168.253.3 I guess that everything

Hi all, I am running Slackware 10.1 with Kernel 2.6.14.3 includes iptables 1.3.4 with layer 7 My network diagram below: - INTERNET --- LINUX_ROUTER_FW --- PCs Below is my simple iptables script: - echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t mangle -A POSTROUTING -m layer7 --l7proto applejuice -j MARK --set-mark 1 iptables -t

Hi, I have simple question about Skype. What are the methods of selecting packets which belongs to Skype?? I know about 7layer but I don''t belive that is only way. Is 7layer realy good and stable solution for routers which must handle more than 1000 users ? Thanks in advance Pozdrawiam Szymon Turkiewicz

HI All , I am running a FC6 box with two internet links with load balance . Every thing is working fine expect the MSN connection that failed and reconnect every time and SSL connections . I would link to know if with the nona howto I could fix that . I have been tried with no success to redirect that connection only to one link but its look like do not work . Here my configuration :

I was wondering if anyone had implemented rules like this in shorewall: http://blog.andrew.net.au/tech I see tons of brute force attempts on the machines I administer, and I like the idea of limiting them without the need for extra daemons scanning for attacks. Thanks, Dale -- Dale E. Martin - dale@the-martins.org http://the-martins.org/~dmartin

Hello I''ve setuped a QOS bridge under debian 3.1 using 2.6.18.3 kernel + iptables 1.3.6 I''ve patched the kernel an Iptables with esfq+layer7 without problems. This simple script doesn''t log nothing ... And I''m sure to have eMule traffic (I''ve checked with tcpdump ) If I remove " -m layer7 --l7proto edonkey \" line I can see

hi all, i have a classic net topology with two local zone, a firewall/router with dsl connection loc1 (192.168.11.0/24) ----- fw ----- net loc2 (192.168.12.0/24) now on the local zone 1 (on a WinXP machine) i have installed OpenVPN 2.x to make a test connection with a company. OpenVPN is configured as client to use tun on udp port 10000 with ip 10.0.0.2, on the other

Hello, First , thanks to Tom for it''s great job ! Netfilter is really easy and powerfull with shorewall. So, I have configured two firewalls whith shorewall using keepalived for the redundant VRRP stuff. FW-a is MASTER and FW-b is BACKUP. Everything works correctly and FW-b upgrade to MASTER when FW-a is down or disconnected. FW-b downgrade to BACKUP when FW-a comes back. But when I

Hello every one! I''m making a project to a discipline in the university and the project is make a Linux router that grants QoS to Multimedia connections (the prof. say we can use Open Source Soft. :) or reinvent the wheel). I have been googeling and googeling and i found the l7-filter in source forge and the spectacular simple language that is TCNG. Well the problem is how can i

Hi folks, A while back we had some discussions about integrating heartbeat and shorewall. Thanks to your help and the excellent state of Linux failover clustering, i''ve managed to install my high-availability firewall. I know there''s already a howto for it at http://www.xenos.net/library/hafirewall.html, but i thought i would document my setup for others, since it''s

Hi, Thanks for the reply. Mohan Sundaram wrote : > mark in iptables and use tc to classify using mark. Mark like this ? iptables -A INPUT -m layer7 --l7proto bittorrent -j MARK --set-mark 3 and then.. tc filter add dev eth0 protocol ip parent 1:0 1 handle 3 fw flowid 1:10 and lets say we have a flowid 1:3 declared to use at 60kbit ceil 60kbit Is that proper ? If so then it

Hi iam running FEDORA, i have installed Source of iptable 1.2.9 with the patch layer7-iptables patch done with out any errors and i applied patch in kernel to the layer 7 patch and i have select the required option by doing make menyconfig done make dep make bzImage make modules make modules_install make install and rebooted with customer kernel when i type iptables -t mangle -A

hi everybody. im trying to set up an QoS config, using layer7 (http://l7-filter.sourceforge.net/) for protocol detection. im suposing 3 clients with this configuration: 3 clients: 1.2.3.1 , 1.2.3.2 , 1.2.3.3 1.2.3.1 has 256kbit bandwidth "guaranteed" clients 1.2.3.2 and 1.2.3.3 has 256kbit bandwith so im marking every packet using layer7 iptables module, classifying them in three

Hello, its me again, I won''t stop sending emails to this list, until I solve this problem, I''ve tried several apps to create the right htb rules (even made them my self), but I always get the same results, traffic gets shaped, but I can''t use my bandwidth, and this is weird, because I should be able to, also I keep seeing download being limited too, and that

Hi all! I''m trying to shape traffic in a dorm''s network (4 mbit symmetrical internet link, about 200 computers, heavy p2p usage). The router is a p4xeon running linux 2.6.9 with the qnet patches (http://kem.p.lodz.pl/~peter/qnet/). When I activate ip_forward I get >20% packet loss and a lot of duplicates. Any ideas? I attach my shaping script. Thank you very much in advance,

Hi, I''m trying to enable ssh (when that works, want to add:pop3s,smtp,web) from the internet to the firewall but it does not work. I managed to DNAT ftp to a host in the loc network (192.168.0.50) successful but I don''t know why SSH: Does not work for me: ACCEPT net fw tcp 22 Works from the loc network: ACCEPT loc fw tcp 22 I have tried also with (no success): AllowSSH