RE: String Match (Cesar)

IMHO this is the main disadvantage of FreeBSD and IPFW. Sure, Linux has better support for string matching for IPS.

--

Message: 1
Date: Wed, 9 Nov 2005 11:52:35 -0300
From: Cesar [EMAIL PROTECTED]
Subject: String Match
To: freebsd-ipfw@freebsd.org

An interesting thing in iptables is the option to match strings, like this example:

    iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j REJECT --reject-with tcp-reset
    iptables -A FORWARD -p TCP -m string --string "GET /announce" -j REJECT --reject-with tcp-reset

Did anyone write a similar patch for ipfw? Or ... is this something desirable for ipfw which the developers will put in in the future?

Thanks

___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: String Match

Sorry for my bad explanation ... I want to do with ipfw what IPP2P (http://www.ipp2p.org) does; it uses a modification in the Linux kernel/iptables, some kind of string match, to identify P2P traffic. Nowadays I use port-based rules to limit P2P traffic, which is not a good solution since most P2P programs are using random ports.

----- Original Message -----
From: Oliver Fromme [EMAIL PROTECTED]
To: freebsd-ipfw@FreeBSD.ORG
Sent: Thursday, November 10, 2005 10:57 AM
Subject: Re: String Match

> I can't think of any real-world examples where string-matching would be useful and work reliably. The above examples do not work reliably, because the rules would also have rejected your email to this mailing list. ;-)
>
> If you want to filter on application level (e.g. certain HTTP GET commands like the one above), you should do it in the application (e.g. apache). That's not the job of a packet filter.
>
> Best regards
> Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
> Services with a focus on FreeBSD: http://www.secnetix.de/bsd
> Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.
>
> "Unix gives you just enough rope to hang yourself -- and then a couple of more feet, just to be sure." -- Eric Allman
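Oliver's false-positive point, as an added illustration that is not part of the thread: a bare substring search (what `-m string` does) against a constructed e-mail that merely quotes the two rules, beside checks anchored to the BitTorrent handshake framing and to the HTTP request line. The sample payloads below are constructed, not captured traffic.

```python
import re

# BitTorrent peer-wire handshake framing at the very start of the stream:
# <pstrlen=19><"BitTorrent protocol"><8 reserved><20-byte info_hash><20-byte peer_id>
BT_PSTR = b"BitTorrent protocol"
BT_HANDSHAKE_LEN = 1 + len(BT_PSTR) + 8 + 20 + 20  # 68 bytes
# HTTP request line; the tracker path must be the request target, not just present in the body
_REQUEST_LINE = re.compile(rb"^GET (/[^ \r\n]*) HTTP/1\.[01]\r\n")

def naive_string_match(payload: bytes, needle: bytes) -> bool:
    """What `-m string --string <needle>` does: a substring search anywhere in the packet."""
    return needle in payload

def is_bittorrent_handshake(payload: bytes) -> bool:
    """Match only a correctly framed handshake at offset 0 (i.e. the stream's first segment)."""
    if len(payload) < BT_HANDSHAKE_LEN:
        return False
    return payload[0] == len(BT_PSTR) and payload[1:1 + len(BT_PSTR)] == BT_PSTR

def is_tracker_announce(payload: bytes) -> bool:
    """Match only an HTTP request whose request-line path (query string stripped) is /announce."""
    m = _REQUEST_LINE.match(payload)
    if not m:
        return False
    return m.group(1).split(b"?", 1)[0] == b"/announce"

# Constructed sample payloads (not captured traffic).
EMAIL_QUOTING_RULES = (
    b"From: cesar@example.invalid\r\nTo: freebsd-ipfw@freebsd.org\r\n"
    b"Subject: String Match\r\n\r\n"
    b'iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j REJECT\r\n'
    b'iptables -A FORWARD -p TCP -m string --string "GET /announce" -j REJECT\r\n'
)
REAL_HANDSHAKE = bytes([19]) + BT_PSTR + bytes(8) + b"\x11" * 20 + b"-XX0001-" + b"\x22" * 12
REAL_ANNOUNCE = (
    b"GET /announce?info_hash=%11%11&port=6881 HTTP/1.1\r\n"
    b"Host: tracker.example.invalid\r\n\r\n"
)

def classify(payload: bytes) -> dict:
    """Side-by-side verdicts of the naive rules and the structure-aware checks."""
    return {
        "naive_bt": naive_string_match(payload, BT_PSTR),
        "naive_announce": naive_string_match(payload, b"GET /announce"),
        "bt_handshake": is_bittorrent_handshake(payload),
        "tracker_announce": is_tracker_announce(payload),
    }

if __name__ == "__main__":
    for name in ("EMAIL_QUOTING_RULES", "REAL_HANDSHAKE", "REAL_ANNOUNCE"):
        print(name, classify(globals()[name]))
```

The e-mail trips both naive rules and neither structured check; the structured checks still only see one segment at a time, so a handshake split across segments needs stream reassembly, which a stateless packet filter does not do.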
Re: String Match

It's not a bad idea, since I see a lot of people searching for P2P traffic control/shaping. I'm operating an ISP with 3000 broadband users ... And yes, I can call them untrusted, but this is not the point. With ipfw I can do per-IP traffic shaping, but what about if I can limit an IP to 256kbps and say that this IP will be able to use only 128Kbps for P2P traffic?

As I said, I do this nowadays by creating rules based on P2P ports, as m0n0wall does too. However, it is not as efficient as iptables is. I tried a Linux-based system (Mikrotik) to limit P2P and it matched almost 100% of P2P traffic ... And as far as I know, ipfw can't do this. And maybe this kind of string match can become useful for other things.

Cesar

----- Original Message -----
From: Oliver Fromme [EMAIL PROTECTED]
To: freebsd-ipfw@FreeBSD.ORG
Sent: Thursday, November 10, 2005 12:55 PM
Subject: Re: String Match

> Cesar [EMAIL PROTECTED] wrote:
> > Sorry for my bad explanation ... I want to do with ipfw what IPP2P (http://www.ipp2p.org) does; it uses a modification in the Linux kernel/iptables, some kind of string match, to identify P2P traffic.
>
> Which is basically a bad idea, as I have explained in my previous mail.
>
> > Nowadays I use port-based rules to limit P2P traffic, which is not a good solution since most P2P programs are using random ports.
>
> May I ask why you need to do that? Are you operating an internet router for untrusted users?
>
> Best regards
> Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
> Services with a focus on FreeBSD: http://www.secnetix.de/bsd
> Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.
>
> "I invented Ctrl-Alt-Delete, but Bill Gates made it famous." -- David Bradley, original IBM PC design team
Re: String Match

On Wednesday 09 November 2005 15:52, Cesar wrote:
> An interesting thing in iptables is the option to match strings, like this example:
>
>     iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j REJECT --reject-with tcp-reset
>     iptables -A FORWARD -p TCP -m string --string "GET /announce" -j REJECT --reject-with tcp-reset
>
> Did anyone write a similar patch for ipfw? Or ... is this something desirable for ipfw which the developers will put in in the future?

As Oliver pointed out, this is not a good idea. If you still want to do it, why don't you hook a filter into a divert socket? It's certainly *not* a good idea to bloat IPFW (or any other general purpose packet filter) with a generally useless feature like this. If you think you need something special, you can either do it in userland (via divert or bpf), or you could just do an independent pfil(9) consumer module; finally, there is netgraph.

--
Best regards,                     | [EMAIL PROTECTED]
Max Laier                         | ICQ #67774661
http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
ASCII Ribbon Campaign             | Against HTML Mail and News
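The divert-socket route Max suggests, as an added sketch that is not from the thread: ipfw hands matching packets to a userland process, which writes back the ones it allows and silently drops the rest. Assumed here, not stated in the thread: a rule such as `ipfw add 100 divert 8668 tcp from any to any`, FreeBSD's IPPROTO_DIVERT value of 258 (Python's socket module does not export it), and a deliberately minimal policy that withholds only the segment opening a BitTorrent handshake; `build_tcp_packet` exists only to exercise the policy offline.

```python
import socket
import struct
from typing import Optional

IPPROTO_DIVERT = 258   # FreeBSD value (assumption: not exported by Python's socket module)
DIVERT_PORT = 8668     # must match the port in the assumed ipfw divert rule
BT_HANDSHAKE_PREFIX = bytes([19]) + b"BitTorrent protocol"

def tcp_payload(packet: bytes) -> Optional[bytes]:
    """Return the TCP payload of a raw IPv4 packet, or None if it is not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 20:
        return None
    data_off = (packet[ihl + 12] >> 4) * 4            # TCP data offset in bytes
    return packet[ihl + data_off:]

def should_forward(packet: bytes) -> bool:
    """Policy: reinject everything except a segment that opens a BitTorrent handshake."""
    payload = tcp_payload(packet)
    return payload is None or not payload.startswith(BT_HANDSHAKE_PREFIX)

def build_tcp_packet(payload: bytes, sport: int = 6881, dport: int = 40000) -> bytes:
    """Constructed IPv4/TCP packet (checksums left zero) for testing the policy offline."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def divert_loop() -> None:
    """Read packets from the divert socket and reinject those the policy allows (FreeBSD only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT) as s:
        s.bind(("0.0.0.0", DIVERT_PORT))
        while True:
            packet, addr = s.recvfrom(65535)
            # addr carries the rule number ipfw resumes at; not sending the packet back drops it
            if should_forward(packet):
                s.sendto(packet, addr)

if __name__ == "__main__":
    divert_loop()
```

The policy sees one packet at a time, so it has the same per-segment limitation as the iptables rule; a production filter would track connection state rather than inspect each segment in isolation.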
Re: String Match

On Thursday 10 November 2005 11:23, Max Laier wrote:
> On Wednesday 09 November 2005 15:52, Cesar wrote:
> > An interesting thing in iptables is the option to match strings, like this example:
> >
> >     iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j REJECT --reject-with tcp-reset
> >     iptables -A FORWARD -p TCP -m string --string "GET /announce" -j REJECT --reject-with tcp-reset
> >
> > Did anyone write a similar patch for ipfw? Or ... is this something desirable for ipfw which the developers will put in in the future?
>
> As Oliver pointed out, this is not a good idea. If you still want to do it, why don't you hook a filter into a divert socket? It's certainly *not* a good idea to bloat IPFW (or any other general purpose packet filter) with a generally useless feature like this. If you think you need something special, you can either do it in userland (via divert or bpf), or you could just do an independent pfil(9) consumer module; finally, there is netgraph.

snort_inline (ports/security/snort_inline) may also be useful for what you want.

--
Darcy Buskermolen
Wavefire Technologies Corp.
http://www.wavefire.com
ph: 250.717.0200
fx: 250.763.1759