Hi all. There is an interesting project that was called opendpi (originally by ipoque GmbH) and has recently been forked and maintained by the ntop guys under the nDPI label. It offers a new and currently maintained layer 7 (L7) packet identification library. It could definitely benefit from more eyes and development effort, but at present it gives a much better breakdown of traffic for ntop.
There is a netfilter library, originally by Elian Gidoni, that I have updated to use the nDPI fork: https://github.com/ewildgoose/ndpi-netfilter

The practical upshot is that you can do stuff like:

iptables -I FORWARD -m ndpi --WinUpdate -j LOG

or

iptables -I FORWARD -m ndpi --skype -j REJECT

In theory you can also filter Facebook, Twitter, etc. as specific named protocols - this ability is likely to be improved in the next iterations (i.e. be more configurable).

Another of the clever things that nDPI does is to try and classify SSL traffic by examining the name on the cert, a technique that seems likely to allow crude identification of significant traffic. (If the cert says "mail.google.com", have a guess what we are doing?)

The big picture here is that a lot of protocols are starting to look like "http", and increasingly more are just "https". Any filters are going to be reasonably easy for an active attacker to defeat (tunnel it some way), but I have a requirement to save users from themselves, and so we want to be able to do things like limiting Windows Update: disallow it over the expensive satellite connection and only allow it over the cheaper wifi (or 3G) connections. Simple filtering on http & https is quite useful in implementing that despite the limitations.

Forcing connections through squid has some limitations (and some advantages), but at present squid can't do some of the things we can do with nDPI, such as examining SSL certs.

There is still some way to go on this project, but I started pondering how I might express such rules in shorewall (and trying to avoid further overloading MARKs).

Kind regards

Ed W

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
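Worked example, added here and not taken from Ed's post or from the ndpi-netfilter project: a small POSIX shell script that emits the iptables rules for the Windows Update policy the post describes (log and reject it when it would leave via the satellite uplink, accept it via wifi), using the -m ndpi --WinUpdate match shown above. The interface names ppp0 and wlan0 and the helper names ndpi_rule and winupdate_policy are assumptions. By default the script only prints the commands so the rule set can be reviewed; it executes them only when invoked with "apply".

```shell
#!/bin/sh
# Added example (not from the original post or the ndpi-netfilter project):
# build iptables rules with the ndpi match from
# https://github.com/ewildgoose/ndpi-netfilter so that Windows Update is
# kept off an expensive satellite uplink but allowed over wifi.
# Interface names are constructed placeholders; override via environment.
SAT_IF="${SAT_IF:-ppp0}"     # assumption: the satellite link
WIFI_IF="${WIFI_IF:-wlan0}"  # assumption: the cheaper wifi link

# ndpi_rule CHAIN OUT_IF PROTO_FLAG TARGET
# Prints one iptables command: match the L7 protocol identified by nDPI
# (PROTO_FLAG is the ndpi match option, e.g. WinUpdate) on traffic that
# would leave through OUT_IF, and apply TARGET.
ndpi_rule() {
    printf 'iptables -A %s -o %s -m ndpi --%s -j %s\n' "$1" "$2" "$3" "$4"
}

# winupdate_policy
# Emits the full rule set, one command per line. LOG comes before REJECT
# so that blocked updates show up in the kernel log for troubleshooting;
# the same protocol match gets a different verdict per outbound interface.
winupdate_policy() {
    ndpi_rule FORWARD "$SAT_IF" WinUpdate LOG
    ndpi_rule FORWARD "$SAT_IF" WinUpdate REJECT
    ndpi_rule FORWARD "$WIFI_IF" WinUpdate ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    # Needs root and the ndpi netfilter module loaded; each emitted
    # command is executed in turn.
    winupdate_policy | while IFS= read -r cmd; do eval "$cmd"; done
else
    # Review mode: just show what would be applied.
    winupdate_policy
fi
```

Keying the verdict on the outbound interface (-o) is what turns a single protocol classification into a per-uplink policy, which is the cheaper-link-only behaviour described in the post; as the post notes, this controls well-behaved clients rather than someone deliberately tunnelling around it.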
