* [LARTC] linux box as vlan p2p limiter and firewall?
From: Andraz Sraka @ 2006-03-23 10:43 UTC (permalink / raw)
To: lartc
re
I would like to do some firewalling and p2p shaping/limiting on one of
the vlans in my network, and I was thinking of using a linux box as a
transparent bridged firewall/limiter. For this I'm planning to use an AMD64
2.2GHz box with 2 1gbit NICs (Broadcom 5721), that will be bridged. The
box must be totally transparent and unseen in the network, as well as it
should have much influence on network performance.
Can anyone give me some guidelines on where to begin and how to limit/shape
p2p traffic on that vlan. Is it even doable?? Any example
htb/ebtables/iptables configuration script will also help. :)
thanks in advance ..
regards,
Andraz
--
BOFH excuse #362:
Plasma conduit breach
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] linux box as vlan p2p limiter and firewall?
From: Carlos Blanquer @ 2006-03-23 15:58 UTC (permalink / raw)
To: lartc
On 3/23/06, Andraz Sraka <a@aufbix.org> wrote:
>
> re
>
> I would like to do some firewalling and p2p shaping/limiting on one of
> the vlans in my network and I was thinking of using linux box as
> transparent bridged firewall/limiter. For this I'm planning to use AMD64
> 2.2Ghz box with 2 1gbit NIC (Broadcom 5721), that will be bridged. The
> box must be totally transparent and unseen in the network, as well as it
> should have much influence on network performance.
I recommend (though I haven't done it, as I've had no need so far) using FreeBSD to
do that.
Bridging in BSD makes more sense than doing it in a Linux box.
> Can anyone give me some guidelines where to begin, how to limit/shape
> p2p traffic on that vlan. Is it even doable?? Any example
> htb/etables/iptables configuration script will also help. :)
It's totally possible; you can use any script found via google or any of
those that are travelling on this mailing list.
--
Sincerely,
Carlos.
-------------------------------
LTIM Member - http://ltim.uib.es
BkP Staff (Servidores, Gamer Area, Tesorean) -
http://www.balearikus-party.org
* RE: [LARTC] linux box as vlan p2p limiter and firewall?
From: Andraz Sraka @ 2006-03-23 16:10 UTC (permalink / raw)
To: lartc
re
On Thu, 2006-03-23 at 11:15 +0000, Roberto Scattini wrote:
> hi, you could try with this
>
> http://l7-filter.sourceforge.net/
>
> they have a good howto and some sample scripts (for bridge and
> non-bridge setup).
well, can l7-filter be used with ebtables? Because the vlan is trunked (cisco
term. = tagged), what about this scenario?
regards,
Andraz
--
BOFH excuse #327:
The POP server is out of Coke
* Re: [LARTC] linux box as vlan p2p limiter and firewall?
From: Andraz Sraka @ 2006-03-23 16:16 UTC (permalink / raw)
To: lartc
re
On Thu, 2006-03-23 at 16:58 +0100, Carlos Blanquer wrote:
> I recommend (so I haven't done it cos I have no needs up now) use
> FreeBSD to do that. Bridging in BSD has more sense than do it in a
> Linux box.
that was my second best choice ;-]
> It's totally possible, you can use any script found via google or any
> of that are travelling in this mail list.
True in a way, but still I was hoping that someone could give me more
specific guidelines on what the possibilities are and what the "best" way
to do it is. As I've already said, I need to do p2p limiting and
some basic firewalling on the data stream in a trunked (cisco term. = tagged)
vlan.
regards,
Andraz
--
BOFH excuse #327:
The POP server is out of Coke
* RE: [LARTC] linux box as vlan p2p limiter and firewall?
From: Roberto Scattini @ 2006-03-23 16:18 UTC (permalink / raw)
To: lartc
i don't know too much about cisco. i have used layer7 on a linux bridge using
the br-nf patch.
maybe this url can help you, but my knowledge stops there... :(
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
Roberto Scattini
> On Thu, 2006-03-23 at 11:15 +0000, Roberto Scattini wrote:
>> hi, you could try with this
>>
>> http://l7-filter.sourceforge.net/
>>
>> they have a good howto and some sample scripts (for bridge and
>> non-bridge setup).
> well can l7-filter be used with ebtables? Because vlan is trunked (cisco
> term. = tagged), what in this scenario?
> regards,
> Andraz
* Re: [LARTC] linux box as vlan p2p limiter and firewall?
From: Philip Gaw @ 2006-03-23 16:28 UTC (permalink / raw)
To: lartc
Andraz Sraka wrote:
> re
>
> On Thu, 2006-03-23 at 16:58 +0100, Carlos Blanquer wrote:
>
>> I recommend (so I haven't done it cos I have no needs up now) use
>> FreeBSD to do that. Bridging in BSD has more sense than do it in a
>> Linux box.
>
> that was my second best choice ;-]
>
>> It's totally possible, you can use any script found via google or any
>> of that are travelling in this mail list.
>
> True in a way, but still I was hoping that someone can give me more
> specific guidelines what are the possibilities and what's the "best" way
> to do it. Since I've already said, that I need to do p2p limiting and
> some basic firewalling on data stream in trunked (cisco term. = tagged)
> vlan.
>
> regards,
> Andraz
hey there. the best way to do this is with ebtables + vlans + qos on a linux
box. bsd shaping is basic at best, and junk at worst. altq cannot do
proper shaping over multiple interfaces (couldn't have, say, 10mbit shared
between 3 or 4 interfaces etc). certainly not in my experience.
linux is far superior for what you're wanting to do, can even do layer7
shaping.
vlans on linux, as someone said already, are just a basic eth0.x
interface, which you just shape/firewall etc in the same way as a normal
interface.
it's not difficult to set up. if you require any more info or help, feel
free to pm me off list. i have this exact setup.
* Re: [LARTC] linux box as vlan p2p limiter and firewall?
From: Philip Gaw @ 2006-03-23 16:29 UTC (permalink / raw)
To: lartc
Andraz Sraka wrote:
> re
>
> On Thu, 2006-03-23 at 11:15 +0000, Roberto Scattini wrote:
>
>> hi, you could try with this
>>
>> http://l7-filter.sourceforge.net/
>>
>> they have a good howto and some sample scripts (for bridge and
>> non-bridge setup).
>>
>
> well can l7-filter be used with etables? Because vlan is trunked (cisco
> term. = tagged), what in this scenario?
>
> regards,
> Andraz
i believe it can.
* RE: [LARTC] linux box as vlan p2p limiter and firewall?
From: Andraz Sraka @ 2006-03-23 16:39 UTC (permalink / raw)
To: lartc
On Thu, 2006-03-23 at 16:18 +0000, Roberto Scattini wrote:
> maybe this url can help you, but my knowledge stops there... :(
> http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
<http://l7-filter.sourceforge.net/L7-Netfilter-example> sounds
promising ..
regards,
Andraz
--
BOFH excuse #450:
Terrorists crashed an airplane into the server room, have to
remove /bin/laden. (rm -rf /bin/laden)
* Re: [LARTC] linux box as vlan p2p limiter and firewall?
From: Jason Boxman @ 2006-03-24 0:20 UTC (permalink / raw)
To: lartc
On Thursday 23 March 2006 11:39, Andraz Sraka wrote:
> On Thu, 2006-03-23 at 16:18 +0000, Roberto Scattini wrote:
> > maybe this url can help you, but my knowledge stops there... :(
> > http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
>
> <http://l7-filter.sourceforge.net/L7-Netfilter-example> sounds
> promising ..
I like L7, but be sure you're ready to write some pattern matches. I've been
using ipp2p[1] and it matches all my p2p traffic. ymmv of course.
[1] http://www.ipp2p.org/
--
Jason Boxman
http://edseek.com/ - Linux and FOSS stuff
* Re: [LARTC] linux box as vlan p2p limiter and firewall?
From: Andraz Sraka @ 2006-03-24 16:54 UTC (permalink / raw)
To: lartc
re
On Thu, 2006-03-23 at 19:20 -0500, Jason Boxman wrote:
> I like L7, but be sure you're ready to write some pattern matches. I've been
> using ipp2p[1] and it matches all my p2p traffic. ymmv of course.
>
> [1] http://www.ipp2p.org/
can newer 2.6 (2.6.15.x) kernels be patched with ipp2p? As far as I've
compared the two of them, the only difference (that I've noticed) is that
L7 uses patterns from userspace (written somewhere on the file system);
regards,
Andraz
* Re: [LARTC] linux box as vlan p2p limiter and firewall?
From: Klaus @ 2006-03-24 17:39 UTC (permalink / raw)
To: lartc
Hi,
Andraz Sraka wrote:
> re
>
> On Thu, 2006-03-23 at 19:20 -0500, Jason Boxman wrote:
>
>
>>I like L7, but be sure you're ready to write some pattern matches. I've been
>>using ipp2p[1] and it matches all my p2p traffic. ymmv of course.
>>
>>[1] http://www.ipp2p.org/
>
>
> can newer 2.6 (2.6.15.x) kernels be patched with ipp2p ? As far as I've
> compared the two them, the only difference (that I've noticed) is that
> L7 uses patterns from userspace (written somewhere on file system);
Yes and no.
l7-filter uses regular expressions as pattern matches, which is slower
and in some situations inaccurate. For example, you cannot compare one or
two bytes with the packet length.
Example:
http://l7-filter.sourceforge.net/layer7-protocols/protocols/edonkey.pat
<snip>
# God this is a mess. What an irritating protocol.
# This will match about 1% of streams with random data in them!
</snip>
This means 1% of packets will be matched by l7-filter as edonkey.
So almost all longer connections will get matched as edonkey, which
might make this filter unusable.
ipp2p is specialized to match p2p traffic by highly optimized, worst-case
stable layer 7 matches. It also tries to avoid misdetections as well as
possible.
I think if you would like to do complete traffic shaping for
http, ftp, ..., try l7-filter. But for p2p, I would recommend ipp2p!
regards,
Klaus, maintainer of ipp2p
* Re: [LARTC] linux box as vlan p2p limiter and firewall?
From: Jason Boxman @ 2006-03-24 19:07 UTC (permalink / raw)
To: lartc
Andraz Sraka wrote:
> re
>
> On Thu, 2006-03-23 at 19:20 -0500, Jason Boxman wrote:
>
>> I like L7, but be sure you're ready to write some pattern matches. I've
>> been
>> using ipp2p[1] and it matches all my p2p traffic. ymmv of course.
>>
>> [1] http://www.ipp2p.org/
>
> can newer 2.6 (2.6.15.x) kernels be patched with ipp2p ? As far as I've
> compared the two them, the only difference (that I've noticed) is that
> L7 uses patterns from userspace (written somewhere on file system);
Sure.
jasonb@rebecca:~$ uname -a
Linux rebecca 2.6.15.5-20060312 #1 Sun Mar 12 21:39:12 EST 2006 i686 GNU/Linu
I'm running the latest ipp2p beta on that without incident.
The major difference I've found is that you can (and must) write your own
patterns for L7. The stock patterns, at least for edonkey p2p, don't
work. ipp2p works out-of-the-box with what it supports, but you have to
hack C to make any changes.
I can't code C anyway, so I won't be making any changes. Nor do I have time
to perform packet analysis on edonkey/Overnet/Kademlia so L7 can match
those packets for me as ipp2p does by default.
So, ymmv as I said.
Also, ipp2p must be used in conjunction with CONNMARK, whereas you can simply
-j CLASSIFY L7 and you're done. You probably want a CONNMARK paired up with
ipp2p as it generally matches handshake packets only. The mark handles the
rest.
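Putting Philip's advice (bridge the eth0.x sub-interfaces and shape them like any other interface) and Jason's CONNMARK note into one script, as an added example that is not from the thread or from any of its posters: interface names, VLAN id, rates and the mark value are assumptions, and current iproute2 syntax stands in for the vconfig/brctl of 2006.

```shell
#!/bin/sh
# Added example, not from the thread: transparent bridge for one tagged VLAN,
# ipp2p + CONNMARK marking and an HTB class that caps the marked flows.
# Interface names, VLAN id, rates and the mark value are assumptions.
# Commands are only printed; run with RUN= (empty) as root to apply them.
RUN=${RUN:-echo}
LAN_IF=eth0; WAN_IF=eth1; VID=100; BR=br0
LINK_RATE=1000mbit; BULK_RATE=990mbit; P2P_RATE=1mbit; P2P_CEIL=2mbit; P2P_MARK=2

bridge_setup() {
  # Bridge only the VLAN sub-interfaces (eth0.100 <-> eth1.100); other VLANs
  # on the trunk are untouched. br0 gets no IP, so the box stays invisible.
  $RUN ip link add link "$LAN_IF" name "$LAN_IF.$VID" type vlan id "$VID"
  $RUN ip link add link "$WAN_IF" name "$WAN_IF.$VID" type vlan id "$VID"
  $RUN ip link add name "$BR" type bridge
  $RUN ip link set "$LAN_IF.$VID" master "$BR"
  $RUN ip link set "$WAN_IF.$VID" master "$BR"
  for i in "$LAN_IF" "$WAN_IF" "$LAN_IF.$VID" "$WAN_IF.$VID" "$BR"; do
    $RUN ip link set "$i" up
  done
  # Let bridged IPv4 frames traverse iptables (2006: the br-nf patch,
  # today: the br_netfilter module).
  $RUN sysctl -w net.bridge.bridge-nf-call-iptables=1
}

basic_firewall() {
  # Layer 2: only IPv4 and ARP may cross the bridge.
  $RUN ebtables -P FORWARD DROP
  $RUN ebtables -A FORWARD -p IPv4 -j ACCEPT
  $RUN ebtables -A FORWARD -p ARP -j ACCEPT
  # Layer 3: allow replies, drop new sessions entering from the WAN side.
  $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $RUN iptables -A FORWARD -m physdev --physdev-in "$WAN_IF.$VID" \
       -m conntrack --ctstate NEW -j DROP
}

p2p_mark_rules() {
  # ipp2p recognises handshake packets only, so the mark is saved in the
  # conntrack entry and restored onto every later packet of that flow.
  $RUN iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  $RUN iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
  $RUN iptables -t mangle -A PREROUTING -m ipp2p --ipp2p -j MARK --set-mark "$P2P_MARK"
  $RUN iptables -t mangle -A PREROUTING -m mark --mark "$P2P_MARK" -j CONNMARK --save-mark
}

shape_egress() {
  # HTB on one VLAN sub-interface (call once per direction): marked p2p
  # traffic goes to class 1:20, everything else to the default class 1:10.
  dev=$1
  $RUN tc qdisc add dev "$dev" root handle 1: htb default 10
  $RUN tc class add dev "$dev" parent 1: classid 1:1 htb rate "$LINK_RATE"
  $RUN tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$BULK_RATE" ceil "$LINK_RATE"
  $RUN tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "$P2P_RATE" ceil "$P2P_CEIL"
  $RUN tc filter add dev "$dev" parent 1: protocol ip prio 1 handle "$P2P_MARK" fw flowid 1:20
}

bridge_setup; basic_firewall; p2p_mark_rules
shape_egress "$LAN_IF.$VID"   # towards the LAN
shape_egress "$WAN_IF.$VID"   # towards the WAN
```

Shaping is applied on the egress side of each VLAN sub-interface, so both directions get their own HTB tree; the tc `fw` filter reads the mark that CONNMARK restored in mangle PREROUTING.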