* Firewall L7
From: Stephan Higuti @ 2007-04-18 12:38 UTC (permalink / raw)
To: netfilter
Hello guys.
I have an L7 firewall running as a bridge at my work.
The firewall is blocking Gmail, Hotmail, and attachments from my mail
server....
Can anybody help me? =D
Best Regards
Stephan
--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam@hotmail.com
Email: higuti.sam@gmail.com
---------------------------------------------------------------------
* Re: Firewall L7
From: Pablo Sanchez @ 2007-04-18 12:42 UTC (permalink / raw)
To: netfilter
On Wednesday 18 April 2007 at 8:38 am, Stephan Higuti etched:
> Hello guys.
>
> I have an L7 firewall running as a bridge at my work. The firewall is
> blocking Gmail, Hotmail, and attachments from my mail server....
> Can anybody help me? =D
If you have a home server, you can tunnel from work to it and
circumvent the 'problem'.
Depending on what you're running on your desktop at work (Unix or
Windows), you can use either ssh or PuTTY to create a local SOCKS
server, which tunnels to your home server.
If work blocks port 22, set up your sshd daemon at home to listen on
port 443. ;)
Cheers,
---
pablo
* Re: Firewall L7
From: Leonardo Rodrigues Magalhães @ 2007-04-18 12:44 UTC (permalink / raw)
To: Stephan Higuti; +Cc: netfilter
What is your question? What is your problem? Please tell us what's
wrong....
Or.... are you trying to bypass your work's blocking rules? Is that it?
Stephan Higuti wrote:
> Hello guys.
>
> I have an L7 firewall running as a bridge at my work.
> The firewall is blocking Gmail, Hotmail, and attachments from my mail
> server....
> Can anybody help me? =D
>
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email to it:
gertrudes@solutti.com.br
* Re: Firewall L7
From: Stephan Higuti @ 2007-04-19 18:15 UTC (permalink / raw)
To: Leonardo Rodrigues Magalhães; +Cc: netfilter
My rulez....
#!/bin/sh
## Flushing the IPTABLES rules
iptables -F
iptables -t nat -F
iptables -t mangle -F

## Enabling packet forwarding ##
echo 1 > /proc/sys/net/ipv4/ip_forward

## Loading IPTABLES modules ##
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ipt_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_limit
modprobe ipt_REJECT
modprobe ipt_layer7

# Creating NAT for the whole network.
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE

## Enabling Layer 7 rules
# Blocking Skype-to-Skype
iptables -A FORWARD -m layer7 --l7proto skypetoskype -j DROP

# Blocking SkypeOut
iptables -A FORWARD -m layer7 --l7proto skypeout -j DROP

# Blocking Messenger
#iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
#iptables -A PREROUTING -m layer7 --l7proto msnmessenger -j DROP
iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP

# Blocking the goddamn ORKUT by string, using the bm algorithm (kmp can be used too)
iptables -t filter -A FORWARD -m string --algo bm --string "orkut" -j DROP

# Blocking torrents
iptables -t filter -A FORWARD -m layer7 --l7proto bittorrent -j DROP

# Switching to stateful
#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
These rules are blockin' gmail, hotmail and my mail server.....
But it's just a few rulez....
Something wrong?
Cheers
Stephan
--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam@hotmail.com
Email: higuti.sam@gmail.com
---------------------------------------------------------------------
* Re: Firewall L7
From: Stephan Higuti @ 2007-05-11 17:53 UTC (permalink / raw)
To: Juan León; +Cc: netfilter
Thanks for the help, guys!
It works!
Just another question....
What do I do to let one IP pass freely through my bridge firewall (L7)?
I need an IP that can access everything.......
Best Regards
Stephan
On 4/19/07, Juan León <debjuanca@gmail.com> wrote:
>
> Hi Stephan, from my experience with firewalling, you can try using these
> rules together with yours.
>
> Let's take a close look at your rules.
>
> #iptables -t filter -A FORWARD -m string --string "orkut" -j DROP --algo bm
>
> Maybe this line is associated with Gmail; I suggest you use a proxy to match
> strings like orkut.
> Read Oscar Andreasson's paragraph:
>
> "For example, if we use a string match and match for a specific string
> inside the packet, lets say get /index.html. Will that work? Normally, yes.
> However, if the packet size is very small, it will not. The reason is that
> iptables is built to work on a per packet basis, which means that if the
> string is split into several separate packets, iptables will not see that
> whole string. For this reason, you are much, much better off using a proxy
> of some sort for filtering in the application layer"
>
> For Hotmail you can add this line just above every FORWARD line (see
> "-I"); the same for your mail.server.com:
>
> #iptables -I FORWARD -d www.hotmail.com -j ACCEPT
> #iptables -I FORWARD -d mail.server.com -j ACCEPT
>
> Hope this helps.
>
> 2007/4/19, Stephan Higuti <higuti.sam@gmail.com>:
> > My rulez....
> >
> > ## Flushing the IPTABLES rules
> > iptables -F
> > iptables -t nat -F
> > iptables -t mangle -F
> >
> > ## Enabling packet forwarding ##
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > ## Loading IPTABLES modules ##
> > modprobe iptable_nat
> > modprobe ip_nat_ftp
> > modprobe ip_conntrack
> > modprobe ipt_conntrack
> > modprobe ip_conntrack_ftp
> > modprobe ip_tables
> > modprobe ipt_LOG
> > modprobe ipt_limit
> > modprobe ipt_REJECT
> > modprobe ipt_layer7
> >
> > # Creating NAT for the whole network.
> > #iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
> >
> > ## Enabling Layer 7 rules
> > # Blocking Skype-to-Skype
> > iptables -A FORWARD -m layer7 --l7proto skypetoskype -j DROP
> >
> > # Blocking SkypeOut
> > iptables -A FORWARD -m layer7 --l7proto skypeout -j DROP
> >
> > # Blocking Messenger
> > #iptables -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
> > #iptables -A PREROUTING -m layer7 --l7proto msnmessenger -j DROP
> > iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
> >
> > # Blocking the goddamn ORKUT by string, using the bm algorithm (kmp can be used too)
> > iptables -t filter -A FORWARD -m string --string "orkut" -j DROP --algo bm
> >
> > # Blocking torrents
> > iptables -t filter -A FORWARD -m layer7 --l7proto bittorrent -j DROP
> >
> > # Switching to stateful
> > #iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> >
> > These rules are blockin' gmail, hotmail and my mail server.....
> > But its just a few rulez....
> > Some wrong?
> >
> > Cheers
> >
> > Stephan
> >
> > --
> > ---------------------------------------------------------------------
> > Stephan Higuti
> > MSN: higutisam@hotmail.com
> > Email: higuti.sam@gmail.com
> > ---------------------------------------------------------------------
> >
--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam@hotmail.com
Email: higuti.sam@gmail.com
---------------------------------------------------------------------
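What Juan's advice looks like when written out as a complete FORWARD chain, as an added example that is not code from the thread or from Stephan's script: the per-host ACCEPT rules (www.hotmail.com and the mail server from Juan's reply, plus the one host that must reach everything, which is the follow-up question above) are placed before every DROP so they are evaluated first, the layer7 rules keep their position, and the "orkut" string match is confined to HTTP requests instead of every forwarded packet, with a rate-limited LOG before the DROP so the packet counters and kernel log show which rule actually fired. The mail server name, the exempt address, the IPT wrapper and the DRY_RUN switch are assumptions of this example. The string match is still evaluated per packet, as the tutorial paragraph Juan quotes warns, so a proxy remains the right place for content filtering.

```shell
#!/bin/sh
# Added example, not code from the thread or from Stephan's script: a
# FORWARD rule order that applies Juan's advice. The mail server name,
# the exempt address, the IPT wrapper and DRY_RUN are assumptions here.

# With DRY_RUN=1 the iptables commands are printed instead of executed,
# so the resulting rule order can be reviewed on any host.
IPT() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Hosts that the content filters must never catch (constructed values).
MAIL_SERVER="${MAIL_SERVER:-mail.server.example}"
EXEMPT_IP="${EXEMPT_IP:-192.168.0.50}"

# On a bridge, FORWARD only sees bridged frames while this sysctl is 1
# (the default on the 2.6 kernels of the thread's era).
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

build_forward_rules() {
    IPT -F FORWARD

    # 1. Per-host exemptions go first, so they win over every DROP below:
    #    the host that must reach everything, then the mail server and
    #    Hotmail as Juan suggested.
    IPT -A FORWARD -s "$EXEMPT_IP" -j ACCEPT
    IPT -A FORWARD -d "$EXEMPT_IP" -j ACCEPT
    IPT -A FORWARD -d "$MAIL_SERVER" -j ACCEPT
    IPT -A FORWARD -s "$MAIL_SERVER" -j ACCEPT
    IPT -A FORWARD -d www.hotmail.com -j ACCEPT

    # 2. Protocol blocks. No blanket RELATED,ESTABLISHED ACCEPT is placed
    #    before these: l7-filter classifies a connection from its first
    #    data packets, which are already ESTABLISHED, and would never see
    #    them if such a rule came first.
    IPT -A FORWARD -m layer7 --l7proto skypetoskype -j DROP
    IPT -A FORWARD -m layer7 --l7proto skypeout -j DROP
    IPT -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
    IPT -A FORWARD -m layer7 --l7proto bittorrent -j DROP

    # 3. The string match limited to HTTP requests (TCP to port 80) rather
    #    than every forwarded packet, logged (rate-limited) before the DROP
    #    so the kernel log and packet counters show what really matched.
    #    It is still a per-packet match, as the quoted tutorial says.
    IPT -A FORWARD -p tcp --dport 80 -m string --algo bm --string "orkut" \
        -m limit --limit 5/min -j LOG --log-prefix "FORWARD-orkut: "
    IPT -A FORWARD -p tcp --dport 80 -m string --algo bm --string "orkut" -j DROP
}

# Usage: sh rules.sh apply              (as root on the bridge)
#        DRY_RUN=1 sh rules.sh apply    (only print the commands)
if [ "${1:-}" = "apply" ]; then
    if [ "${DRY_RUN:-0}" != "1" ] && ! bridge_nf_enabled; then
        echo "warning: bridge-nf-call-iptables is not 1; FORWARD will not see bridged frames" >&2
    fi
    build_forward_rules
fi
```

Run it once with DRY_RUN=1 and read the printed order top to bottom: every ACCEPT must appear above the first DROP, which is exactly what the "-I" in Juan's reply achieves by inserting at the head of the chain.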
* Re: Firewall L7
From: Stephan Higuti @ 2007-05-14 17:17 UTC (permalink / raw)
To: Sébastien CRAMATTE; +Cc: netfilter
Thankz guys!
My block rules aren't working!
I'm using these rules to block the MSN protocol...
iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
Any idea?
Best Regards
Stephan
--
---------------------------------------------------------------------
Stephan Higuti
MSN: higutisam@hotmail.com
Email: higuti.sam@gmail.com
---------------------------------------------------------------------
* Re: Firewall L7
From: Fernando R. Durso @ 2007-05-14 18:13 UTC (permalink / raw)
To: Stephan Higuti, netfilter
Run an ls /lib/iptables/ or /usr/lib/iptables (or wherever your iptables
libs are) and look for
libipt_layer7.so. If you don't find it, it's because your kernel and/or
iptables compilation has failed.... By the way, you can remove the "-t
filter".
Stephan Higuti wrote:
> Thankz guys!
>
> My block rules aren't working!
> I'm using these rules to block the MSN protocol...
>
> iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
>
> Any idea?
>
> Best Regards
>
> Stephan
>
> --
> ---------------------------------------------------------------------
> Stephan Higuti
> MSN: higutisam@hotmail.com
> Email: higuti.sam@gmail.com
> ---------------------------------------------------------------------
>
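The check Fernando describes, written out as an added example that is not code from the thread: it looks for the layer7 userspace extension in the usual iptables library directories, checks whether the layer7 kernel module is loaded or at least available, and confirms the pattern directory is present, since a "-m layer7" rule is only as good as those three pieces. The directory list, the xt_ names used by later l7-filter releases and the /etc/l7-protocols pattern location are assumptions of this example. The last function is for Jan's point that "it isn't working" is not a diagnosis: the per-rule packet counters say whether the rule has ever matched.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that the layer7 match
# is really installed before debugging -m layer7 rules that "don't work".
# The directory list, the xt_ names used by newer l7-filter releases and
# the /etc/l7-protocols pattern directory are assumptions of this example.

# Print the first directory among the arguments that contains the layer7
# userspace extension; return 1 if none does.
find_l7_lib() {
    for dir in "$@"; do
        if [ -f "$dir/libipt_layer7.so" ] || [ -f "$dir/libxt_layer7.so" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Return 0 if a layer7 kernel module is currently loaded. The module list
# defaults to /proc/modules; a file path may be passed in for testing.
l7_module_loaded() {
    grep -qE '^(ipt|xt)_layer7 ' "${1:-/proc/modules}" 2>/dev/null
}

DEFAULT_L7_DIRS="/lib/iptables /usr/lib/iptables /usr/local/lib/iptables /lib/xtables /usr/lib/xtables /usr/lib64/xtables"

# Run all three checks and report; non-zero status if anything that
# "-m layer7" depends on is missing.
check_layer7() {
    status=0
    if dir=$(find_l7_lib $DEFAULT_L7_DIRS); then
        echo "ok: layer7 userspace extension found in $dir"
    else
        echo "MISSING: libipt_layer7.so / libxt_layer7.so (iptables was not built with the l7 patch)"
        status=1
    fi
    if l7_module_loaded; then
        echo "ok: layer7 kernel module is loaded"
    elif modinfo ipt_layer7 >/dev/null 2>&1 || modinfo xt_layer7 >/dev/null 2>&1; then
        echo "WARN: layer7 kernel module is available but not loaded (modprobe it first)"
    else
        echo "MISSING: layer7 kernel module (kernel was not built with the l7 patch)"
        status=1
    fi
    if [ -d /etc/l7-protocols ]; then
        echo "ok: pattern directory /etc/l7-protocols present ($(ls /etc/l7-protocols/*.pat 2>/dev/null | wc -l) top-level patterns)"
    else
        echo "MISSING: /etc/l7-protocols (install the l7-protocols pattern package)"
        status=1
    fi
    return $status
}

# Packet and byte counters per FORWARD rule: a layer7 or string rule whose
# counters stay at zero has never matched anything. Run as root.
show_forward_counters() {
    iptables -L FORWARD -v -n -x | grep -E 'Chain|layer7|STRING|string'
}

if [ "${1:-}" = "check" ]; then
    check_layer7
elif [ "${1:-}" = "counters" ]; then
    show_forward_counters
fi
```

Run it as "sh l7check.sh check" on the firewall; a MISSING line for the userspace extension is the case Fernando points at (the build did not produce libipt_layer7.so), and the counters view is the precise description Jan is asking for.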
* Re: Firewall L7
From: Jan Engelhardt @ 2007-05-14 20:03 UTC (permalink / raw)
To: Stephan Higuti; +Cc: netfilter
On May 14 2007 14:17, Stephan Higuti wrote:
> My block rules aren't working!
That is _not_ a precise error description.
> I'm using these rules to block the MSN protocol...
> iptables -t filter -A FORWARD -m layer7 --l7proto msnmessenger -j DROP
Jan