L7 not functional
-
Hello pfSense community :)
there is something weired going on with the L7 functionality.
I've tried for hours to get it working, without success - the problems are (running version: pfSense-2.0-ALPHA-ALPHA-2g-20091205-2144-nanobsd-upgrade) :only one pattern out of the 5 i've tried got detected at pattern matching : shoutcast
L7 - Container voice:
-ventrillo
-skyetoskype
-teamspeak
-shoutcastL7 - Container ftp:
-ftpIn my tests, i only activated one L7-container at once. When activating the voice container, just shoutcast is recognized as found-pattern while running shoutcast - the other protocols aren't getting caught.
Even the standalone ftp container isn't working. This seems a bit strange to me, since the FTP pattern is marked to be best quality at http://l7-filter.sourceforge.net/protocols.
I rebooted pfsense after each change, just to be sure.
The ipfw-classifyd loads at the system logs are okay, e.g. for my ftp container : ipfw-classifyd: Loaded Protocol: ftp (rule action block)
But i only get "Found Protocol" for shoutcast :
ipfw-classifyd: Found Protocol: shoutcast (…) -> refering to scenario1 shown in 2)enabling these L7 filters at Firewall -> Rules -> LAN
(i followed the instructions from http://roadtoqos.wordpress.com/) …. as shown in the screenshots i used as source adress my home pc , but i've also tried with source : any
my WAN / LAN settings are :
scenario1:
when setting up the L7 filter (shown as deactivated LAN-rule : L7 Voice and Stream) as first rule - some strange things happen:-after establishing ANY connection with ANY protocol, after about 20-30s the connection gets lost to my home Pc (shown as myPC in the settings)
-the pattern detection for shoutcast is here working (the others still don't) only for queues, block doesn't work even for this one … when trying to block shoutcast, the system log shows : ipfw-classifyd: Found Protocol: shoutcast (rule action block) - but no block occursexample firewall Logs for connection drops
http
shoutcast
scenario2:
when setting up the L7 filter (shown as deactivated LAN-rule : L7 Voice and Stream) as last rule just before block everything :
-not even the L7 Shoutcast filter works (neither block nor putting it to a specified queue)
-no connection dropsdid i something wrong or is there a bug in the L7 system ?
-
Please post your /tmp/rules.debug and a ps -ax command output.
It would be good if i can have you config.xml to see if anything is wrong too.
-
you've got a pm with the files
-
Please try the latest snapshot.
-
with the actual snapshot 12/12/09 L7 is still broken.
at first i've installed the "update" version , then a full install with a brand new config - no change at allso still :
-after enabling a random L7 rule (eg. FTP or shoutcast, doesn't matter which one) : the firewall drops now every connection to the WAN after a few seconds as shown in my first post regardless of the protocol used.
-assigning a L7 rule to block , doesn't block the specified L7-protocolnew since this version :
I created 4 L7 container, each of them containing only one L7 pattern assigned to a queue (with or without assigning the containers as firewall rule, doesn't matter):
Systemlog:
ipfw-classifyd: could not get ALTQ translation for queue qOthersHigh
ipfw-classifyd: could not get ALTQ translation for queue qOthersHigh
ipfw-classifyd: could not get ALTQ translation for queue qOthersDefault
ipfw-classifyd: could not get ALTQ translation for queue qOthersHighps:
-a bug i've seen during install : http://incubi.cwsurf.de/files/pfsense/bug.txt
-since the new version : i can't log in with ssh using my ssh-rsa key -> it is being rejected … password login still works (privileges : WebCfg - All pages, User - System - Shell account access) -
update :
running version pfSense-2.0-ALPHA-2g-20091213-1725-nanobsd-upgrade now
just tested again, and can now give more specific details about the L7-block issue :
-blocking a L7 protocol works, until the firewall blocks a not by the L7 matched traffic (which it shouldn't , like established http traffic as shown in the first post)
-when this happens, one can establish a connection with the blocked L7 protocol. -
update :
running version pfSense-2.0-ALPHA-2g-20091213-1725-nanobsd-upgrade now
just tested again, and can now give more specific details about the L7-block issue :
-blocking a L7 protocol works, until the firewall blocks a not by the L7 matched traffic (which it shouldn't , like established http traffic as shown in the first post)
-when this happens, one can establish a connection with the blocked L7 protocol.I've stumbled with this same issue also for a long time. Is this problem already fixed?
BR,
Tommi