Layer7 removed from traffic shaper
-
In version 2.3, Layer7 was removed because they say it was not really used, cost CPU load, and Snort works better.
Ok, but my concern is that:
1. Previous users are already using this feature. If other users don't use this feature and still some other users use it, why remove it? Why don't you just make it like a package that they can remove or install if they need it?
2. If Snort works better than using Layer 7, can we configure Snort to apply rules per alias? Or can you at least give a wiki on how to configure Snort to apply certain rules per alias, so that we have an option after removing Layer 7?
-
We didn't remove a working feature that was still used. The primary reason it was removed was because it had been completely broken on 2.2.x and 2.3.x.
The other reasons are reasons it wasn't fixed, and so it was removed instead.
-
How can you say it's broken? What part?
-
For all of 2.2.x if you assigned an L7 container to a rule, it would not pass traffic at all, no matter how the L7 container was set. It was completely non-functional.
-
Who broke it, if I may ask?
On the other hand, what was the last version in which Layer7 was functional?
-
Nobody broke it intentionally, it never worked once we moved to a FreeBSD 10.x base, and there was never enough demand for it to spend time/money/resources on fixing it since it was rarely used, slow, and poor at its job of classification. The patterns were years old and not matching current protocols properly.
-
OK. It was said for pfSense 2.3 that Snort was much more efficient for it. My problem is, I don't think I can apply specific Snort rules per alias, or can you?
Do you have any suggestion for doing this in lieu of Layer7 after its removal?
-
Why not try snort and see if it meets your needs rather than preemptively complaining about unknowns?
-
As posted above, I am not aware of how Snort rules can be applied per alias. If they can be, why not.
-
That is a question you have to ask in a new thread in the appropriate board. In this case, the IDP/IPS board under Packages.