Using L7 to block traffic



  • I am looking for a way to block p2p apps (using layer7) and would like to use squid.  I want to configure to be a transparent bridge between another pfsense router and my lan.

I have started playing with 2.0 at home (Not production) and it looks like all the features I need are there.  With the exception that I can’t actually seem to make it block traffic via layer7.  I've been testing it with a very simple lan/wan NAT setup.  Using utorrent to test and layer7 enabled and set to block bit torrent as well as a few other p2p apps.  Is there more information on how this should work?  Is L7 currently working in the latest snapshots?  If it is then I must be doing something wrong.  If it is not I will wait patiently.



  • Squid is not a firewall and as such, you're not going to have much luck getting it to block traffic.  Squid is a proxy server and can be used to block access to websites though using access control lists.  You can use addons like SquidGuard and DansGuardian or you can write your own ACLs.  But if you want to block P2P traffic, Squid can't help you. :)



  • I apologize for not being more specific.  I should have said that I would ALSO like to use squid in the same box.  I already use pfsense firewalls.  What I want to be able to do is use another pfsense box as a filtering bridge.  I want to use L7 to block p2p.  (That's what I can't get to work.) And if possible I would like to use squid (in the same box) to reduce bandwidth consumption.  I'm not sure if sguid will work on a transparent bridge but that is of secondary concern.  What I am really trying to do is make use of the L7 filtering.



  • Is it so difficult for you people to just say what did you try?
    How did you try? (possibly with screenshots)
    What do you expect, that every member of a forum that writes "I cannot use my brain" we should reply?!



  • I am used to figuring these things out on my own.  I understand that 2.0 is still in the early alpha stages.  I have tried several different things.  All I want to know is if this new feature is currently functional AT ALL in the latest snapshots.  If it is I will continue to play with it until I make it work.  If it is not currently functional I am going to wait patiently and not waste my (or your) time.  Normally I can find all the information I need in the forum already but there is not much on this feature.



  • It is working as it was tested with bridge under 60-80mbit/s of real ISP traffic blocking p2p.

    Though there might be corner cases to it, that is why I am here asking for information.



  • Great news.  That's exactly how I want to set it up.  I created the bridge by assigning 2 interfaces (without ips), then assigned bridge0 as an opt interface set to receive an ip via DHCP.  I adjusted the advanced settings to enable filtering on bridged interfaces.  I then went to the traffic shaper L7 tab.  I added and enabled a rule specifying each p2p app in the list with action set to block.  In order to allow traffic through the bridge I added "allow all" rules to the interfaces.  I was able to pass traffic but I was also able to use bittorrent.  So I tried adding a block rule that applied to all protocols and at the bottom selected the L7 container I had created.  And put this rule at the top of the list, thinking that this would block all traffic that matched the L7 rules.  Apparently I was wrong because this caused the bridge to block all traffic.  So I guess my next question is: do I need a firewall rule in order to implement the L7 container?  If so could you give me an example?  Or could you post an example of your working configuration and I can take it from there?



  • You just create a rule for tcp or udp protocol and add the layer7 container to it. That's all there is to it.
    There is a trick if you want to do this on the bridge-assigned interface: you have to change the sysctl under system advanced to:

    net.link.bridge.pfil_member=0
    net.link.bridge.pfil_bridge=1

    or leave it untouched and just create the rule on the specific member interfaces.



  • So should the rule be (BLOCK)-(tcp/udp-any source or dest ip and port)-(L7 container)?  Because I tried that and it blocked ALL tcp/udp traffic.  Or should it be (PASS)-(tcp/udp-any source or dest ip and port)-(L7 container)? If it is supposed to be BLOCK then I must have just done something stupid without realizing it.

    Note: I got it.  Thanks for the help.  I just didn't understand how the firewall rules applied the L7 package.  Once I added a Pass rule with the L7 container it worked great.  Thanks again



  • Just for completeness.

    The layer7 rules override the rule decision. Usually there is no need to block everything and apply a layer7 rule to it!
    At least until we can support layer7 pass rules somehow (which I do not have plans to do for now or without being convinced to do so).
    I will add some validation rules so people do not get confused with this and can understand what they are doing wrong from the validation error message.



  • Hi all,
    I cannot get layer7 working …

    I added an l7 container "test" with just one protocol for test (subversion, but tried also with ssh, ...)
    l7 is flagged, I guess it means enabled, because if not the "test" container does not appear in the rules l7 combo box

    I added a rule in the floating zone with:

    • action: pass
    • TCP/UDP protocol
    • interface "LAN" (if I choose LAN & WAN, EVERYTHING gets blocked)
    • direction, source, dest: any, any, any
    • Layer7: "test"

    nothing gets blocked
    even if I turn on the "Log packets that are handled by this rule", nothing appears in the firewall log

    any suggestion on what I could test/log/... ?

    thanks in advance



  • I tried to put the rule in the LAN part (instead of the FLOATING part), just before the last default allow rule.
    I created a new l7 container, just blocking "dns" requests
    I put a new rule with protocol UDP & layer7 as the new container with "dns" block
    I am able to log the pass action, I see the dns requests in the log with pass action
    the dns request is logged but not blocked.

    the rule looks like it is working but it looks like either it is not passed to the l7 container or the l7 is not blocking



  • It seems that ipfw_classifyd is missing from recent snapshots. Here is the relevant init string from /etc/inc/shaper.inc :
        $ipfw_classifyd_init = "/usr/local/sbin/ipfw-classifyd -n 5 -q 700 -c {$path} -p " . $l7rules->GetRPort() . " -P /usr/local/share/protocols";
    and ls output is
      # ll /usr/local/sbin/ipfw-classifyd
      ls: /usr/local/sbin/ipfw-classifyd: No such file or directory
    I tried snapshot pfSense-2.0-ALPHA-ALPHA-20090804-1708.iso.gz and then upgraded to pfSense-2.0-ALPHA-ALPHA-20090819-2349.iso.gz

    Thanks
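The two pitfalls raised in this thread (rules must be attached to the right side of the bridge depending on the pfil sysctls, and ipfw-classifyd must actually be installed before a container can classify anything) can be checked before touching the rule set. The script below is an added example, not code from the thread or from the pfSense project; it is plain POSIX sh, takes its inputs as arguments so it can be dry-run with constructed values, and the live invocation at the bottom (commented out) feeds it the real sysctl values on the firewall.

```shell
#!/bin/sh
# Pre-flight check for pfSense 2.0 layer7 filtering on a bridge (added example).
# Inputs are passed as arguments so the checks can run offline with sample values.

# Given net.link.bridge.pfil_member and net.link.bridge.pfil_bridge, print which
# interface(s) pf rules (and therefore layer7 containers) must be created on.
bridge_rule_target() {
    member="$1"; bridge="$2"
    case "${member}:${bridge}" in
        0:1) echo "bridge";;     # rules go on the bridge-assigned interface (the OPTx with bridge0)
        1:0) echo "members";;    # the untouched setting from the thread: rules go on each member
        1:1) echo "both";;       # packets are filtered on the members and again on the bridge
        0:0) echo "none";;       # nothing is filtered at all, so no L7 rule can ever match
        *)   echo "invalid"; return 1;;
    esac
}

# The missing-binary symptom from this thread: the classifier daemon must exist
# and be executable, otherwise the pass rule logs traffic but never blocks it.
classifyd_present() {
    [ -x "$1" ]
}

# Full check: prints findings, returns 0 when layer7 can work, 1 otherwise.
l7_precheck() {
    member="$1"; bridge="$2"; classifyd="$3"
    status=0
    target=$(bridge_rule_target "$member" "$bridge") || status=1
    echo "pf rules carrying the layer7 container must be attached to: $target"
    if [ "$target" = "none" ]; then
        echo "WARNING: neither members nor bridge are filtered"; status=1
    fi
    if classifyd_present "$classifyd"; then
        echo "ipfw-classifyd found at $classifyd"
    else
        echo "WARNING: $classifyd missing; layer7 rules cannot classify traffic"; status=1
    fi
    echo "reminder: attach the container to a PASS rule; the container itself blocks matches"
    return $status
}

# Live use on the firewall (uncomment):
# l7_precheck "$(sysctl -n net.link.bridge.pfil_member)" \
#             "$(sysctl -n net.link.bridge.pfil_bridge)" /usr/local/sbin/ipfw-classifyd
```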



  • I just wanted to confirm that ipfw_classifyd is also missing from 2.0-ALPHA-ALPHA built on Sat Aug 22 01:39:53 UTC 2009 FreeBSD 7.2-RELEASE-p3 nanobsd platform, thus dashing my dreams of smiting flash video streams to 50kbits per user. :) Devs, I know you're busy, and this is alpha, so no problem.  I'll check again in a few weeks to see if it made its way back in.

    Would it be useful to add ipfw_classifyd to the services status menu?
    Josh

    @hracht:

    It seems that ipfw_classifyd is missing from recent snapshots. Here is the relevant init string from /etc/inc/shaper.inc :
        $ipfw_classifyd_init = "/usr/local/sbin/ipfw-classifyd -n 5 -q 700 -c {$path} -p " . $l7rules->GetRPort() . " -P /usr/local/share/protocols";
    and ls output is
       # ll /usr/local/sbin/ipfw-classifyd
       ls: /usr/local/sbin/ipfw-classifyd: No such file or directory
    I tried snapshot pfSense-2.0-ALPHA-ALPHA-20090804-1708.iso.gz and then upgraded to pfSense-2.0-ALPHA-ALPHA-20090819-2349.iso.gz

    Thanks



  • @ermal:

    At least until we can support layer7 pass rules somehow (which I do not have plans to do for now or without being convinced to do so).
    I will add some validation rules so people do not get confused with this and can understand what they are doing wrong from the validation error message.

    Did I get you right, Ermal?

    Is it really so that you cannot use L7-filtering for anything else than blocking? If that's the case, then I can not understand why there are other rules in the container than Action + Block?

    I thought that one has several options: To throttle (via Limiter), To forward (to a certain queue) and thirdly block using action. My intention is to use Traffic Shaping to throttle P2P, not to block it totally.

    @hracht:

    It seems that ipfw_classifyd is missing from recent snapshots. Here is the relevant init string from /etc/inc/shaper.inc :
        $ipfw_classifyd_init = "/usr/local/sbin/ipfw-classifyd -n 5 -q 700 -c {$path} -p " . $l7rules->GetRPort() . " -P /usr/local/share/protocols";
    and ls output is
      # ll /usr/local/sbin/ipfw-classifyd
      ls: /usr/local/sbin/ipfw-classifyd: No such file or directory
    I tried snapshot pfSense-2.0-ALPHA-ALPHA-20090804-1708.iso.gz and then upgraded to pfSense-2.0-ALPHA-ALPHA-20090819-2349.iso.gz

    BTW, Layer7 works very well in blocking P2P, so the missing file is now available in the newest snapshots.

    BR,

    Tommi

    edit: Some proof reading

