Layer7 Issues



  • Hello,

    I am trying to block bittorrent using the Layer7 functionality. I am running:

    2.0-BETA4 (i386)
    built on Sun Nov 14 18:24:18 EST 2010
    FreeBSD 8.1-RELEASE-p1

    First I created the following l7 rule group:

    Then I created the following floating firewall rule (Pass, LAN, TCP/UDP, any, any, l7 BitTorrent container, log):

    The entries appear to be showing up in the logs, but nothing is actually being blocked. I am able to download from Pirate Bay using uTorrent with no issue. What am I doing wrong?



  • And here's the log if it helps any.



  • Try selecting quick on that floating rule, but that will give you a wide-open firewall.
    Or just try putting direction out and see if that works.
    The best place would be your default LAN rule, if you have only that rule on LAN.



  • The problem with applying it to the default LAN rule is that you have to change it to TCP/UDP, which means you'd have to create a second rule to allow the rest of the protocols. But either way, I changed the default LAN rule to TCP/UDP and applied the L7 container to it; it still doesn't work. So then I changed the default LAN rule back and created a new rule above the default LAN rule and applied the L7 container to it; it still didn't work. I tried setting the floating rule to In, Out, and Any; it still didn't work. Any other suggestions? I have read other posts where people are saying that this works great. I wonder what I'm doing wrong.



  • BTW it will not detect encrypted bittorrent.



  • I'm fine with that. This layer7 filter along with the Captive Portal and OpenDNS is sufficient for what we're trying to accomplish. But if I can't get this working then I need to look elsewhere.



  • Did you already try this with snort?



  • No, I have not tried it with snort. Is it easy to accomplish with snort? I just figure that this is exactly what this layer7 functionality is for. So nobody else has tried using this yet? Or if they have, is it working perfectly for them?



  • Just updated to the latest build (built on Sat Nov 27 04:12:08 EST 2010) and still no go. I have tried setting it with one floating rule (in/out), two floating rules (one in, one out), a rule before the default LAN rule, and on the default LAN rule itself. I have tried all those rules with tcp, udp, and tcp/udp. The entries still show up in the firewall log, but nothing is actually being blocked. I'm getting down to crunch time now. I've been rocking pfSense for quite some time now and love it, but this is probably a deal breaker for me going forward. I really don't want to start putting in ASAs (cost and ease of administration).



  • I have had that same problem these days (somewhat different, not L7), but similar. I wanted to block certain traffic which worked fine before but not now. Tried the same things with rules everywhere with no success. Because of that I was thinking that I was not able to do this job; tried it with v1.2.3 and it worked instantly.



  • Last night I tried (with an up-to-date snapshot) to add a Layer 7 rule to block SSH (and added HTML later as well as a test) to an existing LAN Pass rule. It blocked neither, though the traffic was logged as being outbound based on that rule, so it was that rule being applied, but nothing was blocked based on Layer 7.



  • So is this a bug then? If so, how do I go about submitting it? I saw some posts from earlier in the year where people had said this was working great for them. Maybe it worked in the earlier 2.0 builds?



  • Bugtracker is at http://redmine.pfsense.org/projects/pfsense/issues

    Whether it's a bug or not isn't my call, but I'd certainly call the lack of functionality on my end a bug, unless I'm doing it totally wrong. But I read a couple of threads about it, I'm pretty sure I'm doing what I'm supposed to be doing for it to work. If you submit it, the devs will make the call :-)



  • It's an old issue (6 months) that never got fixed, check this: http://redmine.pfsense.org/issues/636



  • I see you added a comment to the bug, I did as well. Hopefully it gets addressed soon.



  • Agree, I haven't been able to get this working either.

    Oh, while I'm here, does anyone know how to create different protocol containers to match a particular application? There are a fair few in the list, but not everything I require.

    Regards,



  • Voona, maybe take a minute to add a comment to the bug? As for custom sigs, they mention it in the L7 portion of the traffic shaping guide. I'm guessing eventually they'll have their own write-up for it, but for now they mention taking a look at the sourceforge page.

    http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Layer_7

    http://l7-filter.sourceforge.net/Pattern-HOWTO
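An added Python example (not from this thread, pfSense, or the l7-filter project) showing what the custom patterns from the Pattern-HOWTO do and why the earlier reply says encrypted BitTorrent is not detected: it parses a constructed pattern in the two-line l7-filter *.pat layout (name line, then regex, as assumed from the HOWTO) and classifies sample payloads, using Python's `re` as a stand-in for the filter's own regex engine.

```python
import re

# Constructed pattern text in the l7-filter *.pat layout (assumption):
# '#' comments, then the protocol name on one line, then the regex on the
# next. l7-filter matches these case-insensitively against the first few
# hundred bytes of a connection's payload. This regex is a simplified
# sample, not the project's shipped bittorrent.pat.
BITTORRENT_PAT = r"""
# bittorrent - constructed sample, plaintext handshake only
bittorrent
^\x13bittorrent protocol
"""


def parse_l7_pattern(text):
    """Return (protocol_name, compiled_regex) from pattern-file text."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if len(lines) < 2:
        raise ValueError("pattern file needs a name line and a regex line")
    name, pattern = lines[0], lines[1]
    # Compile as bytes so \xHH escapes compare against raw payload bytes,
    # mirroring l7-filter's case-insensitive byte matching.
    return name, re.compile(pattern.encode("latin-1"), re.IGNORECASE)


def classify(payload, patterns):
    """Return the first protocol name whose regex matches, else None."""
    for name, regex in patterns:
        if regex.search(payload):
            return name
    return None


# Constructed sample payloads (not captured traffic).
HANDSHAKE = (b"\x13BitTorrent protocol" + b"\x00" * 8
             + b"\x00" * 20 + b"-UT2000-" + b"\x00" * 12)
# Message Stream Encryption negotiates a key before the handshake, so the
# wire bytes look random and a plaintext regex never matches them.
ENCRYPTED = bytes(range(0x5B, 0x5B + 96))  # stand-in for opaque MSE bytes
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

PATTERNS = [parse_l7_pattern(BITTORRENT_PAT)]

if __name__ == "__main__":
    for label, data in (("handshake", HANDSHAKE), ("encrypted", ENCRYPTED),
                        ("http", HTTP_GET)):
        print(f"{label}: {classify(data, PATTERNS)}")
```

Only the plaintext handshake is classified as bittorrent; the encrypted stand-in and the HTTP request return None, which is the limitation to keep in mind when relying on an L7 container alone.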

