Custom layer7 pattern doesn't work
I am trying to block outgoing SIP SUBSCRIBE requests using Layer 7. I don't want to block SIP entirely, I just need to block the SUBSCRIBE requests which are annoying for our SIP provider and cannot be disabled on the phones themselves.
I'm running pfSense 2.0.1. It seems that uploading custom patterns doesn't work (when I go to upload section, browse a file and upload it, the browser just returns to the upload page and nothing seems to happen). So I just logged in via ssh and created a new file /usr/local/share/protocols/sip-subscribe.pat. Initially I had a more complex regex in the file, but during testing I have trimmed down the file content to just:
I do understand this is way too broad for real use, but I'm just trying to find out if I can get any L7 blocking working at all. Watching the traffic with tcpdump, I can clearly see SUBSCRIBE in the packets, so this should match.
Anyway, I created a new L7 container named 'sip-subscribe' which only contains the protocol 'sip-subscribe' and added a pass rule on LAN interface in the firewall, specifying 'sip-subscribe' as the L7 container under advanced rule options and setting protocol to TCP/UDP. Everything else (src ip and port, dst ip and port etc) I left as defaults.
When I now run tcpdump on the WAN interface, I can still see that SIP SUBSCRIBE packets are going out to our SIP provider, so blocking doesn't seem to be working.
For testing, I modified my L7 container and changed the protocol from 'sip-subscribe' to 'ftp'. This successfully blocked my attempts to initiate outgoing FTP sessions. So I understand that I basically have L7 filtering set up correctly, there's just something wrong with adding the custom protocol. Do I need to do something more than just put a .pat file into /usr/local/share/protocols ?
P.S. After I had written the post this far, I clicked on "Preview". The browser hung on "Fetching preview". I then understood that I have the word "SUBSCRIBE" in my post. I disabled the firewall rule - the same rule that I've been telling you how I can't get to work - and clicked "Preview" again. This time, and many other times after that, the preview loaded instantly. Coincidence?
P.P.S. I almost left out the most crucial bit of information. After setting all this up, the following message started to appear in messages log, several times a minute:
ipfw-classifyd: unable to write to divert socket: Invalid argument
When I modified to firewall rule and set the dst port to 5060 instead of any, the message no longer appeared, but as I said, blocking still didn't work.
I upgraded to pfSense 2.0.2. Before upgrade I removed /usr/local/share/protocols/sip-subscribe.pat that I had created and also removed the related traffic shaper config and firewall rule. After upgrade, I uploaded the .pat file again, re-created the L7 container and firewall rule. Now I no longer get the "Invalid argument" message or any other error message, but end result is the same - SIP SUBSCRIBE requests are still not blocked.
I vaguely remember reading somewhere that the L7 filter blocks traffic by checking only some packets in the beginning of the session and once state has been established it is beyond the reach of L7 filter. If that's the case then maybe the reason why blocking these SUBSCRIBE messages doesn't work is that they are considered as being "in the middle" of existing session and aren't seen by ipfw-classifyd. I sure can't see what else could be wrong in my setup…