Shorewall & Layer7-Support

Pette · Posted: Sat Aug 12, 2006 11:40 am Post subject: Shorewall & Layer7-Support

Hey there.
Is there anyone who has shorewall running with layer7-support?
Is there a good howto on this somewhere? I found some howtos for layer7 and some for shorewall, but not one for both.

Any help appreciated.

Greetz, Pette.

Pette · Posted: Mon Aug 14, 2006 4:03 pm Post subject:

Has noone really ever made an attempt on this? I would be very interested!

thepustule · Posted: Mon Aug 14, 2006 8:27 pm Post subject:

A little more specific example of what you are trying to do would help.

-Craig- · Guru Joined: 03 Jun 2004 Posts: 333

I guess things like filtering a website that contains a certain word?
Or filtering outgoing HTTPS (HTTP CONNECT) to port 443 that contains something like "SSH-2.0-OpenSSH_4.3" ?
Well, iptables is capable of filtering strings since 2001: http://www.securityfocus.com/infocus/1531

Or check this out: http://l7-filter.sourceforge.net/

Pette · Posted: Mon Aug 14, 2006 9:53 pm Post subject:

thepustule · Posted: Mon Aug 14, 2006 10:58 pm Post subject:

I'd be worried about how much this might slow your network throughput or raise cpu during high traffic

-Craig- · Guru Joined: 03 Jun 2004 Posts: 333

I'd have a try at least...

assaf · Posted: Tue Aug 15, 2006 10:45 am Post subject:

I used the l7-filter package a while back to do some traffic shaping. It worked okay I guess, until a kernel upgrade broke it. Also in the meantime a newer shorewall version was released that has internal traffic shaping and allows you to write rules for user/group. So I started using that instead (I run file sharing progs under p2p user, so I use that for shaping).

Pette · Posted: Tue Aug 15, 2006 6:49 pm Post subject:

assaf · Posted: Tue Aug 15, 2006 8:05 pm Post subject:

Pette · Posted: Fri Aug 18, 2006 9:33 pm Post subject: