Layer 7 filtering

Good day,

I would like to ask if it is possible to block P2P bandwidth using NS (ipp2p or layer-7 filtering). I wanted to put a brake on downloading files via torrent and other P2Ps. It was in the roadmap 2 years ago as per http://dev.nethserver.org/issues/1770.

The documentation states that P2P traffic can be blocked via the IPS module’s Security settings, but I do not see any options to perform it. What I have found are the following:

  • Traffic Shaping
  • Firewall Objects and create a rule

However, since a lot of P2P applications are port hoppers, this will fail to serve its purpose.

If not, I would like to add this as a feature request for easy administration.

2 Likes

I did some tests in the past with ipp2p and it’s no longer effective.
I didn’t test l7-filter, is there anybody with experience?
Cisco OpenAppID seems promising, I have a working prototype for detection using Snort, but it’s not really effective in blocking.
Something like l7-filter or ndpi would have my preference, because we could write firewall rules using the protocol as a selector.

I will be happy to develop this feature if someone with experience helps me.

3 Likes

Unfortunately, I don’t have the experience in this domain…

Digging through the pfSense doc (https://doc.pfsense.org/index.php/Layer_7), there is a link forwarding to ClearOS (the protocol patterns are from the L7-filter project) :alien:

I have implemented L7 for iptables, but not for Shorewall

http://sourceforge.net/p/shorewall/mailman/message/16413273/

1 Like

I cannot help with coding, but perhaps one or two suggestions can shed some light.
Could the guys from the BackBox project (from Italy :smiley:) http://www.backbox.org/ help?

Is there any news about the layer 7 filtering?
We use NethServer on our university web radio in Cesena, and under our agreement with GARR (our internet provider) I need to prevent the use of torrents by everyone who uses our LAN and wireless network.
Thanks, Matteo

Hi Matteo,

I think you can prevent torrent access from Gateway → Web content filter → Blacklists: Shalla (free for non-commercial use).

Then, from Gateway → Web content filter → Filters → Default filter → Edit: select from Categories → Downloads.

http://www.shallalist.de/categories.html

I know it is not Layer 7, but it could help.

This blocks site navigation. Someone can have uTorrent or similar already open on his notebook, and when it connects to our WiFi, it starts to share. I need to prevent this, not the navigation :disappointed:

Another workaround for this could be to close all outgoing ports and open only HTTP, HTTPS, IMAP, POP3 and DNS for the BLUE zone (usually used for guest WiFi).

This could be a working solution. I’ll try next week. Thanks!

1 Like

You are welcome!
Also, you can combine the two solutions!
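A small model of the two approaches discussed so far, the port whitelist for the BLUE zone and a payload-based layer 7 match, written for this page as an added example; it is not code from NethServer, Shorewall or l7-filter. The BitTorrent regex is a hand-trimmed approximation of the l7-filter pattern (an assumption, not the project's file), the port list is the one proposed above, and every packet payload is constructed:

```python
"""Why port-based rules miss port-hopping P2P while a layer 7 match does not.

Added example for this thread, not NethServer, Shorewall or l7-filter code.
Assumptions: the regex is a trimmed, hand-written approximation of the
l7-filter 'bittorrent' pattern; the BLUE-zone port whitelist is the one
proposed in the thread; all packet payloads below are constructed by hand.
"""
import re
from typing import Dict, NamedTuple, Tuple

# Egress whitelist proposed for the BLUE (guest WiFi) zone: HTTP, HTTPS,
# IMAP, POP3 and DNS only (IANA default ports).
BLUE_ALLOWED = {"tcp": {80, 443, 143, 110, 53}, "udp": {53}}

# Simplified signature (assumption, trimmed from l7-filter's bittorrent pattern):
# peer-wire handshake, HTTP tracker request, bencoded DHT ping.
BITTORRENT_RE = re.compile(
    rb"^(\x13BitTorrent protocol"
    rb"|GET /(announce|scrape)\?info_hash="
    rb"|d1:ad2:id20:)",
    re.IGNORECASE,
)


class Flow(NamedTuple):
    proto: str      # "tcp" or "udp"
    dport: int      # destination port chosen by the client
    payload: bytes  # first bytes sent by the client


def port_filter(flow: Flow) -> str:
    """Layer 3/4 rule: decide on destination port only (what a Firewall Objects rule does)."""
    return "ACCEPT" if flow.dport in BLUE_ALLOWED.get(flow.proto, set()) else "DROP"


def l7_filter(flow: Flow) -> str:
    """Layer 7 rule: decide on payload, whatever port the client hopped to."""
    return "DROP" if BITTORRENT_RE.match(flow.payload) else "ACCEPT"


def combined(flow: Flow) -> str:
    """Both together, as suggested in the thread: port whitelist first, then protocol match."""
    return "DROP" if port_filter(flow) == "DROP" else l7_filter(flow)


# Constructed sample traffic from a guest notebook (not captured data).
HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"-UT3500-" + b"\x00" * 12
TLS_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"  # start of a TLS ClientHello
DHT_PING = b"d1:ad2:id20:" + b"\xbb" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"

SAMPLE_FLOWS = {
    "torrent_default_port": Flow("tcp", 6881, HANDSHAKE),
    "torrent_hopped_to_443": Flow("tcp", 443, HANDSHAKE),
    "https_browsing": Flow("tcp", 443, TLS_HELLO),
    "dht_over_udp_53": Flow("udp", 53, DHT_PING),
    "tracker_http_on_80": Flow("tcp", 80, b"GET /announce?info_hash=%aa%bb HTTP/1.1\r\n"),
}


def evaluate(flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, Tuple[str, str, str]]:
    """Return (port_filter, l7_filter, combined) verdicts for each named flow."""
    return {name: (port_filter(f), l7_filter(f), combined(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:24s} port={verdicts[0]:6s} l7={verdicts[1]:6s} both={verdicts[2]}")
```

The `torrent_hopped_to_443` flow is the case the first post worries about: the port whitelist accepts it because it looks like HTTPS, and only the payload match drops it. The reverse caveat also holds: a client using BitTorrent's encrypted peer connections sends none of these strings, so a pattern-based match alone will not see it, which is why the whitelist and the layer 7 rule are worth combining rather than choosing between.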

We have a shiny new layer 7 filter ready for testing!

See the manual:

http://docs.nethserver.org/en/v7b/firewall.html#deep-packet-inspection-dpi

8 Likes

WOW!
Continuing in this way, in a short time, I could replace my Endian UTM with NS7 UTM!
:clap::clap::clap:

1 Like

Yay! L7-filter is the answer we have been looking for! Now a complete gateway appliance! Can’t wait to test it next week

Let me know if you need some people for the Layer 7 testing

1 Like

Yes, of course… see the issue and instructions on GitHub

1 Like

Hi guys,

I read here:

http://docs.nethserver.org/en/v7rc/firewall.html#deep-packet-inspection-dpi

that there must be something regarding “a customised Linux kernel with the additional xt_ndpi module” in the Software center (NS 7RC1) but I don’t find anything there.

Maybe it is “hidden” in another package? Which package?

TIA,
Gabriel

EDIT:

Why is the DPI package in the Everything section of the Software center and not in the Firewall section?

OK!
I got it!
When you select and install the DPI module, the new kernel is added as a dependency!

This remains: why is the DPI package in the Everything section of the Software center and not also in the Firewall section?

2 Likes