Adding the deep packet inspection to the firewall using nDPI

Continuing the discussion from Road to NS 7 RC:

Wow I love this feature :slight_smile: hope we can get it to work

1 Like

The nDPI feature is ready for testing!

1 Like

It might be a real killer feature, we need to deeply test it! @vhinzsanchez @Nas @matteoarlotti and @quality_team
Please help us to collect every scenario!

No experience with DPI yet… I’ll try maybe next week. I’ll have to reformat my test server.

A good scenario would be a school or non-profit organisation wanting to block certain content for moral or legal reasons.

Test case 1:

installation done without issue
Machine: NS7 beta 2 virtualbox, 2 nics (1x green, 1x red)
installed packages: nsdc, proxy, fileserver, basicfirewall

reboot machine o.k. (a little slower than before, but that doesn’t matter)

[root@ns7test ~]# uname -r
4.4.19-1.el7.elrepo.x86_64

[root@ns7test ~]# lsmod | grep xt_ndpi | head -n1
xt_ndpi 491520 0

[root@ns7test /]# grep ndpi /etc/shorewall/modules
loadmodule xt_ndpi

[root@ns7test /]# grep ndpi /etc/shorewall/shorewall.conf
MODULESDIR=+extra/xt_ndpi

Test case will follow…

4 Likes
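
The three manual checks from the test report above (module loaded, `loadmodule` entry, `MODULESDIR` entry), repeated in one script. This is an added example, not part of the thread or of NethServer's own code; the function names and the `--live` switch are made up here, and the file paths are the ones shown in the post.

```shell
#!/bin/sh
# Added example: the three manual xt_ndpi checks from the test report, in one pass.

# Succeeds if lsmod-style text on stdin lists xt_ndpi in the module-name column.
# A module that merely names xt_ndpi in its "Used by" column does not count.
ndpi_module_loaded() {
    awk '$1 == "xt_ndpi" { found = 1 } END { exit !found }'
}

# Succeeds if the Shorewall modules file has an uncommented "loadmodule xt_ndpi".
shorewall_loads_ndpi() {
    grep -Eq '^[[:space:]]*loadmodule[[:space:]]+xt_ndpi([[:space:]]|$)' "$1"
}

# Succeeds if MODULESDIR in shorewall.conf includes the extra/xt_ndpi directory.
shorewall_modulesdir_has_ndpi() {
    grep -Eq '^[[:space:]]*MODULESDIR=.*extra/xt_ndpi' "$1"
}

# check_ndpi LSMOD_TEXT MODULES_FILE CONF_FILE
# Prints one line per check and returns the number of failed checks (0-3).
check_ndpi() {
    ndpi_failures=0
    if printf '%s\n' "$1" | ndpi_module_loaded; then
        echo "ok: xt_ndpi kernel module is loaded"
    else
        echo "FAIL: xt_ndpi is not loaded"; ndpi_failures=$((ndpi_failures + 1))
    fi
    if shorewall_loads_ndpi "$2"; then
        echo "ok: $2 loads xt_ndpi"
    else
        echo "FAIL: no active 'loadmodule xt_ndpi' in $2"; ndpi_failures=$((ndpi_failures + 1))
    fi
    if shorewall_modulesdir_has_ndpi "$3"; then
        echo "ok: MODULESDIR in $3 includes extra/xt_ndpi"
    else
        echo "FAIL: MODULESDIR in $3 lacks extra/xt_ndpi"; ndpi_failures=$((ndpi_failures + 1))
    fi
    return "$ndpi_failures"
}

# Live use on the firewall: sh check_ndpi.sh --live
if [ "${1:-}" = "--live" ]; then
    check_ndpi "$(lsmod)" /etc/shorewall/modules /etc/shorewall/shorewall.conf
fi
```

A non-zero exit status is the number of checks that failed, so the script can gate a later step such as a firewall restart.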

Created firewall rules any/any/facebook and any/any/youtube. Both worked.
Facebook and YouTube were blocked. :smiling_imp:

2 Questions:
Is there a list of possible dpi protocols?
How to block a simple url with dpi? Possible?

Test 3: I can’t do. Sorry, no 2nd provider. :blush:

2 Likes

Yes:
http://docs.nethserver.org/en/v7b/firewall.html#deep-packet-inspection-dpi

No, it’s not; the DPI module works at the TCP/UDP connection level.

5 Likes

Done! Thanks to all for the testing job! :clap:

3 Likes