From: Patrick Tracanelli (FreeBSD Brasil LTDA)
Date: Thu, 31 Jul 2008 11:32:51 -0300
To: Mike Makonnen
Cc: freebsd-net@freebsd.org
Subject: Re: Application layer classifier for ipfw
Message-ID: <4891CD13.20600@freebsdbrasil.com.br>
In-Reply-To: <48918DB5.7020201@wubethiopia.com>
List-Id: Networking and TCP/IP with FreeBSD

Mike Makonnen wrote:
> Hi,
>
> An Internet Cafe I do some work for was recently having problems with
> very slow internet access. It turns out customers were running P2P file
> sharing applications which were hogging all the bandwidth. I looked for
> programs that would allow me to shape traffic according to the
> application layer protocol, but couldn't find any for FreeBSD. I found a
> couple: l7-filter and ipp2p, but these are Linux specific. So, I decided
> to write one. The result is ipfw-classifyd:
> http://people.freebsd.org/~mtm/ipfw-classifyd.tar.bz2
>
> As the name implies it uses ipfw(4) to implement a userland daemon that
> classifies TCP and UDP packets according to regular expression patterns
> for various protocols. It's intended to be used with divert(4) sockets
> and dummynet(4) so you can do traffic shaping depending on the
> application level protocol. The protocol patterns are from the l7-filter
> project.
>
> Basically, you use ipfw(8) to divert tcp/udp packets to the daemon. It
> reads its configuration file for a list of protocols and ipfw(8) rules.
> Then, when it detects a matching session it re-injects the packet back
> at the specified rule number. The tarball has a sample configuration
> file and firewall script to get you started.
>
> While I have not done extensive testing, preliminary tests are
> encouraging and it seems to work, so I thought I'd announce it to the
> rest of the world in case anyone else is interested in this kind of
> application.
>
> Comments and suggestions highly appreciated.
>
> Cheers.

Won't compile on RELENG_6 but is working perfectly on REL_7. I am trying hard with ssh, soulseek and msn. It's working like a charm with the suggested rc.firewall.

I have configured ipfw-classifyd.conf changing the rules, for a number of L7 patterns, and now I try to understand why the "diverted" rules only match if the rule number is 1 after the configured, i.e., I put soulseek to 65530 and a rule won't match there, but the very same rule matches 65531. I will read the code, but it seems that reinjection of the packet is made +1, correct?

-- 
Patrick Tracanelli
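As an added illustration (not code from ipfw-classifyd or from either poster), here is a Python model of the two mechanisms this thread discusses: per-session classification of the first bytes of a TCP/UDP flow against l7-filter-style regular expressions mapped to ipfw rule numbers from the daemon's configuration, and a rule lookup that models Patrick's observation that a packet re-injected at rule N is matched by the rule after N. The pattern set (only the ssh pattern is l7-filter's verbatim; bittorrent and http are reduced), the MAX_BYTES limit and the rule numbers are assumptions.

```python
import re

# Constructed, simplified l7-filter-style patterns, matched case-insensitively
# against the start of each flow's accumulated payload (assumption).
L7_PATTERNS = {
    "ssh": re.compile(rb"^ssh-[12]\.[0-9]", re.I),
    "bittorrent": re.compile(rb"^\x13bittorrent protocol", re.I),
    "http": re.compile(rb"^(get|post|head) [ -~]* http/[01]\.[019]", re.I),
}
MAX_BYTES = 2048  # assumed: stop inspecting a flow after this much payload


class Classifier:
    """Per-flow classifier modelled on the daemon described in the thread."""

    def __init__(self, proto_rules, default_rule):
        self.proto_rules = proto_rules    # protocol name -> ipfw rule number (from the .conf)
        self.default_rule = default_rule  # where unclassified traffic re-enters ipfw
        self.flows = {}                   # flow key -> {"buf": bytes, "proto": name or None}

    @staticmethod
    def key(proto, src, sport, dst, dport):
        # Same key for both directions of a session, so the reply side
        # inherits the classification made on the request side.
        a, b = (src, sport), (dst, dport)
        return (proto,) + (a + b if a <= b else b + a)

    def classify(self, proto, src, sport, dst, dport, payload):
        """Return the ipfw rule number this packet should be re-injected at."""
        k = self.key(proto, src, sport, dst, dport)
        st = self.flows.setdefault(k, {"buf": b"", "proto": None})
        if st["proto"] is None and len(st["buf"]) < MAX_BYTES:
            st["buf"] += payload
            for name, pat in L7_PATTERNS.items():
                if name in self.proto_rules and pat.search(st["buf"]):
                    st["proto"] = name  # session is classified once, then cached
                    break
        if st["proto"] is None:
            return self.default_rule
        return self.proto_rules[st["proto"]]


def resume_rule(ruleset, rulenum):
    """First rule strictly after `rulenum`: models Patrick's observation that a
    packet re-injected at rule N is matched by the rule following N (assumption)."""
    later = [r for r in sorted(ruleset) if r > rulenum]
    return later[0] if later else None
```

With `resume_rule`, a shaping rule meant to catch a protocol configured at 65530 must itself be numbered above 65530, which is the behaviour Patrick reports.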