
List:       l7-filter-developers
Subject:    Re: [l7-filter-developers] Combining rules and searching for file
From:       Matthew Strait <quadong () users ! sourceforge ! net>
Date:       2006-01-25 16:49:46
Message-ID: Pine.LNX.4.62.0601251010180.25276 () physlin13 ! spa ! umn ! edu

> I want to filter out P2P traffic based on the application name, file 
> extension and content of file (ie. file name).
> I intend to use a 3 tier approach:
> 1. Match application name  ----if true--->
>        2. Match file extension ---------if true------>
>              3. Match file name.
> Eg. Kazaa ---> mp3 ---> U2 --- DROP
>
> Firstly, is it possible to combine patterns (ie. one rule in iptables 
> filters fasttrack and bittorrent and/or mp3 extension)? Second, can I 
> use L7 to filter based on file name (ie. title of mp3)?

Each stream can only have one l7-filter classification.  See the lower 
half of http://l7-filter.sourceforge.net/layer7-protocols/file_types/README
for my comments on this.

Please note that l7-filter is not intended to be a method for instituting 
highly complex and specific restrictions on users' abilities.  The goal of 
the project is to allow people to use Linux QoS to control the total 
bandwidth usage of P2P (and other) applications.

Trying to use l7-filter to allow filesharing while forbidding copyrighted 
files (which is what it appears you want, unless you just don't like 
U2...) is doomed to fail.  First, copyrighted files cannot be identified 
with any degree of confidence by the file name alone.  You're bound to 
miss a lot of what you want while also catching things you don't. 
Second, users will quickly learn to circumvent file name restrictions by 
obfuscating the names.  Third, if you try to do this, you're putting a 
strong pressure on application writers to encrypt or further obfuscate the 
protocols so that you can't see the file names at all.

See also http://l7-filter.sourceforge.net/HOWTO#blocking

Depending on the protocol, you may find that you can write a set of 
regular expressions that appears to do what you want for some period of 
time, but I will not support them, so I would prefer that they not be 
discussed on the developers mailing list.

-Matthew

