List: l7-filter-developers
Subject: Re: [l7-filter-developers] Combining rules and searching for file
From: Matthew Strait <quadong () users ! sourceforge ! net>
Date: 2006-01-25 16:49:46
Message-ID: Pine.LNX.4.62.0601251010180.25276 () physlin13 ! spa ! umn ! edu
> I want to filter out P2P traffic based on the application name, file
> extension and content of file (ie. file name).
> I intend to use a 3 tier approach:
> 1. Match application name ----if true--->
> 2. Match file extension ---------if true------>
> 3. Match file name.
> Eg. Kazaa ---> mp3 ---> U2 --- DROP
>
> Firstly, is it possible to combine patterns (ie. one rule in iptables
> filters fasttrack and bittorrent and/or mp3 extension)? Second, can I
> use L7 to filter based on file name (ie. title of mp3)?

Each stream can only have one l7-filter classification. See the lower
half of http://l7-filter.sourceforge.net/layer7-protocols/file_types/README
for my comments on this.

Please note that l7-filter is not intended to be a method for instituting
highly complex and specific restrictions on users' abilities. The goal of
the project is to allow people to use Linux QoS to control the total
bandwidth usage of P2P (and other) applications.

Trying to use l7-filter to allow filesharing while forbidding copyrighted
files (which is what it appears you want, unless you just don't like
U2...) is doomed to fail. First, copyrighted files cannot be identified
with any degree of confidence by the file name alone. You're bound to
miss a lot of what you want while also catching things you don't.
Second, users will quickly learn to circumvent file name restrictions by
obfuscating the names. Third, if you try to do this, you're putting a
strong pressure on application writers to encrypt or further obfuscate the
protocols so that you can't see the file names at all.

See also http://l7-filter.sourceforge.net/HOWTO#blocking

Depending on the protocol, you may find that you can write a set of
regular expressions that appears to do what you want for some period of
time, but I will not support them, so I would prefer that they not be
discussed on the developers mailing list.

-Matthew