On 01/11/2012 22:03, Andrew Beverley wrote:
On Sun, 2012-10-28 at 16:57 +0200, Eliezer Croitoru wrote:
I have to admit that I only had limited success with l7-filter, although
it no longer appears to be maintained anyway.
What would you want to achieve from a using l7 iptables?
filtering? scheduling?
At the time I was using it to do traffic shaping, to prevent p2p
applications overloading a network with low bandwidth internet
connection. The problem was that it only needed one p2p application to
not be identified for the network to be overloaded. So in the end I took
a rather rudimentary approach and just identified any client making lots
of connections to ports above 1024:
http://www.andybev.com/index.php/Fair_traffic_shaping_an_ADSL_line_for_a_local_network_using_Linux
I think it's safe to assume that at least a determined attacker can
avoid these filters. Ideally you want them reasonably accurate for the
normal situation...
I guess you just invented an "L7 Filter" yourself... It's just as good a
match for certain requirements...!
Let me know if you measure this thing against your problem?
Cheers
Ed W
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
