[Shorewall-devel] ipp2p problems

Tom Eastep teastep at shorewall.net
Mon May 30 08:01:12 PDT 2005


Jaime Nebrera wrote:

> 
>   What my teammate is doing is applying this rule before any shorewall
> rules. That way he detects those P2P orders and drops the packet.
> 
>>  I want to improve this part of shorewall but I don't know where to
>>locate the ipp2p rule or what kind of strategy to follow.
> 
>   The problem is, it might be hard to place p2p rule before conntrack
> rule in a flexible manner as the admin states it wants to filter P2P as
> a rule, not as a zone property. The possibility we are studying is
> placing it before every conntrack rule on each zone chain (applies to
> all chains), make it more flexible (define P2P filtering as a zone
> property) or make it full system (place the rule just after invalid
> verification right at the beginning).
> 
>   The easier the implementation, the harder it would be on CPU resources
> as you will need to look at more traffic.
> 

There are a number of issues here.

a) Dropping/rejecting packets once a connection is established is open
to DoS attack. We have discussed this before on the lists and it has
been widely discussed on the Netfilter list. There is a reason why ipp2p
and layer7 will never find their way into the code base at kernel.org.

b) Shorewall is designed to be a stateful firewall. What you are
proposing is stateless filtering. Hence, what you want to do will not
fit into the overall Shorewall architecture (translation: it will be a
hack).

c) I have been aware of this problem for some time. Had I stayed on, I
planned to *remove* ipp2p support from the rules and action.template
files and only support it for traffic shaping and accounting.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
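To make the ordering question in this thread concrete, here is an added example that is not part of the original message or of Shorewall itself. It renders two iptables-restore rulesets as text so they can be compared offline: the first places the ipp2p match ahead of the conntrack rule (the stateless arrangement Tom objects to, where every packet of every established flow is payload-inspected and a mid-stream match tears the connection down), the second keeps the filter table stateful and uses ipp2p only in the mangle table for marking and accounting, which is the use Tom says he planned to keep. The interface names, the mark value and the `p2p_acct` chain are placeholders, and the example assumes the ipp2p module's generic `-m ipp2p --ipp2p` option; the two helper functions at the end only inspect the rendered text and do not load anything into the kernel.

```shell
#!/bin/sh
# Added example, not from the Shorewall thread. Renders two rulesets in
# iptables-restore syntax so their ordering can be compared without root.
# Assumptions: "-m ipp2p --ipp2p" is the module's generic match; eth0/eth1
# and the 0x10 mark are placeholder values.

# Ordering the thread warns against: the ipp2p match sits before the
# ESTABLISHED,RELATED accept, so conntrack never short-circuits anything.
# Every packet pays the payload-match cost, and a false positive on packet
# N of a legitimate flow drops that flow mid-stream.
stateless_p2p_drop() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m ipp2p --ipp2p -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Stateful design: established traffic is accepted first and never
# re-inspected in the filter table. ipp2p appears only in mangle, where a
# match marks the packet (for a traffic-shaping class) and bumps the
# p2p_acct counters instead of dropping; a false match costs bandwidth
# priority, not the connection.
stateful_with_shaping() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:p2p_acct - [0:0]
-A PREROUTING -m ipp2p --ipp2p -j p2p_acct
-A p2p_acct -j MARK --set-mark 0x10
COMMIT
EOF
}

# Prints "yes" when, in the ruleset rendered by function $1, the first
# ipp2p rule precedes the first ESTABLISHED,RELATED accept (meaning
# established flows are still payload-inspected), otherwise "no".
ipp2p_before_conntrack() {
    "$1" | awk '/ipp2p/ && !p2p {p2p=NR}
                /ESTABLISHED,RELATED/ && !est {est=NR}
                END { r = (p2p && (!est || p2p < est)) ? "yes" : "no"; print r }'
}

# Prints how many ipp2p rules the table named $2 contains in the ruleset
# rendered by function $1 (0 when the table has none).
ipp2p_count_in_table() {
    "$1" | sed -n "/^\*$2\$/,/^COMMIT/p" | grep -c 'ipp2p' || true
}
```

To load the stateful variant on a test box, source the file and pipe `stateful_with_shaping` into `iptables-restore`; the checks `ipp2p_before_conntrack stateless_p2p_drop` (prints "yes") and `ipp2p_count_in_table stateful_with_shaping filter` (prints 0) are the two properties worth verifying in any ruleset that carries an ipp2p match.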

