[Shorewall-devel] ipp2p problems
teastep at shorewall.net
Mon May 30 08:01:12 PDT 2005
Jaime Nebrera wrote:
> What my teammate is doing is applying this rule before any shorewall
> rules. That way he detects those P2P orders and drops the package.
>> I want to improve this part of shorewall but I don't know where to
>> locate the ipp2p rule or what kind of strategy to follow.
> The problem is, it might be hard to place p2p rule before conntrack
> rule in a flexible manner as the admin states it wants to filter P2P as
> a rule, not as a zone property. The possibility we are studying is
> placing it before every conntrack rule on each zone chain (applies to
> all chains), make it more flexible (define P2P filtering as a zone
> property) or make it full system (place the rule just after invalid
> verification right at the beginning).
> The easier the implementation, the harder it would be on CPU resources
> as you will need to look at more traffic.
There are a number of issues here.
a) Dropping/rejecting packets once a connection is established is open
to DoS attack. We have discussed this before on the lists and it has
been widely discussed on the Netfilter list. There is a reason why ipp2p
and layer7 will never find their way into the code base at kernel.org.
b) Shorewall is designed to be a stateful firewall. What you are
proposing is stateless filtering. Hence, what you want to do will not
fit into the overall Shorewall architecture (translation: it will be a
c) I have been aware of this problem for some time. Had I stayed on, I
planned to *remove* ipp2p support from the rules and action.template
files and only support it for traffic shaping and accounting.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key