[Shorewall-devel] ipp2p problems

Paul Gear paul at gear.dyndns.org
Tue May 31 03:53:11 PDT 2005

Jaime Nebrera wrote:
> ...
>>a) Dropping/rejecting packets once a connection is established is open
>>to DOS attack. We have discussed this before on the lists and it has
>>been widely discussed on the Netfilter list. There is a reason why ipp2p
>>and layer7 will never find their way into the code base at kernel.org.
>   Ok, but then how do we plan on filtering those apps? This is a demand
> users have. I understand it won't go into the kernel, but at the same
> time, P2P can be considered a DOS attack by itself :)

When you're talking about something as complex as P2P traffic, it seems
to me that this is best handled by an application layer transparent
proxy, similar to the way squid transparent proxying is handled currently.

>>b) Shorewall is designed to be a stateful firewall. What you are
>>proposing is stateless filtering. Hence, what you want to do will not
>>fit into the overall Shorewall architecture (translation: it will be a
>   IMHO, I don't agree here. Most people will filter detected P2P apps to
> a DROP, so no problems with state. You can consider it is not state but
> still is secure. The problem might arise if it was an ACCEPT, then you
> could see malformed packages trying to exploit this. The solution of
> marking the packages (connections) is also valid, but as you say only
> for QoS and such. Most people will just want to get rid of them.

(I plead complete ignorance when it comes to file sharing applications.)
Fill me in here: do these P2P apps do something tricky like changing
server ports in order to avoid detection?  Surely they have to start
somewhere and you can just block them there and forget about them...
Anything trickier than blocking should be handled in a proxy or traffic
shaper, and just blocking we should be able to handle without special
modules, right?

> ...
> So to other guys, how do we plan on l7 capabilities for linux
> firewalls with shorewall?

I've just read the web pages of both ipp2p and layer7, and although they
don't sound terribly interesting to me, I must admit they would likely
be useful to places like universities.

Is it possible to provide generic support for netfilter extension
modules through some standardised syntax, or perhaps a "shorewall
plugin" mechanism which would call appropriate functions at given points?

