Layer 7 filtering
Ovidiu Lixandru
ovidiu at linux360.ro
Wed Jun 29 18:09:28 UTC 2005
Hello.
I've got a RedHat Linux 9 router which provides net for a LAN via DNAT.
On this machine I plan to use layer 7 filtering in order to get rid of
some unwanted instant messaging and p2p protocols for some of the
internal IPs. So far, I've found l7-filter, which seems to provide what
I need.
I've rebuilt the iptables-1.2.9-2.3.1 srpm including the l7-filter patch
and it worked nicely.
The ugly part comes with the kernel (2.4.20-8). I've deployed the srpm
and modified the spec to include the l7-filter patch. However, when it
comes to rebuilding the rpm (rpmbuild -bb --clean --target i686
kernel-2.4.spec), I get:
Connection state match support (CONFIG_IP_NF_MATCH_STATE) [M/n/?]
Connection tracking match support (CONFIG_IP_NF_MATCH_CONNTRACK) [M/n/?]
Unclean match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_UNCLEAN) [M/n/?]
Owner match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_OWNER) [M/n/?]
Layer 7 match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_LAYER7) [N/m/?] (NEW)
Buffer size for application layer data (256-65536) (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN) [2048] (NEW)
CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN:
Size of the buffer that the application layer data is stored in.
Unless you know what you're doing, leave it at the default of 2048
Bytes.
Buffer size for application layer data (256-65536) (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN) [2048] (NEW)
CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN:
...and the message keeps repeating.
At this point, I'm pondering whether to switch to a recent RHEL 2.6
kernel and try patching that or get some other layer 7 filtering
software which may work nicely with the RH 2.4.20 kernel (is there any
other?).
Any ideas and suggestions are welcome.
Thanks.
--
Ovidiu Lixandru
linux360
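The rule set the post is working toward, once the layer7 match is available in both iptables and the kernel, looks like the following. This is an added example, not code from the original message or from the l7-filter project. It assumes a LAN-side interface name (eth1), two constructed internal addresses, and that the named patterns (msnmessenger, yahoo, aim, bittorrent, edonkey, gnutella) are installed from the l7-protocols package; adjust all three for the real router. IPTABLES defaults to `echo iptables`, so running the script as-is only prints the commands it would issue; set IPTABLES=iptables on the router (as root, with the patched kernel booted) to apply them.

```shell
#!/bin/sh
# Block selected IM/p2p protocols for selected LAN hosts with the
# l7-filter "layer7" match. Dry run by default: IPTABLES=iptables applies.
IPTABLES="${IPTABLES:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"                       # assumed LAN-side interface

# Constructed example addresses of the hosts to restrict.
BLOCKED_HOSTS="${BLOCKED_HOSTS:-192.168.1.10 192.168.1.11}"
# Pattern names as shipped in l7-protocols (assumed to be installed in
# /etc/l7-protocols on the router).
BLOCKED_PROTOS="${BLOCKED_PROTOS:-msnmessenger yahoo aim bittorrent edonkey gnutella}"

# Returns 0 when the running iptables binary understands "-m layer7".
# Under the dry-run default this only echoes and succeeds.
l7_available() {
    $IPTABLES -m layer7 --help >/dev/null 2>&1
}

# Emit the rules. A dedicated chain keeps the policy separate from the
# rest of FORWARD. Both directions of a flow are sent through the chain:
# l7-filter classifies a connection from its first packets (bounded by
# the MAXDATALEN buffer shown in the kernel config prompt) and records
# the result in conntrack, so the rule must see traffic from the start
# of the connection, whichever side sends the identifying bytes.
l7_block_rules() {
    $IPTABLES -N L7BLOCK
    for host in $BLOCKED_HOSTS; do
        $IPTABLES -A FORWARD -i "$LAN_IF" -s "$host" -j L7BLOCK
        $IPTABLES -A FORWARD -o "$LAN_IF" -d "$host" -j L7BLOCK
    done
    for proto in $BLOCKED_PROTOS; do
        $IPTABLES -A L7BLOCK -m layer7 --l7proto "$proto" -j DROP
    done
    # Anything not matched goes back to the rest of FORWARD.
    $IPTABLES -A L7BLOCK -j RETURN
}

# Number of iptables invocations the rule set consists of.
rule_count() {
    l7_block_rules | grep -c 'iptables'
}

# Stand-alone run: print (or apply) the rules.
if [ "${0##*/}" = "l7block.sh" ]; then
    l7_available || { echo "layer7 match not available" >&2; exit 1; }
    l7_block_rules
fi
```

Note that a connection already in progress when the rules are loaded (or one whose first packets were not routed through FORWARD) will never be classified, so existing IM sessions keep working until they reconnect; flushing conntrack or restarting the clients makes the policy take effect immediately.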