Layer 7 filtering

Ovidiu Lixandru ovidiu at linux360.ro
Wed Jun 29 18:09:28 UTC 2005


Hello.
I've got a RedHat Linux 9 router which provides net for a LAN via DNAT. On this machine I plan to use layer 7 filtering in order to get rid of some unwanted instant messaging and p2p protocols for some of the internal IPs. So far, I've found l7-filter which seems to provide what I need.
I've rebuilt the iptables-1.2.9-2.3.1 srpm including the l7-filter patch 
and it worked nicely.
The ugly part comes with the kernel (2.4.20-8). I've deployed the srpm 
and modified the spec to include the l7-filter patch. However, when it 
comes to rebuilding the rpm (rpmbuild -bb --clean --target i686 
kernel-2.4.spec), I get:

   Connection state match support (CONFIG_IP_NF_MATCH_STATE) [M/n/?]
   Connection tracking match support (CONFIG_IP_NF_MATCH_CONNTRACK) [M/n/?]
   Unclean match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_UNCLEAN) [M/n/?]
   Owner match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_OWNER) [M/n/?]
   Layer 7 match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_LAYER7) [N/m/?] (NEW)   Buffer size for application layer data (256-65536) (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN) [2048] (NEW)
CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN:

    Size of the buffer that the application layer data is stored in.
    Unless you know what you're doing, leave it at the default of 2048
    Bytes.
   Buffer size for application layer data (256-65536) (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN) [2048] (NEW)
CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN:

...and the message keeps repeating.
At this point, I'm pondering whether to switch to a recent RHEL 2.6 
kernel and try patching that or get some other layer 7 filtering 
software which may work nicely with the RH 2.4.20 kernel (is there any 
other?).
Any ideas and suggestions are welcome.
Thanks.

-- 
Ovidiu Lixandru
linux360
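Added example, not part of the original post: a small POSIX shell helper that pre-seeds the kernel .config with the two l7-filter options before rpmbuild runs. It assumes the repeating prompt comes from the spec's non-interactive `make oldconfig` step meeting options that are absent from the bundled config file; the config file path and the answers (module, 2048-byte buffer as in the prompt's default) are assumptions to adjust for your srpm.

```sh
#!/bin/sh
# Added example (not from the original post). Pre-seed a 2.4 kernel .config
# with the l7-filter options so "make oldconfig" inside the spec already has
# answers and does not prompt. File paths below are assumptions.

# set_config FILE SYMBOL VALUE
# Replaces any existing "SYMBOL=..." or "# SYMBOL is not set" line in FILE
# with "SYMBOL=VALUE"; appends the line if the symbol was absent.
set_config() {
    file=$1 sym=$2 val=$3
    tmp="$file.tmp.$$"
    # drop every existing mention of the symbol (set or "is not set");
    # grep -v exits 1 when nothing is left, so tolerate that
    grep -v -e "^$sym=" -e "^# $sym is not set" "$file" > "$tmp" || :
    printf '%s=%s\n' "$sym" "$val" >> "$tmp"
    mv "$tmp" "$file"
}

# get_config FILE SYMBOL: prints the value currently set, or nothing
get_config() {
    sed -n "s/^$2=//p" "$1"
}

# seed_l7 FILE: answer the two new prompts shown in the post
# (build layer7 match as a module, keep the 2048-byte default buffer)
seed_l7() {
    set_config "$1" CONFIG_IP_NF_MATCH_LAYER7 m
    set_config "$1" CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN 2048
}

# demo: run on a constructed fragment of a 2.4 netfilter config (sample data)
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
# CONFIG_IP_NF_MATCH_LAYER7 is not set
CONFIG_IP_NF_MATCH_OWNER=m
EOF
    seed_l7 "$cfg"
    get_config "$cfg" CONFIG_IP_NF_MATCH_LAYER7            # m
    get_config "$cfg" CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN # 2048
    rm -f "$cfg"
}

# Real use (assumed path): seed_l7 configs/kernel-2.4.20-i686.config
demo
```

Run it against every per-arch config the spec copies into the build tree, then rebuild; if the prompt still repeats, the spec is reading a different config file than the one seeded.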