Comments (10)
I think the problem is when we drop all the packets by default and then try to accept some specific protocols, literally, iptables drops all SYN packets. What I mean is this iptables does not allow any connection to be established. Therefore, it drops those specific protocols as well.
Am I right? Is there any solution to solve this problem?
from ndpi-netfilter.
It seems someone has reported this before: #22
But I don't wanna use TrafficController or something else like that. How can I solve this problem? Any idea?
@rightkick
Actually in this scenario the order does not matter; I've tested it, and the guy in issue #22 had tested that too.
@GreatBahram if you want Skype to be allowed and all others to be disallowed you should start by making sure that you distinguish between TCP and UDP connections and streams.
On a TCP connection it would not do any harm to allow the first 3-way handshake.
Once you get the rules to let this work then you would be able to try and maybe make some list of conditional rules that will eventually allow Skype and a couple of other necessary services like Microsoft.
The order of the rules is crucial and also the direction of it...
A DROP policy at #22 is not smart in any way possible and I believe you should not take an example from it.
There are specific very basic services that you must allow for the setup to work....
Drop here a snapshot of iptables-save and we might be able to try and help you to move one step forward towards a basic solution.
Also notice that allowing all ESTABLISHED,RELATED connections is nice but doesn't fit all scenarios of nDPI.
I can point out that nDPI rules probably will apply on the first 16kB of the connection and later on its history, so this might be a shortcut when specific connections should not be inspected more than they need to be.
It's crucial that you try to see and understand what the Skype nDPI module inspects in a connection to identify it as a Skype one.
If you do not understand these basics you might waste lots of hours.
from ndpi-netfilter.
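The rule ordering elico describes (let the handshake start, classify before any blanket ESTABLISHED accept, drop last), written out as an added example that is not from this thread or from the ndpi-netfilter project. It assumes the ndpi-netfilter match accepts `-m ndpi --proto <name>` (check `iptables -m ndpi --help` on your build); using `connbytes` to let the first few packets of each flow through before a verdict is required, the threshold of 10 packets, and the names `run`, `build_rules` and `check_order` are my own choices.

```shell
#!/bin/sh
# Added example: a FORWARD chain ordered so nDPI can classify a flow before the
# default DROP policy cuts it off. Not from the thread or the ndpi-netfilter project.
# Assumed: "-m ndpi --proto <name>" is the match syntax of the loaded ndpi module;
# EARLY_PKTS is a guessed threshold, tune it per deployment.

IPT="${IPT:-iptables}"
ALLOWED_PROTO="${ALLOWED_PROTO:-skype}"
EARLY_PKTS="${EARLY_PKTS:-10}"   # assumed: packets let through before a verdict is required

# With DRY_RUN=1 the rules are printed instead of applied, so the order can be
# reviewed (or tested) without root and without the kernel module.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

build_rules() {
    # 1. Default policy: anything not explicitly accepted below is dropped.
    run -P FORWARD DROP
    run -F FORWARD

    # 2. Packets conntrack cannot place in any flow are useless to nDPI too.
    run -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # 3. Let the TCP 3-way handshake start. A lone SYN carries nothing nDPI can
    #    classify, so dropping it here is what blocks every protocol, allowed or not.
    run -A FORWARD -p tcp --syn -m conntrack --ctstate NEW -j ACCEPT

    # 4. Let the first few packets of every flow (both directions, TCP and UDP)
    #    through so nDPI sees enough payload to reach a verdict.
    run -A FORWARD -m connbytes --connbytes "1:$EARLY_PKTS" \
        --connbytes-dir both --connbytes-mode packets -j ACCEPT

    # 5. Only now classify. This must come BEFORE any blanket ESTABLISHED,RELATED
    #    accept; placed after one, the ndpi match would never see the packets.
    run -A FORWARD -m ndpi --proto "$ALLOWED_PROTO" -j ACCEPT

    # 6. Everything else (unknown or any other protocol): log a sample, then drop.
    run -A FORWARD -m limit --limit 6/min -j LOG --log-prefix "ndpi-deny: "
    run -A FORWARD -j DROP
}

# Sanity check on the generated order: the ndpi rule must precede the final DROP,
# and no ESTABLISHED accept may appear before it.
check_order() {
    rules=$(DRY_RUN=1 build_rules)
    ndpi_line=$(printf '%s\n' "$rules" | grep -n -- '-m ndpi' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-A FORWARD -j DROP' | cut -d: -f1)
    est_count=$(printf '%s\n' "$rules" | grep -c -- 'ESTABLISHED' || true)
    [ -n "$ndpi_line" ] && [ -n "$drop_line" ] \
        && [ "$ndpi_line" -lt "$drop_line" ] && [ "$est_count" -eq 0 ]
}

# Usage: "sh rules.sh show" prints the rules, "sh rules.sh apply" installs them (root).
case "${1:-}" in
    show)  DRY_RUN=1 build_rules ;;
    apply) check_order && build_rules ;;
esac
```

Two caveats follow from the thread itself: the early-packet window means a few packets of a disallowed protocol pass before nDPI can say what it is, which is inherent to any DPI verdict; and since elico notes nDPI works on roughly the first 16kB of a connection, the same rule with `--connbytes-mode bytes` and an upper bound of 16384 is the byte-based variant of that window.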
@elico
Thanks for your explanation. I understand what you're saying. But the problem is Skype is just an example; I don't wanna do a lot of this work by creating a bunch of iptables rules. About #22, I agree with you, it can't be useful.
I'm searching for something to negate ndpi-netfilter rules with the lowest legwork. I want to specify some protocols and applications; they can't be different protocols and applications. Then ndpi-netfilter allows these items and about the unknown ones just DROPs them.
@GreatBahram a resolution or a solution to your need\desire will depend on the resources and the purpose.
ndpi-netfilter is a very "generic" solution which is an add-on to a very targeted solution.
iptables is a firewall and the kernel is giving developers the access to resources which they normally need such as enhanced stdin/out/err and/or running and creating tools.
There are solutions out there in the market for your requirement but these are all either a full-fledged proxy solution that runs mainly on CPU or a specially crafted kernel which also... uses mainly CPU.
Indeed ndpi-netfilter provides some of the features of a full proxy, which for some deployments is enough.
From what I have seen there are a couple of very good products in the market which provide better ACL logic than what raw iptables offers.
Any busy IT business that I know uses products from:
- Forti(Net\Gate)
- Palo Alto
- Huawei
and a couple of other vendors, some of which are local and some global.
The main issue with netfilter/iptables/ipchains logic is that the ACL is "first HIT" while in real applications the connection/stream is dynamic and a generic solution can never replace that.
This is one of the reasons many security product vendors require the client to acquire "extra support" or whatever name they give a subscription.
Any dynamic product requires updates and development since the world is moving forward.
A couple of years ago HTTP/1.1 was the cutting edge of web development, while even at the time you could have seen a connection that looks like HTTP/1.X work like HTTP/X, but once you pushed the connection into a device that is only able to handle HTTP/X the connection was categorized as "UNKNOWN".
The basic rule of thumb is that "a proxy should be able to absorb enough details for a verdict".
I have tried in the past to configure Suricata but I have better things to do with my free time than trying to understand some twisted minds.
@elico
Thank you dude a lot. You have clarified my doubts. The last thing I want to know is: have you ever worked with OpenAppID? I think in this case, maybe it's a better choice, isn't it? I have also noticed pfSense uses that with their firewall. I think maybe that's a better choice.
@GreatBahram Depends on the system.
To some OpenAppID is good and to others it isn't, due to licensing and other things.
If you are managing to use Snort with OpenAppID I think it is good for a 1Gbit network and below, while above that it needs testing.