Is there a way to do layer 7 filtering in Linux?
The L7-filter project appears to be 15 years old, requires kernel patches with no support for kernels past version 2.6, and most of the pattern files it has appear to have been written in 2003.
Usually when there's a project that is that old, and that popular, there are new projects to replace it, but I can't find anything more recent for Linux that does layer 7 filtering.
Am I not looking in the right places? Was the idea of layer 7 filtering abandoned entirely for some reason? I would think that these days, with more powerful hardware, this would be even more practical than it used to be.
networking firewall netfilter
asked Aug 30 '18 at 20:07 by Tal, edited Sep 4 '18 at 17:14
They are sometimes referred to as Application Firewalls; also see Application firewall. I think you just get an all-in-one nowadays.
– jww, Aug 30 '18 at 21:39
@jww The fact that vendors nowadays are mixing a cooking pot of different solutions in their products does lend to confusion. An example of a WAF is modsecurity. It would be overkill to use L7 traffic shaping to protect an Apache server against application attacks. It would not be so effective, either.
– Rui F Ribeiro, Aug 31 '18 at 6:20
1 Answer
You must be talking of the (former) project Application Layer Packet Classifier for Linux, which was implemented as patches for the 2.4 and 2.6 kernels.
The major problem with this project is that the technology it proposed to control quickly outpaced the usefulness and efficacy of the implementation.
The members of the project also had no time (and money) to further invest in outpacing some advancements of the technology, as far as I remember, and then sold the rights to the implementation, which killed for good an already problematic project.
The challenges this project/technology has faced over the years are, in no particular order:
- adapting the patches to the 3.x/4.x kernel versions;
- scarcity of processing power - in several countries, nowadays the speed of even domestic gigabit broadband will demand ASICs to do efficient layer 7 traffic shaping;
- BitTorrent started using heavy obfuscation;
- HTTPS started being used heavily to encapsulate several protocols and/or to avoid detection;
- peer-to-peer protocols stopped using fixed ports, and started trying to get their way through any open/allowed port;
- the rise of ubiquitous VoIP and real-time video, which makes traffic very sensitive to even small time delays;
- the widespread use of VPN connections.
Heavy R&D was then invested into professional traffic shaping products.
The state of the art ten years ago already involved specific ASICs and (heavy use of) heuristics for detecting encrypted/obfuscated traffic.
At present, besides more than a decade of experience in advanced heuristics, with the advancement of global broadband, traffic shaping (and firewall) vendors are also using peer-to-peer sharing, in real time, of global data to enhance the efficacy of their solutions.
They are combining advanced heuristics with real-time profiling / sharing of data from thousands of locations in the world.
It would be very difficult to put together an open source product that will work as efficiently as an Allot NetEnforcer.
Using open source solutions for the purpose of infrastructure bandwidth health, it is not so usual anymore to try to traffic shape by the type/nature of traffic that an IP address is using at the network level.
Nowadays, for generic traffic control and protecting the bandwidth capacity of the infrastructure, the usual strategy (besides firewalling), without using advanced traffic shaping hardware, is allocating a small part of the bandwidth per IP address.
answered Aug 30 '18 at 20:33 by Rui F Ribeiro, edited 10 hours ago
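The per-IP bandwidth allocation the answer ends on, as an added example that is not part of the original answer: a POSIX shell script that generates (and with `--apply` installs) an HTB class tree with one guaranteed-rate class per host and a `u32` filter steering each host's traffic into its class. It assumes a LAN-facing interface (placeholder `eth1`), a /24 subnet (placeholder `192.168.1`) and placeholder rates; shaping the egress of the LAN-facing interface limits each host's downloads.

```shell
#!/bin/sh
# Added example (not the answer's own code): per-IP bandwidth allocation
# with HTB instead of layer-7 classification. Interface, subnet and rates
# below are constructed placeholders; adjust them for your network.
set -eu

# gen_tc_rules DEV TOTAL SUBNET FIRST LAST RATE CEIL
#   DEV     LAN-facing interface, e.g. eth1
#   TOTAL   total link capacity, e.g. 100mbit
#   SUBNET  first three octets of a /24, e.g. 192.168.1
#   FIRST   LAST  host range to provision, e.g. 10 20
#   RATE    guaranteed share per host; CEIL is the most a host may borrow up to
gen_tc_rules() {
    dev=$1 total=$2 subnet=$3 first=$4 last=$5 rate=$6 ceil=$7
    # Root HTB qdisc; traffic matching no filter lands in class 1:fff,
    # which gets only a small guarantee so unknown hosts cannot hog the link.
    echo "tc qdisc add dev $dev root handle 1: htb default fff"
    echo "tc class add dev $dev parent 1: classid 1:1 htb rate $total ceil $total"
    echo "tc class add dev $dev parent 1:1 classid 1:fff htb rate 1mbit ceil $ceil"
    i=$first
    while [ "$i" -le "$last" ]; do
        # Minor class id in hex, offset by 0x100 so it never collides with 1:1 or 1:fff.
        minor=$(printf '%x' $((0x100 + i)))
        echo "tc class add dev $dev parent 1:1 classid 1:$minor htb rate $rate ceil $ceil"
        # fq_codel as the leaf qdisc: one flow inside a host's class cannot starve the rest.
        echo "tc qdisc add dev $dev parent 1:$minor handle $minor: fq_codel"
        # u32 filter: packets destined to this host go to its class.
        echo "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip dst $subnet.$i/32 flowid 1:$minor"
        i=$((i + 1))
    done
}

# count_hosts: number of per-host filters a rule set would install (sanity check).
count_hosts() {
    gen_tc_rules "$@" | grep -c 'tc filter add'
}

# apply_tc_rules: run the generated commands as root, replacing any old root qdisc.
apply_tc_rules() {
    tc qdisc del dev "$1" root 2>/dev/null || true
    gen_tc_rules "$@" | while IFS= read -r cmd; do sh -c "$cmd"; done
}

# Dry run with the placeholder values; pass --apply to install them.
if [ "${1:-}" = "--apply" ]; then
    apply_tc_rules eth1 100mbit 192.168.1 10 20 2mbit 10mbit
else
    gen_tc_rules eth1 100mbit 192.168.1 10 20 2mbit 10mbit
fi
```

Without `--apply` the script only prints the `tc` commands, so the generated tree can be reviewed before it touches a live interface.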