Layer 7 netfilter issue
November 6, 2013 at 12:35 pm #43774
ace (Member)

Hi all,
I have a ZS installed (release 2.0.RC3) and configured as a router/NAT box.
After setting up ip net, DHCP and NAT, hosts in the 'internal' network can connect outside using the single public IP address of the 'outside' interface.
I can surf the internet, make DNS queries, download files via FTP, etc. After this basic startup I then start configuring firewall rules on the FORWARD chain.
I start with the classic layer 3/4 rules to permit internal hosts to connect outside, and all works. Finally I try using layer 7 protocol identification. I put all the layer 7 rules at the top of the FORWARD chain, without other restricting rules (such as TCP/UDP protocol or ports), but no traffic was identified. I tried with well-known protocols like HTTP, DNS, IMAP, FTP, but 'l7proto' never matched.
Here is the iptables listing of the FORWARD chain:

    Chain FORWARD (policy DROP 9 packets, 468 bytes)
     pkts bytes target  prot opt in     out    source    destination
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto http
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto dns
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto flash
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto ftp
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto html
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto imap
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto ntp
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto ssh
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto whois
     4938 4006K ACCEPT  all  --  any    any    anywhere  anywhere     state RELATED,ESTABLISHED
      452 28974 ACCEPT  all  --  ETH02  ETH00  anywhere  anywhere     state NEW

As you can see, the pkts/bytes counts are 0 for all l7proto lines.
Any hint or ideas of what is wrong here?
Thanks
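A small diagnostic for listings like the one in the post above, added here as an example (it is not part of the thread and not Zeroshell code). It parses the text of `iptables -L FORWARD -v` and reports two things a practitioner checks first with l7-filter: which LAYER7 rules have counted zero packets, and whether any LAYER7 rule sits below an ACCEPT on RELATED,ESTABLISHED. The second check matters because the layer7 match classifies a connection from its first data packets, which are already ESTABLISHED, so an earlier state ACCEPT hides them from the rule. The listings embedded in the script are constructed samples modelled on the post, not live captures; the function names are the example's own.

```sh
#!/bin/sh
# Constructed sample modelled on the FORWARD listing in the post above
# (not a live capture). Column layout is that of `iptables -L FORWARD -v`.
SAMPLE='Chain FORWARD (policy DROP 9 packets, 468 bytes)
 pkts bytes target  prot opt in    out   source    destination
    0     0 layer7  all  --  any   any   anywhere  anywhere  LAYER7 l7proto http
    0     0 layer7  all  --  any   any   anywhere  anywhere  LAYER7 l7proto dns
 4938 4006K ACCEPT  all  --  any   any   anywhere  anywhere  state RELATED,ESTABLISHED
  452 28974 ACCEPT  all  --  ETH02 ETH00 anywhere  anywhere  state NEW'

# Constructed variant with the layer7 rule placed below the ESTABLISHED accept,
# the ordering that shadows the match.
SAMPLE_SHADOWED='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in    out   source    destination
 4938 4006K ACCEPT  all  --  any   any   anywhere  anywhere  state RELATED,ESTABLISHED
    0     0 layer7  all  --  any   any   anywhere  anywhere  LAYER7 l7proto http'

# Print the l7proto name of every LAYER7 rule whose packet counter is zero.
# The counter is column 1 of a rule line in `-v` output.
l7_zero_hit_rules() {
    printf '%s\n' "$1" | awk '
        /LAYER7 l7proto/ && $1 + 0 == 0 {
            for (i = 1; i <= NF; i++) if ($i == "l7proto") print $(i + 1)
        }'
}

# Count LAYER7 rules that appear after an ACCEPT on RELATED,ESTABLISHED.
# Packets carrying the payload the l7 match needs are already ESTABLISHED,
# so a state ACCEPT above the rule means the rule never sees them.
l7_rules_shadowed() {
    printf '%s\n' "$1" | awk '
        $3 == "ACCEPT" && /state .*ESTABLISHED/ { seen = 1; next }
        seen && /LAYER7 l7proto/ { n++ }
        END { print n + 0 }'
}

# On a live box, pass the real listing instead of the sample:
#   l7_zero_hit_rules "$(iptables -L FORWARD -v)"
echo "zero-hit l7 rules: $(l7_zero_hit_rules "$SAMPLE" | tr '\n' ' ')"
echo "shadowed l7 rules: $(l7_rules_shadowed "$SAMPLE")"
echo "shadowed l7 rules (reordered sample): $(l7_rules_shadowed "$SAMPLE_SHADOWED")"
```

For the listing in the post the second check reports nothing shadowed, since the layer7 rules are already at the top of the chain; that narrows the problem to the match itself (whether the layer7 kernel module is loaded and the pattern files it was compiled against are present) rather than rule order.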
February 17, 2014 at 12:45 pm #52996
maccowley (Member)

I have the same problem for QoS in bridge and router mode. The level 7 filters seem not to work. I think this is a bug which has existed since version 2.0.