Re: Snort p2p.rules / pf TAG
- To: misc@openbsd.org
- Subject: Re: Snort p2p.rules / pf TAG
- From: Sven Beukenex <debeuk@gmail.com>
- Date: Sat, 8 Jan 2005 21:30:50 +0100
- References: <20050101171529.GA18932@looz.mip.pl> <20050108182028.GA505@wooledge.org>
On Sat, 8 Jan 2005 13:20:28 -0500, Greg Wooledge <greg@wooledge.org> wrote:
> kobaz@looz.mip.pl (kobaz@looz.mip.pl) wrote:
>
> > It's possible to *sign* somehow p2p traffic by snort and then traffic shape
> > these *signed* packets by pf/altq ? I mean can snort put some tag and pf/altq
> > will understand this tag?
>
> Man, if someone figures out how to get this sort of thing working,
> *please* tell me.
>
> Right now, I'm trying to figure out how to get a Linux box running Freenet
> to route packets sent by the "freenet" user's UID out through a different
> gateway, with a different source address, so that PF on the OpenBSD box
> can classify them by virtue of their source address. So far, it's not
> working. But that's a Linux/iptables issue, off topic here.
>
> (Since Freenet's all encrypted, and outgoing connections use arbitrary
> ports, there's absolutely no way to classify it on the firewall by
> packet inspection.)
>
> I also thought about using the various TOS/DSCP bits in the packet header
> to mark them on the way out, but I couldn't see any references to DSCP in
> pf.conf(5), so that doesn't look promising either.
>
> --
> Greg Wooledge | "Truth belongs to everybody."
> greg@wooledge.org | - The Red Hot Chili Peppers
> http://wooledge.org/~greg/ |
>
You could create an alias with ifconfig and bind the p2p/freenet apps
to that ip, and then tag all packets coming from that ip on the
firewall. This only works of course if you can do this on all the hosts
behind the firewall.
I've had success in doing this with bittorrent apps, don't know about freenet
(but http://dodo.freenetproject.org/pipermail/support/2004-October/003483.html
tells me it has an ipAddress setting in the config file).
HTH
/Sven
--
Why are the pretty ones always insane?
-- J.G. Thirlwell
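The alias-plus-tag approach Sven describes, sketched as an added pf.conf fragment (not from the thread or from any of its posters): the p2p client is bound to a dedicated alias address, pf tags its packets on the LAN interface and puts tagged packets into a low-priority ALTQ queue on the uplink. The interface names, the 192.168.1.250 alias, the 1Mb link and the queue shares are assumptions.

```conf
# Added example, not from the thread: pf.conf fragment for the
# "bind the app to an alias, tag by source address" approach.
# Assumptions: fxp0 faces the Internet, fxp1 faces the LAN, the p2p
# client is bound to the alias 192.168.1.250 and the uplink is 1Mb.
ext_if  = "fxp0"
int_if  = "fxp1"
p2p_src = "192.168.1.250"   # alias the p2p/freenet client is bound to

# On the client host the alias is added with, e.g. (OpenBSD syntax):
#   ifconfig fxp0 inet alias 192.168.1.250 netmask 255.255.255.255
# and the application's bind/listen address is set to it.

# Two queues on the outbound interface: p2p may borrow idle bandwidth
# but never crowds out normal traffic when the link is busy.
altq on $ext_if cbq bandwidth 1Mb queue { std, p2p }
queue std bandwidth 80% cbq(default)
queue p2p bandwidth 20% cbq(borrow)

nat on $ext_if from $int_if:network to any -> ($ext_if)

block log all

# Tag on the LAN side, before NAT rewrites the source address on $ext_if.
# Deliberately stateless and "quick": a floating state created here would
# short-circuit rule evaluation on $ext_if, and the queue rule below
# would never be consulted for this connection.
pass in quick on $int_if from $p2p_src tag P2P
pass in on $int_if from $int_if:network keep state
pass out on $int_if keep state

# Outbound: the tag survives NAT, so the rewritten source does not matter.
pass out on $ext_if tagged P2P queue p2p keep state
pass out on $ext_if keep state
```

Check the result with `pfctl -vvs queue` while the client is transferring; if the p2p queue counters stay at zero, the packets are reaching `$ext_if` via a state rather than the `tagged` rule.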