Layer 7 netfilter issue

This topic contains 0 replies, has 0 voices, and was last updated by  ace 4 years, 10 months ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • #43774

    ace
    Member

    Hi all,
    I have a ZS installed (release 2.0.RC3) and configured as a router/NAT box.
    After setting up IP networking, DHCP and NAT, hosts in the 'internal' network can connect to the outside using the single public IP address of the 'outside' interface.
    I can surf the internet, make DNS queries, download files via FTP, etc.

    After this basic startup I then start configuring firewall rules on the FORWARD chain.
    I start with the classic layer 3/4 rules to permit internal hosts to connect outside, and everything works.

    Finally I try using layer 7 protocol identification. I put all the layer 7 rules at the top of the FORWARD chain, without other restricting rules (such as TCP/UDP protocol or ports), but no traffic was identified. I tried with well-known protocols like HTTP, DNS, IMAP, FTP, but no 'l7proto' was ever matched.

    Here is the iptables listing of the FORWARD chain:

    Chain FORWARD (policy DROP 9 packets, 468 bytes)
     pkts bytes target  prot opt in     out    source    destination
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto http
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto dns
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto flash
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto ftp
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto html
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto imap
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto ntp
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto ssh
        0     0 layer7  all  --  any    any    anywhere  anywhere     LAYER7 l7proto whois
     4938 4006K ACCEPT  all  --  any    any    anywhere  anywhere     state RELATED,ESTABLISHED
      452 28974 ACCEPT  all  --  ETH02  ETH00  anywhere  anywhere     state NEW

    As you can see, the pkts/bytes counts are 0 for all the l7proto lines.

    Any hints or ideas about what is wrong here?

    Thanks
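The listing above is the kind of evidence a practitioner would want to triage systematically: the two state rules pass thousands of packets while every layer7 rule, placed ahead of them and matching `all` in both directions, stays at zero. Since every forwarded packet traverses those rules first, a consistently zero counter points at the layer7 match not working at all rather than at rule ordering. The script below is an added diagnostic written for this thread; it is not code from the original post or from the Zeroshell project. It assumes, from the l7-filter documentation rather than from anything on this page, that the match is provided by the kernel module `xt_layer7` (`ipt_layer7` on older kernels) and that the protocol patterns live as `*.pat` files under `/etc/l7-protocols`. The function names, the `SAMPLE_FORWARD` listing (a constructed rewrite of the poster's counters in `iptables -vnL` form, not a capture) and the loaded-module file parameter are all mine.

```shell
#!/bin/sh
# Added diagnostic for zero-hit layer7 rules (not from the original thread).
# Assumptions: the l7-filter match is the kernel module xt_layer7 (ipt_layer7
# on older kernels), patterns are <proto>.pat files under /etc/l7-protocols,
# and `iptables -vnL` prints one rule per line with the packet count first.

# Read an `iptables -vnL <chain>` listing on stdin and print, one per line,
# the l7proto names whose packet counter is zero. Header lines and non-layer7
# rules do not contain "l7proto" and are ignored.
l7_zero_hit_protos() {
    awk '
        /l7proto/ {
            # column 1 is the packet counter; the protocol name follows "l7proto"
            for (i = 1; i <= NF; i++)
                if ($i == "l7proto" && $1 == 0) print $(i + 1)
        }'
}

# Check the two prerequisites for one protocol: the kernel match module is
# loaded and its pattern file exists.
#   $1 = protocol name
#   $2 = pattern directory   (default /etc/l7-protocols)
#   $3 = loaded-modules file (default /proc/modules; a constructed file in tests)
# Prints the reason and returns 1 (no module) or 2 (no pattern); 0 when fine.
l7_check_support() {
    proto=$1; patdir=${2:-/etc/l7-protocols}; modules=${3:-/proc/modules}
    if ! grep -Eq '^(xt|ipt)_layer7[[:space:]]' "$modules" 2>/dev/null; then
        echo "layer7 match module (xt_layer7/ipt_layer7) is not loaded"
        return 1
    fi
    if [ ! -f "$patdir/$proto.pat" ]; then
        echo "no pattern file $patdir/$proto.pat for protocol $proto"
        return 2
    fi
    echo "ok: $proto"
    return 0
}

# Constructed sample: the poster's counters rewritten in `iptables -vnL` form
# (numeric addresses, "*" for any interface). Not captured from a real box.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 9 packets, 468 bytes)
 pkts bytes target     prot opt in     out    source     destination
    0     0 layer7     all  --  *      *      0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto http
    0     0 layer7     all  --  *      *      0.0.0.0/0  0.0.0.0/0  LAYER7 l7proto dns
 4938 4006K ACCEPT     all  --  *      *      0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
  452 28974 ACCEPT     all  --  ETH02  ETH00  0.0.0.0/0  0.0.0.0/0  state NEW'

# Usage: for each protocol that never matched, say why the kernel may be
# unable to match it. On a real router replace SAMPLE_FORWARD with
# `iptables -vnL FORWARD` and drop the two optional arguments.
printf '%s\n' "$SAMPLE_FORWARD" | l7_zero_hit_protos | while read -r proto; do
    printf 'rule for %-6s never matched: ' "$proto"
    l7_check_support "$proto" || :
done
```

Two caveats when reading the result. First, l7-filter classifies a connection only after seeing application payload, so the very first packets of a flow can never hit an `l7proto` rule; as far as I recall the kernel version exposes the packet budget as `/proc/net/layer7_numpackets`, and if that budget is exhausted the connection is left unclassified for good. That makes a rule sitting above the `RELATED,ESTABLISHED` accept harmless but also explains why a handful of hits would not be expected for every flow. Second, with several thousand packets accepted by the state rules and not a single layer7 hit across nine protocols, the module-or-pattern check above is the first thing to confirm before suspecting the rule order.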

    #52996

    maccowley
    Member

    I have the same problem for QoS in bridge and router mode. The level 7 filters seem not to work. I think this is a bug which has existed since version 2.0.
