Hi all!
I am trying to mark traffic by type with mangle and sort it by priority later, but it works very badly: only about half of the p2p traffic is marked normally, and almost all other traffic is marked as OTHER.
Here is my firewall export:
That doesn’t really help, either. If you work really, really hard you can maybe - that’s a big maybe - discover all the P2P traffic on your network. At a huge price of resources (CPU and RAM), and only until the next protocol comes out.
Trying to mark all P2P to give it low priority is equivalent to blacklisting in firewalls. You’re always chasing. Blacklisting is a losing proposition. Whitelisting is the way to go. Prioritize the protocols that are important. They don’t change - HTTP, POP3, SIP. Easy to spot. Prioritize them over everything else.
It is not just a technical problem and decision, it comes pretty close to a philosophical one. Whitelisting has been proven over blacklisting time and time and time again.
Well, whitelisting, then.
Then I need to know how to mark VoIP (Skype), online radio, HTTP and HTTP downloading, mail, games etc., but my mangle script doesn't mark anything except about half of the p2p traffic. Where is the mistake? Can you help me?
I never suggested blacklisting was the answer, nor is philosophy.
[I think the glass is neither half empty nor half full. You can’t measure that precisely]
If a network has serious traffic issues, all tools must be considered.
Prioritize the protocols that are important. They don’t change - HTTP, POP3, SIP. Easy to spot. Prioritize them over everything else.
YES! I agree. But…how does one prioritize protocols without determining the protocol?
Using the “well defined” port is a trap.
I haven’t seen p2p on port 110 (yet), but certainly on port 80 and growing.
110 & 143 OK.
SIP? Hmm. Which port has the rtp stream? (I find the MT sip helper doesn’t work)
It is sometimes not so easy to spot.
L7 can (and probably should) be used for whitelisting as well as blacklisting.
Both are chasing, as it is far too easy to use the well known ports, especially tcp 80 for any traffic.
Besides, if your cpu and memory can’t handle it, you need a bigger box, go to http://www.routerboard.com
Fair enough, I misinterpreted. Finding well known protocols via L7 is a much nicer proposition than finding all P2P. Once you have an L7 matcher for HTTP you’ll be good for a long time.
In the post I left above is a wiki article with some examples.
Also in that wiki are links (at the top) to where you can find the L7 regex expressions and a MT script that imports these into the firewall.
I don’t know if the script is kept up to date - I doubt it. But it is easy enough to make a PHP page to build the script dynamically.
This should be more than enough to get you started.
If you want to experiment, I would start by running the script and add a mangle rule to mark L7 http connections so you can see the connection mark in the Firewall connections. Then as you browse, your connection marks should show up.
Get that working then add more L7 mangle expressions.
If the script is outdated, you can always delete the entries.
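Here is the whitelist-style setup described above written out as a RouterOS script; this is an added example, not something posted in the thread. It assumes RouterOS 3.x-5.x syntax (queue tree parent `global-out`) and uses a simplified, constructed L7 pattern; the names `l7-http`, `http_conn` and the other marks are illustrative.

```routeros
# Added example (not from the thread): whitelist-style mangle + queue tree.
# Assumes RouterOS 3.x-5.x syntax (queue tree parent "global-out"); adjust
# for your version. The L7 regexp is a simplified, constructed pattern for
# illustration; use the l7-filter pattern linked from the wiki for real use.

/ip firewall layer7-protocol
add name=l7-http regexp="^(get|post|head) [^ ]+ http/1"

/ip firewall mangle
# 1) Classify the CONNECTION as soon as L7 recognises HTTP. L7 only inspects
#    the first packets of a connection, so this rule must see those packets:
#    restrict it to still-unmarked connections and keep passthrough=yes.
add chain=prerouting connection-mark=no-mark layer7-protocol=l7-http \
    action=mark-connection new-connection-mark=http_conn passthrough=yes \
    comment="whitelist: HTTP connections"
# Cheap port-based whitelist for mail: no L7 cost, p2p is rarely seen here.
add chain=prerouting connection-mark=no-mark protocol=tcp dst-port=25,110,143 \
    action=mark-connection new-connection-mark=mail_conn passthrough=yes \
    comment="whitelist: mail"

# 2) Turn connection marks into packet marks for the queue tree.
add chain=prerouting connection-mark=http_conn action=mark-packet \
    new-packet-mark=http_pkt passthrough=no
add chain=prerouting connection-mark=mail_conn action=mark-packet \
    new-packet-mark=mail_pkt passthrough=no

# 3) Catch-all: mark PACKETS, not connections. A catch-all mark-connection rule
#    would tag every new flow as "other" on its first packet and hide it from
#    the L7 rule above, which is the classic "everything ends up OTHER" symptom.
add chain=prerouting packet-mark=no-mark action=mark-packet \
    new-packet-mark=other_pkt passthrough=no

/queue tree
add name=all parent=global-out max-limit=8M
add name=mail parent=all packet-mark=mail_pkt priority=1
add name=http parent=all packet-mark=http_pkt priority=2
add name=other parent=all packet-mark=other_pkt priority=8
```

While browsing, `/ip firewall connection print` should show `http_conn` on the web flows, and `/queue tree print stats` shows which leaf is actually carrying the bytes.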
All…
In my network it catches maybe 10% of P2P. Maybe whitelisting is better, but both are chasing. I'm using a combination of both. E.g. "Other" - priority 4; important services prio 1, 2; P2P and HTTP downloading prio 8.
I think marking all the necessary types of traffic with L7 rules is not so good for CPU and memory usage; why can't I mark all traffic on port 110 or another? Please help me do it.
P.S. My PC has 100 MB RAM and a 366 MHz CPU on board; internet speed 8 Mbit.