Application layer classifier for ipfw

Lawrence Stewart lstewart at room52.net
Thu Jul 31 13:45:42 UTC 2008


Mike Makonnen wrote:
> Lawrence Stewart wrote:
>> Hi Mike,
>>
>> Mike Makonnen wrote:
>>
>> [snip]
>>
>>> sharing applications which were hogging all the bandwidth. I looked 
>>> for  programs that would allow me to shape traffic according to the 
>>> application layer protocol, but couldn't find any for FreeBSD. I 
>>> found a couple: l7-filter and ipp2p, but these are Linux specific. 
>>> So, I decided to write one. The result is ipfw-classifyd :
>>> http://people.freebsd.org/~mtm/ipfw-classifyd.tar.bz2
>>
>> [snip]
>>
>> Unfortunately, I suspect you should have looked a bit harder: Bro 
>> (http://www.bro-ids.org/) or Snort (http://www.snort.org/), both of 
>> which are in the FreeBSD ports tree, would have saved you from 
>> reinventing the wheel.
>>
> I'm not sure they have the exact type of wheel I'm looking for :-). My 
> understanding is that their primary function is Intrusion Detection, not 
> traffic shaping. To use them as traffic shapers would require extra work 
> on the sysadmin's part (scripts and other types of scotch tape). Am I 
> wrong? The ipfw-classifyd daemon, on the other hand, works directly with 
> ipfw(4). I suspect that for traffic shaping using ipfw-classifyd would 
> require a lot less effort than using either of the above solutions. At 
> the very least it's an additional tool in the FreeBSD sysadmin's arsenal.

Yes, the IDS solutions would need to trigger some sort of script to 
implement the shaping once P2P traffic was detected... but I'd argue 
that writing those scripts would be the easy bit. The tricky thing is 
doing all the application layer protocol parsing and identification. 
This is where leveraging one of these IDS solutions makes a lot of 
sense... a classifier is only going to be as good as its training data 
and IDSs are all about good training data.

All of that said, I think what you've done is neat. Perhaps you could 
find a way to hand off the classification decision to something like Bro 
so that you can utilise the existing training data and avoid having to 
maintain that sort of information yourself. Just thinking out loud though :)

> 
> BTW, my motivation for writing this program wasn't because there were no 
> other tools that did this (as I mentioned I had already found Linux 
> tools that would do this), but because I wanted a solution that uses 
> FreeBSD and is BSD licensed :-)

For the record, Bro is BSD licenced.

Cheers,
Lawrence
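As an added example, not code from ipfw-classifyd, Bro, Snort or anyone in this thread, here is a toy of the two halves the thread discusses: an l7-filter style signature classifier applied to the first payload bytes of a flow, and the "glue script" side that turns a classification into ipfw(8) dummynet shaping. Pipe number 10, table number 7, the 256Kbit/s limit, the three signatures and the sample payloads are all assumptions chosen for the example; the ipfw commands are returned as strings rather than executed, so it runs anywhere.

```python
"""Toy application-layer classifier plus ipfw dummynet glue (added example).

Not code from ipfw-classifyd, Bro or Snort.  The signatures are a few
well-known protocol fingerprints; the sample flows are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Signature table, l7-filter style: protocol name -> regex applied to the
# leading bytes of payload seen on a flow.  These three fingerprints are well
# known (BitTorrent peer handshake, HTTP request line, SSH version banner); a
# real classifier needs a much larger, maintained set, which is the "training
# data" point made in the thread.
SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-[12]\.[0-9]+-")),
]

MAX_INSPECT = 64  # these signatures only need the leading bytes


def classify(payload: bytes) -> Optional[str]:
    """Return the protocol whose signature matches the payload head, else None.

    Caveat: obfuscated or encrypted variants (e.g. BitTorrent with message
    stream encryption) do not match a plaintext handshake signature, so an
    unmatched flow means 'unknown', not 'not P2P'.
    """
    head = payload[:MAX_INSPECT]
    for name, pattern in SIGNATURES:
        if pattern.match(head):
            return name
    return None


# ipfw glue.  Assumed layout (hypothetical numbers): dummynet pipe 10 carries
# the throttled traffic and lookup table 7 holds the hosts to throttle, so
# shaping a newly classified host is one table insert, not a new rule per flow.
PIPE = 10
TABLE = 7


def setup_commands(pipe: int = PIPE, table: int = TABLE,
                   bw: str = "256Kbit/s", base: int = 1000) -> List[str]:
    """One-time ipfw(8) commands provisioning the pipe and table-driven rules."""
    return [
        f"ipfw pipe {pipe} config bw {bw}",
        f"ipfw add {base} pipe {pipe} ip from table({table}) to any",
        f"ipfw add {base + 1} pipe {pipe} ip from any to table({table})",
    ]


class Shaper:
    """Decides per flow whether to throttle and emits the ipfw commands to do it."""

    def __init__(self, throttle: Tuple[str, ...] = ("bittorrent",),
                 table: int = TABLE) -> None:
        self.throttle = set(throttle)
        self.table = table
        self.shaped: Dict[str, str] = {}  # host -> protocol; avoids duplicate adds

    def handle_flow(self, src_ip: str, payload: bytes) -> Tuple[Optional[str], List[str]]:
        proto = classify(payload)
        if proto in self.throttle and src_ip not in self.shaped:
            self.shaped[src_ip] = proto
            # 'ipfw table N add' of an address already present fails, hence the dedup.
            return proto, [f"ipfw table {self.table} add {src_ip}"]
        return proto, []


# Constructed sample flows (not captured traffic): source host and first payload.
SAMPLE_FLOWS = [
    ("10.0.0.5", b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"-TR1234-" + b"\xbb" * 12),
    ("10.0.0.7", b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("10.0.0.9", b"SSH-2.0-OpenSSH_5.1\r\n"),
    ("10.0.0.5", b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xcc" * 20 + b"-TR1234-" + b"\xdd" * 12),
    ("10.0.0.11", b"\x00\x00\x00\x01\xfe"),
]


def run_samples() -> List[Tuple[str, Optional[str], List[str]]]:
    """Feed the sample flows through one Shaper; returns (host, protocol, commands)."""
    shaper = Shaper()
    return [(ip, *shaper.handle_flow(ip, data)) for ip, data in SAMPLE_FLOWS]


if __name__ == "__main__":
    for cmd in setup_commands():
        print(cmd)
    for ip, proto, cmds in run_samples():
        print(ip, proto or "unknown", *cmds)
```

The table-driven layout is the part worth copying: the rules that send traffic into the pipe are static, and the daemon or IDS hook only ever inserts or deletes table entries, so rule numbers never churn and a second flow from an already-shaped host costs nothing. The classifier half is deliberately minimal to make the thread's point concrete: three regexes are easy to write, but the list that actually catches real P2P clients (and does not shape your HTTP proxy by mistake) is the hard, ongoing maintenance work.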


More information about the freebsd-net mailing list