[afnog] content filter/firewall/bandwidth manager
Mihamina Rakotomandimby
mihamina at rktmb.org
Sat Jul 30 17:28:27 UTC 2011
> On Sat, 2011-07-30 at 06:59 -0700, Righa Shake wrote:
> Hi,
> Anyone knowing an opensource application that can do the following:
> block downloads based on usernames
What username:
- windows/linux username?
- HTTP username?
- Proxy username? (authenticated proxy)
> , ip
> address, protocols (esp bit-torrents, peer to peer), and time control
> etc., web filters, etc
I used to use:
- Linux +
-- (iptables -> squid+dans-guardian) for web filtering and throttling
-- (iptables [...] -j classify + tc) for bandwidth management
I had the project to have a look at "nuFW" http://www.nufw.org/ but
everyone was happy with the current solution for the moment, so...
1°) iptables l7 is known to be not as reliable as that, for protocol
detection. Too many false positives. Open
2°) For high volumes (4000 IP addresses to limit), using "tc filter" on
a common x86_64 is heavily using resources. We switched to "iptables -j
classify + tc class" limiting.
3°) I never tried on other systems than Linux (no xxxBSD nor openSolaris)
4°) openDPI is usable with iptables:
http://www.google.com/search?q=modprobe+xt_opendpi+iptables
I've not tested it; it seems to be promising.
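One way to set up the "iptables -j classify + tc class" scheme described in point 2°), as an added example that is not from the original post: each host in a /16 is mapped to its own HTB class id, so no per-host "tc filter" lookup is needed. The interface name, the rates and the DRY_RUN mode (print the commands instead of running them, since the real ones need root) are assumptions.

```shell
# Per-host bandwidth limiting with iptables CLASSIFY + tc HTB classes (added example).
IFACE="${IFACE:-eth0}"             # assumed LAN-facing interface (downloads leave here)
LINK_RATE="${LINK_RATE:-100mbit}"  # assumed link capacity
RATE="${RATE:-512kbit}"            # assumed per-host ceiling
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands, 0 = execute them (root needed)

# run: print the command line in dry-run mode, otherwise execute it
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# class_minor: map the last two octets of an IPv4 address to a hex HTB minor id,
# giving every host of a /16 its own class id without any tc filter lookup.
# Minor ids 1 and 2 (x.y.0.1 / x.y.0.2) are reserved for the root and default classes.
class_minor() {
  o3=${1#*.*.}; o3=${o3%.*}
  o4=${1##*.}
  m=$(( o3 * 256 + o4 ))
  [ "$m" -gt 2 ] || return 1
  printf '%x' "$m"
}

# setup_root: HTB qdisc with a root class and a default class for unshaped traffic
setup_root() {
  run tc qdisc add dev "$IFACE" root handle 1: htb default 2
  run tc class add dev "$IFACE" parent 1: classid 1:1 htb rate "$LINK_RATE"
  run tc class add dev "$IFACE" parent 1:1 classid 1:2 htb rate 1mbit ceil "$LINK_RATE"
}

# limit_host: one HTB leaf class plus one CLASSIFY rule per host; netfilter sets the
# class on the packet, so the qdisc needs no filter to find it.
limit_host() {
  minor=$(class_minor "$1") || return 1
  run tc class add dev "$IFACE" parent 1:1 classid "1:$minor" htb rate 64kbit ceil "$RATE"
  run iptables -t mangle -A POSTROUTING -o "$IFACE" -d "$1" -j CLASSIFY --set-class "1:$minor"
}

# shape_hosts: build the whole setup for a list of hosts
shape_hosts() { setup_root; for h in "$@"; do limit_host "$h"; done; }

# usage with two constructed hosts; in dry-run mode this prints the tc/iptables commands
shape_hosts 10.0.1.20 10.0.200.7
```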