Layer 7 Firewall on Openwrt

Is there any package or feature that implements a Layer 7 (application) capable firewall on OpenWrt? I'm asking this because I need to monitor (and in some cases block) which applications are being used on my network. After some research I found a package (l7-protocols), but it had so many troubles that it was removed from OpenWrt. Does anyone know if there is actually some feature to help me with this task?

Best Regards.

There are the famous snort and snort3 packages as an intrusion detection system, but they are hard to maintain and probably a bit overkill on low-powered router devices.

This could probably be interesting for you (I haven't tested it yet):


Also be aware that most applications nowadays use HTTPS (tcp/443) to talk to a CDN (Cloudflare/Akamai...),
i.e. encrypted traffic on the same port and same destination.
Expect limited visibility.


Thank you @juppin for the clue. I'll give it a try. The solution I'm working with isn't a domestic router. Actually I'm using a PC Engines APU3 board, which has enough processing power to do some tasks. I was also thinking about using snort, as I have to configure it for intrusion detection too, but it's way harder to maintain, as you said. I'm looking for a more straightforward solution.

@fuller, thank you for your advice. I'm aware of the limitations and difficulties around this question, but it's a requirement that I must fulfill, even with these limitations. I don't have much option on that. So I will give it a try and update here if it's doable with netifyd.

So, hands on work.


Even with a board like the APU3, snort chews CPU resources. I have an 8-core Intel C3758 processor and snort uses a high percentage of a single core at gigabit speeds, even with a relatively small subset of rules.

These packet inspection packages generate large amounts of soft IRQs due to the packet capture, and with the hardware interrupts from the interfaces, you'll definitely want to do some tuning to optimize the performance, as it's not even close to optimized by default.

I've got a couple of packages that capture packets (snort, softflowd), and I start by setting their CPU affinity to different cores to spread the load around.

Then you'll want to optimize that board's network interface IRQs as well. I see it has Intel i211AT GbE interfaces. You should set the smp_affinity for the rx and tx IRQs for a given interface to different CPU cores, which will reduce the number of interrupts per core (they tend to cluster on core 0 if you don't do this). (See this for useful info.)

It would likely be better to use Intel's out-of-tree igb drivers, as they're more advanced than the upstream drivers. As far as I recall these interfaces support Intel Flow Director, which is hardware-offloaded receive flow steering. I have a package Makefile for the out-of-tree igb drivers if you're interested in using them...
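The IRQ spreading described in this reply, as an added example that is not the poster's own script: it reads /proc/interrupts, picks the queue IRQs of one interface and plans one CPU per IRQ round-robin, printing the smp_affinity bitmask to write. The /proc/interrupts excerpt, interface names and core lists are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): spread a NIC's queue IRQs over CPU cores
# by planning an smp_affinity bitmask per IRQ. Assumes queue IRQs are listed in
# /proc/interrupts as "<iface>-<queue>" (igb names them like eth0-TxRx-0).

# Constructed /proc/interrupts excerpt (not captured from a real APU3 board).
SAMPLE_INTERRUPTS='           CPU0       CPU1       CPU2       CPU3
  24:       1000          0          0          0   PCI-MSI 524288-edge      eth0
  25:     900000          0          0          0   PCI-MSI 524289-edge      eth0-TxRx-0
  26:     850000          0          0          0   PCI-MSI 524290-edge      eth0-TxRx-1
  27:       1000          0          0          0   PCI-MSI 1048576-edge     eth1
  28:     700000          0          0          0   PCI-MSI 1048577-edge     eth1-TxRx-0
  29:     650000          0          0          0   PCI-MSI 1048578-edge     eth1-TxRx-1'

# plan_affinity IFACE "CPU LIST" < interrupts-text
# Prints "IRQ CPU HEXMASK" for every queue IRQ of IFACE, assigning the CPUs
# from CPU LIST round-robin (the link-status IRQ named just "eth0" is skipped).
plan_affinity() {
    iface=$1; cpulist=$2
    awk -v iface="$iface" '$NF ~ ("^" iface "-") { sub(":", "", $1); print $1 }' |
    {
        i=0
        while read -r irq; do
            set -- $cpulist            # pick the i-th CPU of the list
            shift $(( i % $# ))
            cpu=$1
            printf '%s %s %x\n' "$irq" "$cpu" $(( 1 << cpu ))   # bitmask, CPUs < 64
            i=$(( i + 1 ))
        done
    }
}

# apply_affinity < plan: writes each mask into /proc/irq/<IRQ>/smp_affinity.
# Needs root and a real kernel; verify with "grep <iface> /proc/interrupts".
apply_affinity() {
    while read -r irq cpu mask; do
        echo "$mask" > "/proc/irq/$irq/smp_affinity"
    done
}

# Dry run on the constructed sample: eth0 queues on cores 1 and 2, eth1 on 3.
printf '%s\n' "$SAMPLE_INTERRUPTS" | plan_affinity eth0 "1 2"
printf '%s\n' "$SAMPLE_INTERRUPTS" | plan_affinity eth1 "3"
```

On a live box the plan is applied with `plan_affinity eth0 "1 2" < /proc/interrupts | apply_affinity`; keep the cores used by the packet-capture daemons out of the CPU list so the two do not compete.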


@dl12345, thank you for your advice. I do know that it is something I have to consider when working with snort on limited hardware such as the APU3. Although my setup is designed to handle only a 4G connection up to 100 Mb or even less than that. Actually I'm working with 20~30 Mbps connections, so for this low traffic what I have right now might be enough, but it's something I will consider for sure.

Ah yeah, you should definitely be ok at that speed. It's once you hit gigabit speeds that it becomes an issue.

Just to keep this updated. After some tests, and a lot of work, I couldn't rely only on netifyd for application detection. It works, at some level, but for sure there is much work to do on netifyd. So, let's take some considerations:

  • There's no support for their firewall utility, thus if you need to take any action from netifyd, it must be implemented by a third-party script/software. This issue itself doesn't bother me at all, because I'm a developer, so it's something I can do. But if that isn't your case, it will not work.

  • The detection itself isn't that trustworthy; sometimes it takes so long to identify a connection from an appliance, and for sure it can't detect all connections from YouTube, WhatsApp, Facebook and some of the most popular apps.

  • It lacks documentation. I had a hard time making it run for the first time as a socket. Part of that was because of the output format, which wasn't clear about how it should be.

So, after that, I gave up on implementing my Layer 7 firewall application using only netifyd. For this purpose, openappid + snort did a much more reliable detection. About snort itself, to prevent it from consuming all the processing power and a huge amount of memory, my solution was to run it in IDS mode and write some scripts to configure firewall rules from the alert output. It isn't perfect either, and can't detect all traffic from some applications, like YouTube (it's really annoying trying to block YouTube). Maybe writing some more rules for openappid itself can help to improve the results.

So far, it isn't that simple to track app connections. Maybe I'm lacking the knowledge to do it, but for now this is my solution architecture:

The image descriptions are in Portuguese, but basically, on top I wrote an application to configure snort and netify to watch the network traffic; this application then reads netify and snort notifications and writes iptables and QoS rules to block/control/monitor applications' traffic.

So far so good, it isn't perfect, but works well enough for my needs.
Suggestions are welcome too!
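The "IDS mode plus scripts that turn alerts into firewall rules" step from the update above, as an added example that is not the poster's code: it parses Snort alert_fast lines and emits one iptables DROP rule per distinct flow whose Priority is at or below a threshold. The alert lines, SIDs, messages and addresses are constructed; the FORWARD chain and DROP action are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: turn Snort alert_fast lines into
# iptables DROP rules. Assumes each alert carries "[Priority: N]" and
# "{PROTO} src:port -> dst:port" as alert_fast prints them; IPv4 only, since
# the port is stripped at the last ":" (IPv6 addresses would be mangled).

# Constructed sample alerts (not real Snort output; SIDs/messages made up).
SAMPLE_ALERTS='01/28-22:26:04.885446  [**] [1:1000001:1] POLICY app YouTube [**] [Priority: 3] {TCP} 192.168.1.10:51234 -> 203.0.113.10:443
01/28-22:26:05.101010  [**] [1:1000001:1] POLICY app YouTube [**] [Priority: 3] {TCP} 192.168.1.10:51235 -> 203.0.113.10:443
01/28-22:26:06.202020  [**] [1:1000002:1] POLICY app WhatsApp [**] [Priority: 3] {UDP} 192.168.1.11:3478 -> 198.51.100.7:3478
01/28-22:26:07.303030  [**] [1:2000000:1] MALWARE-CNC beacon [**] [Priority: 1] {TCP} 192.168.1.12:40000 -> 192.0.2.5:8080'

# rules_from_alerts MAX_PRIORITY < alerts
# Emits one "iptables -I FORWARD ..." line per distinct (proto, src, dst) for
# alerts with Priority <= MAX_PRIORITY (1 is the most severe in Snort).
rules_from_alerts() {
    awk -v maxprio="$1" '
        {
            prio = 99; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "[Priority:") { prio = $(i + 1); sub("]", "", prio) }
                # protocol token looks like {TCP}; src and dst follow it
                if (substr($i, 1, 1) == "{" && substr($i, length($i), 1) == "}") {
                    proto = tolower(substr($i, 2, length($i) - 2))
                    src = $(i + 1); dst = $(i + 3)
                }
            }
            if (proto == "" || prio + 0 > maxprio + 0) next
            sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)   # drop ports
            key = proto " " src " " dst
            if (key in seen) next                                 # dedupe flows
            seen[key] = 1
            printf "iptables -I FORWARD -p %s -s %s -d %s -j DROP\n", proto, src, dst
        }'
}

# Dry run: print the rules the constructed alerts would produce.
printf '%s\n' "$SAMPLE_ALERTS" | rules_from_alerts 3
```

Piping the output into `sh` applies the rules; feeding the addresses into an ipset instead keeps the FORWARD chain from growing with every new destination an app uses.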

