Hello. I've got a RedHat Linux 9 router which provides net for a LAN via DNAT. On this machine I plan to use layer 7 filtering in order to get rid of some unwanted instant messaging and p2p protocols for some of the internal IP's. So far, I've found l7-filter which seems to provide what I need. I've rebuilt the iptables-1.2.9-2.3.1 srpm including the l7-filter patch and it worked nicely. The ugly part comes with the kernel (2.4.20-8). I've deployed the srpm and modified the spec to include the l7-filter patch. However, when it comes to rebuilding the rpm (rpmbuild -bb --clean --target i686 kernel-2.4.spec), I get:
Connection state match support (CONFIG_IP_NF_MATCH_STATE) [M/n/?]
Connection tracking match support (CONFIG_IP_NF_MATCH_CONNTRACK) [M/n/?]
Unclean match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_UNCLEAN) [M/n/?]
Owner match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_OWNER) [M/n/?]
Layer 7 match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_LAYER7) [N/m/?] (NEW)
Buffer size for application layer data (256-65536) (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN) [2048] (NEW)
CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN:
Size of the buffer that the application layer data is stored in. Unless you know what you're doing, leave it at the default of 2048 Bytes.
Buffer size for application layer data (256-65536) (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN) [2048] (NEW)
CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN:
...and the message keeps repeating. At this point, I'm pondering whether to switch to a recent RHEL 2.6 kernel and try patching that or get some other layer 7 filtering software which may work nicely with the RH 2.4.20 kernel (is there any other?). Any ideas and suggestions are welcome. Thanks.
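The repeating prompt is what the 2.4 kernel's configure step produces when it meets a symbol that has no answer in the config file it was given and cannot get one from the terminal; the two l7-filter symbols are new, so the per-arch config files shipped in the kernel SRPM do not know them (this cause is an assumption, not something confirmed in the thread). The following POSIX shell helper is an added example, not code from the thread or from the l7-filter project: it seeds the two symbols quoted above into a kernel config file before the build, leaving any answer the maintainer already recorded untouched, so the build never has to ask. The config file path is a placeholder; adapt it to wherever the spec keeps its configs.

```shell
#!/bin/sh
# Added example (not from the thread): pre-seed the Kconfig symbols that the
# l7-filter patch introduces into a kernel config file, so that a
# non-interactive "make oldconfig" during the rpmbuild finds an answer for
# them instead of prompting. Assumption: the SRPM applies a per-arch config
# file from its configs/ directory; the path passed in is a placeholder.

# seed_config_option FILE SYMBOL VALUE
# Appends "SYMBOL=VALUE" only when FILE has no definition of SYMBOL yet,
# i.e. neither "SYMBOL=..." nor "# SYMBOL is not set". An existing answer
# is the maintainer's choice and is never overridden.
seed_config_option() {
    file=$1; sym=$2; val=$3
    if grep -q "^${sym}=" "$file" || grep -q "^# ${sym} is not set" "$file"; then
        return 0
    fi
    printf '%s=%s\n' "$sym" "$val" >> "$file"
}

# seed_l7_options FILE
# Seeds the two symbols shown in the looping prompt: build the match as a
# module and keep the per-connection buffer at the documented default of
# 2048 bytes (a larger buffer costs kernel memory for every tracked flow).
seed_l7_options() {
    file=$1
    seed_config_option "$file" CONFIG_IP_NF_MATCH_LAYER7 m
    seed_config_option "$file" CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN 2048
}

# count_l7_options FILE
# Prints how many of the two symbols FILE defines with a value; a quick
# check to run before starting rpmbuild (expect 2).
count_l7_options() {
    grep -c -E '^CONFIG_IP_NF_MATCH_LAYER7(_MAXDATALEN)?=' "$1"
}

# Usage (placeholder path):
#   seed_l7_options configs/kernel-PLACEHOLDER-i686.config
#   count_l7_options configs/kernel-PLACEHOLDER-i686.config
```

Run it against every config file the spec builds for (each target arch has its own), then rebuild; if the prompt still appears for another symbol, seed that one the same way rather than feeding answers to the build on stdin.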
On Wed, 29.06.2005, at 20:09, Ovidiu Lixandru wrote:
I've got a RedHat Linux 9 router which provides net for a LAN via DNAT.
Sorry to say, but this is the wrong auditorium for Red Hat Linux 9 issues.
On this machine I plan to use layer 7 filtering in order to get rid of some unwanted instant messaging and p2p protocols for some of the internal IP's. So far, I've found l7-filter which seems to provide what I need. I've rebuilt the iptables-1.2.9-2.3.1 srpm including the l7-filter patch and it worked nicely. The ugly part comes with the kernel (2.4.20-8). I've deployed the srpm
Oh man, that old kernel is a long, long time obsolete and a no-go for a firewalling router! Have a close look at the Fedora Legacy Project.
At this point, I'm pondering whether to switch to a recent RHEL 2.6 kernel and try patching that or get some other layer 7 filtering software which may work nicely with the RH 2.4.20 kernel (is there any other?).
Migrate to Fedora - then you are right here (or get RHEL or CentOS and use their communication routes).
Alexander
--- Ovidiu Lixandru ovidiu@linux360.ro wrote:
Hello. I've got a RedHat Linux 9 router which provides net for a LAN via DNAT. On this machine I plan to use layer 7 filtering in order to get rid of some unwanted instant messaging and p2p protocols for some of the internal IP's. So far, I've found l7-filter which seems to provide what I need. I've rebuilt the iptables-1.2.9-2.3.1 srpm including the l7-filter patch and it worked nicely. The ugly part comes with the kernel (2.4.20-8). I've deployed the srpm and modified the spec to include the l7-filter patch. However, when it comes to rebuilding the rpm (rpmbuild -bb --clean --target i686 kernel-2.4.spec), I get:
Connection state match support (CONFIG_IP_NF_MATCH_STATE) [M/n/?]
Connection tracking match support (CONFIG_IP_NF_MATCH_CONNTRACK) [M/n/?]
Unclean match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_UNCLEAN) [M/n/?]
Owner match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_OWNER) [M/n/?]
Layer 7 match support (EXPERIMENTAL) (CONFIG_IP_NF_MATCH_LAYER7) [N/m/?] (NEW)
Buffer size for application layer data (256-65536) (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN) [2048] (NEW)
CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN:
Size of the buffer that the application layer data is stored in. Unless you know what you're doing, leave it at the default of 2048 Bytes.
Buffer size for application layer data (256-65536) (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN) [2048] (NEW)
CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN:
...and the message keeps repeating. At this point, I'm pondering whether to switch to a recent RHEL 2.6 kernel and try patching that or get some other layer 7 filtering software which may work nicely with the RH 2.4.20 kernel (is there any other?). Any ideas and suggestions are welcome. Thanks.
--
Have you considered asking the dudes in the fedora-legacy-list? (Given that RH9 is now in legacy)
---------------------------------------------------------------------- Fedora Core - The power of Open Source Now! Please search the archives and fedoraforum.org as the question is likely to have been asked before.
Catch me at http://members.lycos.co.uk/bubudiu/
Cheers Captain Bubudiu
___________________________________________________________ Yahoo! Messenger - NEW crystal clear PC to PC calling worldwide with voicemail http://uk.messenger.yahoo.com
On Wed, 29.06.2005, at 20:16, Alexander Dalloz wrote:
The ugly part comes with the kernel (2.4.20-8). I've deployed the srpm
Oh man, that old kernel is a long, long time obsolete and a no-go for a firewalling router! Have a close look at the Fedora Legacy Project.
Alexander
Sorry, rereading my reply I feel I was not clear enough. The RH9 kernel 2.4.20-8 has more serious security issues than you have fingers on one hand! It is the kernel version RH9 originally shipped with years ago. Even during the period when Red Hat himself released security update kernels, that beast should have been kicked a long time ago.
Alexander
Alexander Dalloz wrote:
On Wed, 29.06.2005, at 20:09, Ovidiu Lixandru wrote:
<snip>
Sorry to say, but this is the wrong auditorium for Red Hat Linux 9 issues.
I didn't know who else to ask. fedora-legacy-list seems to have another purpose than user problems with projects in Legacy.
Oh man, that old kernel is a long, long time obsolete and a no-go for a firewalling router! Have a close look at the Fedora Legacy Project.
I know, however it serves its purpose and it's a nicely tweaked machine. I don't really want to go upgrading. Besides, old bits of software have their charm. ;)
Migrate to Fedora - then you are right here (or get RHEL or CentOS and use their communication routes).
I've backported some of the packages from FC1 and FC2, but the core is still Shrike. Is this a "if it works, it's high time for an upgrade" trick question? :)
So, does anyone have any pointers for software filtering using 2.4 kernels?
Captain Bubudiu wrote:
Have you considered asking the dudes in the fedora-legacy-list? (Given that RH9 is now in legacy)
Yes, as I said in another reply, fedora-legacy-list seems to have another purpose than user problems with projects in Legacy.
"fedora-list - For users of Fedora Core releases. If you want help with a problem installing or using Fedora Core, this is the list for you."
keyword: users
"fedora-legacy-list - For discussions about the Fedora Legacy Project"
keywords: "discussions about the [...] Project"
I admit, I haven't checked the archives to get an idea about the issues discussed over there.
--- Ovidiu Lixandru ovidiu@linux360.ro wrote:
Captain Bubudiu wrote:
Have you considered asking the dudes in the fedora-legacy-list? (Given that RH9 is now in
legacy)
Yes, as I said in another reply, fedora-legacy-list seems to have another purpose than user problems with projects in Legacy.
"fedora-list - For users of Fedora Core releases. If you want help with a problem installing or using Fedora Core, this is the list for you."
keyword: users
"fedora-legacy-list - For discussions about the Fedora Legacy Project"
keywords: "discussions about the [...] Project"
I admit, I haven't checked the archives to get an idea about the issues discussed over there.
-- Ovidiu Lixandru linux360
The fedora list is for discussion of Fedora Core 3 and 4 (the currently supported releases). The Fedora Legacy list is for the discussion of RH7.3, RH9, FC1 and FC2.
In fact, as a matter of urgency, go to
- http://www.fedoralegacy.org/docs/yum-rh9.php where you can get the updates at http://download.fedoralegacy.org/redhat/9/
- If you are using the stock packages from RH9 you are vulnerable unless you use the fedoralegacy.org patches.
Cheers Captain Bubudiu
On Wed, 29.06.2005, at 20:29, Ovidiu Lixandru wrote:
Alexander Dalloz wrote:
On Wed, 29.06.2005, at 20:09, Ovidiu Lixandru wrote:
<snip>
Sorry to say, but this is the wrong auditorium for Red Hat Linux 9 issues.
I didn't know who else to ask. fedora-legacy-list seems to have another purpose than user problems with projects in Legacy.
Correct. But with RH9 you fall into the gap.
Oh man, that old kernel is a long, long time obsolete and a no-go for a firewalling router! Have a close look at the Fedora Legacy Project.
I know, however it serves its purpose and it's a nicely tweaked machine. I don't really want to go upgrading. Besides, old bits of software have their charm. ;)
I really hope all the other software is not as badly maintained as the kernel (I don't mean that aggressively - just as a serious warning).
Migrate to Fedora - then you are right here (or get RHEL or CentOS and use their communication routes).
I've backported some of the packages from FC1 and FC2, but the core is still Shrike. Is this a "if it works, it's high time for an upgrade" trick question? :)
It is said with respect to my first sentence in this mail; please see above. You are mostly on your own speaking about end user problems with RH9.
So, does anyone have any pointers for software filtering using 2.4 kernels?
Alexander
On Wed, 29.06.2005, at 20:46, Captain Bubudiu wrote:
The fedora list is for discussion of Fedora Core 3 and 4 (Current supported releases). The Fedora Legacy list is for the discussion of RH7.3, RH9, FC1 and FC2.
No, the Fedora Legacy list fedora-legacy-list@redhat.com isn't for end user problem discussions. It is for coordinating and communicating about the FLP itself. Problems with FLP updates are answered there, but anything regarding use of EOL (legacy) Red Hat and Fedora releases or questions about customizing these distribution releases are misplaced there.
Captain Bubudiu
Alexander
On Wed, 2005-06-29 at 21:29 +0300, Ovidiu Lixandru wrote:
I know, however it serves its purpose and it's a nicely tweaked machine. I don't really want to go upgrading. Besides, old bits of software have their charm. ;)
If you don't want to upgrade you need to update at least! There's been a plethora of security fixes to the original RH9 distro.
Get yum for RH9 (see below) and update your system! If you want I'll send you a yum.conf that works well for RH9.
Cheers Steffen.
[yum for RH9: http://download.fedoralegacy.org/redhat/9/legacy-utils/i386/yum-2.0.5-0.9.2....]
On Fri, 2005-07-01 at 17:22 +1000, Steffen Kluge wrote:
On Wed, 2005-06-29 at 21:29 +0300, Ovidiu Lixandru wrote:
I know, however it serves its purpose and it's a nicely tweaked machine. I don't really want to go upgrading. Besides, old bits of software have their charm. ;)
If you don't want to upgrade you need to update at least! There's been a plethora of security fixes to the original RH9 distro.
Get yum for RH9 (see below) and update your system! If you want I'll send you a yum.conf that works well for RH9.
Cheers Steffen.
[yum for RH9: http://download.fedoralegacy.org/redhat/9/legacy-utils/i386/yum-2.0.5-0.9.2....]
For more details see also: http://www.fedoralegacy.org/docs/yum-rh9.php
Paul.