# Shorewall & Layer7-Support

## Pette

Hey there.

Is there anyone who has shorewall running with layer7-support?

Is there a good howto on this somewhere? I found some howtos for layer7 and some for shorewall, but not one for both.

Any help appreciated.

Greetz, Pette.

----------

## Pette

Has no one really ever made an attempt on this? I would be very interested!

----------

## thepustule

A little more specific example of what you are trying to do would help.

----------

## -Craig-

I guess things like filtering a website that contains a certain word?

Or filtering outgoing HTTPS (HTTP CONNECT) to port 443 that contains something like "SSH-2.0-OpenSSH_4.3" ?

Well, iptables is capable of filtering strings since 2001: http://www.securityfocus.com/infocus/1531

Or check this out: http://l7-filter.sourceforge.net/

----------

## Pette

*-Craig- wrote:*

> Or check this out: http://l7-filter.sourceforge.net/

That's exactly what I meant. Sorry I didn't mention it in my first post already...

On http://l7-filter.sourceforge.net/HOWTO#Doing they show an example of Bandwidth-Restriction:

```
iptables -t mangle -A POSTROUTING -m layer7 --l7proto imap -j MARK --set-mark 3
```

then 

```
tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw flowid 1:3
```

That's kind of what I want to accomplish using shorewall, instead of using iptables and tc directly.

Hope this makes it a little more clear.

Greetz, Pette.
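One way to get the two commands above under Shorewall's control is to put them in a tcstart extension script, as an added example that is not from the thread, the l7-filter HOWTO or the Shorewall project. It assumes the l7-filter kernel patch and the iptables layer7 match are installed, that an HTB root qdisc 1:0 with a class 1:3 already exists on the interface (for instance one built by Shorewall's own tcdevices/tcclasses files), and the variable and chain names (L7_DEV, L7_MARK, L7_PROTOS, l7mark) are my own.

```shell
#!/bin/sh
# Layer7 marking helper for Shorewall's tcstart extension script.
# Added example (not from the l7-filter HOWTO or the Shorewall project).
# Assumes: l7-filter kernel patch + iptables layer7 match installed, and an
# HTB root qdisc 1:0 with a leaf class 1:<mark> already present on L7_DEV.

L7_DEV="${L7_DEV:-eth0}"          # interface carrying the shaped traffic
L7_MARK="${L7_MARK:-3}"           # fwmark value, also the HTB class minor number
L7_PROTOS="${L7_PROTOS:-imap}"    # layer7 pattern names, space separated

# Run a command, or only print it when L7_DRY_RUN=1 so the generated
# iptables/tc lines can be reviewed before they touch a live firewall.
l7_run() {
    if [ "${L7_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Mark packets that the layer7 classifier attributes to each protocol.
# A dedicated mangle chain keeps the rules easy to flush again on tcclear.
l7_mark_rules() {
    l7_run iptables -t mangle -N l7mark
    l7_run iptables -t mangle -A POSTROUTING -j l7mark
    for proto in $L7_PROTOS; do
        l7_run iptables -t mangle -A l7mark -m layer7 --l7proto "$proto" \
            -j MARK --set-mark "$L7_MARK"
    done
}

# Steer packets carrying the fwmark into HTB class 1:<mark> (the tc filter
# from the HOWTO).
l7_tc_filter() {
    l7_run tc filter add dev "$L7_DEV" protocol ip parent 1:0 prio 1 \
        handle "$L7_MARK" fw flowid "1:$L7_MARK"
}

# Undo both halves; suitable for Shorewall's tcclear extension script.
l7_clear() {
    l7_run tc filter del dev "$L7_DEV" protocol ip parent 1:0 prio 1 \
        handle "$L7_MARK" fw
    l7_run iptables -t mangle -D POSTROUTING -j l7mark
    l7_run iptables -t mangle -F l7mark
    l7_run iptables -t mangle -X l7mark
}

# Entry point: call l7_apply at the end of tcstart, l7_clear from tcclear.
l7_apply() {
    l7_mark_rules
    l7_tc_filter
}
```

Running `L7_DRY_RUN=1 L7_PROTOS="imap pop3" sh -c '. ./tcstart; l7_apply'` prints the rules instead of installing them, which is a cheap way to check the mark and class numbers line up with your tcclasses before a restart.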

----------

## thepustule

I'd be worried about how much this might slow your network throughput or raise CPU during high traffic.

----------

## -Craig-

I'd have a try at least...

----------

## assaf

I used the l7-filter package a while back to do some traffic shaping. It worked okay I guess, until a kernel upgrade broke it. Also in the meantime a newer shorewall version was released that has internal traffic shaping and allows you to write rules for user/group. So I started using that instead (I run file sharing progs under p2p user, so I use that for shaping).

----------

## Pette

*assaf wrote:*

> I used the l7-filter package a while back to do some traffic shaping. It worked okay I guess, until a kernel upgrade broke it.

Did you use shorewall with the l7-filters? If so, can you tell me how?

----------

## assaf

*Pette wrote:*

> *assaf wrote:*
>
> > I used the l7-filter package a while back to do some traffic shaping. It worked okay I guess, until a kernel upgrade broke it.
>
> Did you use shorewall with the l7-filters? If so, can you tell me how?

Well, not directly. I had a custom script run from shorewall as tcstart. Basically copied it from some iptables how-to.

----------

## Pette

*assaf wrote:*

> Well, not directly. I had a custom script run from shorewall as tcstart. Basically copied it from some iptables how-to.

Hm, so it seems like it's not possible to include l7-filters in shorewall directly at the moment, right? Or does anybody else have an idea how to accomplish this?

----------

