Layer7 on newer 2.0 snapshots

January 7, 2009

Hi all!

Sorry for the lack of news lately, but the holidays got in the middle. First of all, I want to wish all our visitors a stupendous 2009!

Now, regarding pfSense and Layer7, I’m glad to announce that the code is already in the newer 2.0 snapshots. You can find the interface for layer7 rules generation in Firewall->Traffic Shaper. Documentation on how to operate with the layer7 is currently being constructed, and I hope to have it posted soon on the pfSense devWiki.

There are possibly some problems with divert implementation+ipfw-classifyd, so I can not guarantee that it’s going to work right now. But at least, you can have already a look at the work that has been done.

A quick tutorial on how to construct a layer7 container and have it applied to a rule:
(1) Go to Firewall->Traffic Shaper->Layer7
(2) Create a new rule, assigining it a name, setting it to active and defining what to do with the protocols. For example, there are 3 kinds of structures, but Limiter and Queue will only appear if you have already defined any limiter or queue in the other tabs, next to the layer7 one.
(3) After you create the rule, assign it to a pf rule in Firewall->Rules. Create a new LAN rule and assign the Layer7 Container you created previously (it’s almost in the end of the page).
(4) Report back your problems.

I encourage to report your problems and/or sugestions in the pfSense official forum, and I’ll be very thankfull for the help you all can give in testing this implementation!

P.S: We are working on getting the current shaper wizards to also produce layer7 rules. Stays tunned for more info on this.


Layer7 interface finished

December 18, 2008

Well, the work still in progress. Since the last time, we have more development done.

The Layer7 shaper interface is finished. No significant differences were done to the interface since the last post. Now, we can create rules by simple select the protocol, structure and element. The protocol field contains a list of protocols that is builted dynamically from protocols patterns that come default in the pfSense instalation; the structure field allows the user to choose what type of structure will be applied: “action”, “queue” or “limiter”; the behaviour field is dynamically filled accordingly to the structure that was chosen. If the selected structure was “action”, the possible behaviours are only two, “allow” or “block”; if it was “queue”, the possible behaviours are all the altq queues already defined; if it was “limiter”, the possible behaviours are all the dummynet pipes and queues already defined too.

Some errors situations are controlled, such as the case of creating a rule with the same protocol chose more than once.

A new feature that we introduced was the possibility to add new protocol patterns.

Add Pattern functionality

Add Pattern functionality

 There are some patterns that come with a default pfSense installation, but we have the possibility to add more from the interface. It’s a simple gui interface, that uploads a protocol pattern file to the right location, but very useful if we want to upgrade our system with non default layer7 patterns. 🙂

Another option that we introduced was the capability to specify a layer7 rules container when editing the LAN firewall rules. Now, we can also specify to the filter if we want to apply the layer7 rules that we created.

Layer7 Dropbox in Firewall Rules Edit

Layer7 Dropbox in Firewall Rules Edit

Also some error situations are controlled such as the possibility to apply a layer7 rule only to TCP, UDP or TCP/UDP protocols.

The next step is creating a wizard to facilitate the configurations. Some ideas are thought but we still brainstorming. 🙂

The layer7 interface

November 27, 2008

Just a little snapshot of the layer7 tab to tease you 😉


Layer7 Tab in pfSense Shaper

Layer7 Tab in pfSense Shaper

Development is advancing. We are still having some problems with the protocol definition but we hope to sort them out soon.

This is just a place to create what we call layer7 containers. Each container can have multiple protocols with diferent definitions. After you create a container you will be able to assign it to a firewall rule! At least this is the idea. More to come soon 🙂

Implementation so far…

November 20, 2008

We are still doing some tests with ipfw-classifyd and pf. This is not an easy task as we’ve been finding some dificulties along the way.

In the mean time, we are also already working on the code base to integrate the layer 7 capabilities in pfSense. For now, I would say that the core code base is in pretty advanced form already, at least the part responsible for the creation of ipfw-classifyd configuration files. Essentially, this part of the code is responsible for storing what we call “layer 7 rules containers” in the $config array and ultimately generating the ipfw-classifyd config file for each of the “layer 7 rules container”. A rules container works like an alias and, for example, it can take the following shape:

http = action pass
bittorrent = action block
pop3 = dnpipe 1
sip = queue voIP

But as stuff in the ipfw-classifyd is still being tested we are not sure if this is going to be the final version of things. A “layer 7 rules container” also has a divert port automatically assigned to it in the 40000-60000 range. The idea is that someone might assign this container to a rule in the “Firewall -> Rules” section, like you assign, for example, a queue. How is this going to be exposed to the user has not yet been completely decided, but we are working on it.

The graphical interface for the creation of these so called “layer 7 rules container” is already being built. It’s taking us sometime since our html and javascript coding capabilities are a little rusty, but we are already improving our skills 🙂 This is being made in a way such that it will integrate seamlessly with the other shaper tabs.

As said before, we are still deciding on how to integrate thing on firewall_rules_edit.php and However this does not seem to be difficult once we decide the road to take and how to expose this new option.

We expect to post more on the ipfw-classifyd tests we are doing as soon as we finish them.