On Fri, May 09, 2008 at 12:23:47PM +0530, Srikant Tangirala wrote:

quoted text
> Thanks for such a prompt reply.

>

> I will not use Linux even if you pay me. It has been OpenBSD

> for me for past three years and it will remain so as long as

> OpenBSD remains what it stands for.

> 

heh, i like your answer ;)
> That aside, see, I have used this tool called ourmon successfully

quoted text
> on OpenBSD to detect P2P traffic and block the users in

> conjunction with authpf and pf. The tool can do other detections

> as well. It matches packets/traffic-patterns with those observed

> by network admins as being related to a specific type of application

> protocol. Payload is not inspected, although a grep may be

> happening. It works by passively monitoring the packets flowing

> by, no kernel stuff involved.

> 

we're working on interfaces to speed up the application layer

relaying, the current way requires to rdr the traffic into userspace,

do a nat lookup on the pf socket, and forward the traffic to the

target with a second inspection. this can be done fast, but there is

some overhead. this may improve in the future when we have the ability

to migrate the relayed connections to forwarding in the kernel after

looking into the l7 header.
> Just want to know if anyone has come up with a good solution to

quoted text
> this problem. If there is none yet, fine, we continue with what we

> have or even partial solutions will help a bit.

> 

p2p detection is a very difficult but interesting area. but you can

also mitigate the use with other tricks, like delays, special kinds of

traffic shaping, etc.
> Thanks for your time.

quoted text
>

> Srikant Tangirala.

>

> On Fri, May 9, 2008 at 11:55 AM, Reyk Floeter  wrote:

>

> > On Fri, May 09, 2008 at 10:40:18AM +0530, Srikant Tangirala wrote:

> > > for all the common protocols? With my little bit

> > > of knowledge what I figure is that we need some

> > > piece of software(s) which understands each protocol

> > > thoroughly, can look at raw packets in real-time

> > > and detect the protocol being used. Even then,

> >

> > ah, i'm just looking at your mail again - you a are kidding, there is

> > no way to do content inspection in "real-time". go and use linux where

> > you can use stupid and dangerous stuff in the kernel. this is not what

> > openbsd is about.

> >

> > reyk