It is a user-space deep packet inspection tool capable of detecting and blocking of 227 application protocols.
So far there is a lack of open-source DPI tools that allow users to block packets coming from specific application. L7filter is outdated, openappid is slow and works only with Snort, so I created this one.
NdpiNfqFirewall was created specificaly for a custom Linux-based OS with a patched core, therefore currently there are limitations when running on distributions with standard Linux core. Read Limitations for details.
This program is a PoC, so don't expect too much.
- Processing packets from multiple queues (one queue per thread)
- Detection of 227 supported protocols (full list can be found on nDPI web page).
- Labeling connections for which the protocol detection has ended in Linux's connection tracking subsystem.
- Periodic memory cleanup based on time flows have been idle.
- Fully configurable parameters from the command line.
- Printing packet header information and protocol to screen.
- nDPI 2.0 (make sure it's 2.0, NdpiNfqFirewall is incompatible with later versions of nDPI)
- libnetfilter_queue
- libnetfilter_conntrack
- install libnetfilter_queue and libnetfilter_conntrack (for Ubuntu should be possible with
apt-get install) git clone https://github.com/robingoth/nfq_ndpi_firewall.gitcd nfq_ndpi_firewall/lib- download and compile nDPI like described here
cd /path-to-ndpi-nfq-firewall/src/mkdir objmake
You can start with running ./NdpiNfqueueFirewall --help.
Normally you should start with copying connlabel.conf file from this repository into /etc/xtables/.
Then there are two options you have: single-queue and multi-queue.
- Run
./NdpiNfqueueFirewall - In another terminal run
iptables -I FORWARD -m connlabel ! --label NDPI_DETECTION_OVER -j NFQUEUE --queue-num 10. I'm not going to explain how NFQ and CONNTRACK work, but the above command means "enqueue all packets from FORWARD chain that don't have NDPI_DETECTION_OVER label on a connection that they belong to".
- Run
./NdpiNfqueueFirewall -n 4 - In another terminal run
iptables -I FORWARD -m connlabel ! --label NDPI_DETECTION_OVER -j NFQUEUE --queue-balance 10:13
After you have launched the program NdpiNfqFirewall will start labeling connections in connection tracking subsystem of Linux.
For example, you can run iptables -I FORWARD -m connlabel --label FACEBOOK -j DROP in case you want to drop packets coming from facebook web site. You can substitute "FACEBOOK" with any other protocol from your connlabel.conf file.
You can also read a chapter of my thesis for more details.
CONNTRACK supports only 128 unique labels, so for now NdpiNfqFirewall can label only 128 first protocols from nDPI source files.
If you want to increase this number you have to patch your Linux core by changing XT CONNLABEL MAXBIT value in include/uapi/linux/netfilter/xt_connlabel.h file to a higher one.
- Automated tests.
- Recover NFQ socket connection in case it fails.
- Bind to custom queues. Now queues start from 10 and end with 10+n-1 where n is number of queues
- Possibility to choose a subset of protocols to be labeled. Instead of 128 first protocols from ndpi sources user should be able to choose any 128 protocols form the list.
Did you like it? Drop me an email (vlad.cherednychenko@gmail.com) if you started using it, have any questions or it inspired you to write a tool of your own.