Filter Networking by Operating System

2009-05-13 08:12:39 Source: unknown



Network Filtering by Operating System

by Avleen Vig
02/16/2006
You manage a heterogeneous network and want
to provide different Quality of Service agreements and network restrictions
based on the client operating system. With pf and altq, you can now limit the
amount of bandwidth available to users of different operating systems, or force
outbound web traffic through a transparent filtering proxy. This article
describes how to install pf, altq, and Squid on your FreeBSD router and web
proxy to achieve these goals.
Mission Objective
In an ideal environment, there would be no
need for bandwidth shaping, OS fingerprint-based filtering, or even Quality of
Service (QoS). Several factors in the real world require a change of game plan.
Bandwidth is not free, and many ISPs charge customers based on bandwidth usage.
Worms, viruses, and compromised systems can all lead to higher bandwidth costs. In the wake of
the W32.Slammer worm, which saturated the connections of infected networks, many companies saw
their monthly connectivity bills skyrocket due to the worm's traffic.
Filtering your connections based on
operating system can go partway to helping keep such situations from running
away. While I will focus on filtering traffic from Windows systems, this
process can equally apply to BSD, Linux, Mac OS, or a host of other operating systems
listed in the pf.os file on your system. This may be especially useful to people running older
versions of OSes that have not or cannot be patched but still require some
network connectivity.
As an extension of transparent filtering,
content filtering is also possible, with tools such as squidGuard allowing
children and corporate desktops alike to browse in relative safety.
Tools of the Trade

During my research for this article,
several people asked me why I chose to use BSD, pf, altq, and Squid for this
task. Other tools come close to providing the required functionality, but none
offers to fill the requirements as readily as these. Linux and iptables can
work with Squid to provide a transparent proxy but cannot filter connections by
operating system. Though other proxy servers exist, Squid is one of the best
available today.
It is important to note that OS
fingerprinting works only on TCP SYN packets, which initiate TCP sessions, and
not on currently established connections or UDP sessions. While this will not
be a problem for most systems and network administrators, you may want to pay
more attention to your UDP filtering rules.
Installing pf and altq

pf and altq provide packet filtering and
bandwidth shaping, respectively. Their relationship is not unlike that between IPFIREWALL
and DUMMYNET, where the same rules file configures both pf and altq.
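The following pf.conf is an added example, not taken from the article or from the pf or Squid projects. It puts together the pieces the introduction, the SYN-only caveat and the paragraph above describe: altq queues defined in the same rules file as the filter, a queue that caps the share of the uplink available to hosts fingerprinted as Windows, an rdr rule that sends their port-80 connections to a Squid instance on the router, and filter rules that match on the SYN so the "os" test can be evaluated. The interface names em0 and em1, the 10Mb link, the queue names, the Squid port 3128 and the use of "os" inside an rdr rule (which the pf.conf(5) grammar of that era allows in its host specification) are all assumptions of this example.

```pf
# Added example (not from the article): pf.conf on a FreeBSD router that
# shapes and redirects traffic according to the client OS fingerprint.
# Interface names, link speed, queue names and the Squid port are assumptions.
ext_if = "em0"          # uplink (assumed)
int_if = "em1"          # LAN side (assumed)
squid_port = "3128"     # Squid listening in transparent mode (assumed)

# altq and pf share this one file. Both queues sit on the uplink; a packet
# takes the queue recorded on its state, so rules on $int_if below can
# select a queue that is applied when the packet leaves on $ext_if.
altq on $ext_if cbq bandwidth 10Mb queue { q_default, q_windows }
queue q_default bandwidth 80% cbq(default)
queue q_windows bandwidth 20%

# Transparent proxy: port-80 SYNs whose fingerprint matches the "Windows"
# class in pf.os are rewritten to Squid on the router instead of going out.
rdr on $int_if inet proto tcp from any os "Windows" to any port 80 \
    -> 127.0.0.1 port $squid_port

# Default deny on the LAN side; everything allowed below creates state.
block in on $int_if

# "os" is only meaningful on the SYN that opens a TCP session, so these
# rules restrict themselves to SYN packets (flags S/SA) and keep state;
# the rest of the session is matched by the state, not re-fingerprinted.
pass in quick on $int_if inet proto tcp from any os "Windows" to any \
    flags S/SA keep state queue q_windows
pass in on $int_if inet proto tcp from any to any flags S/SA keep state

# UDP has no SYN and therefore no fingerprint: an "os" clause cannot select
# it. Scope UDP rules by source network and destination port instead.
pass in on $int_if inet proto udp from $int_if:network to any port 53 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a missing default queue or an `os` class name that does not appear in pf.os is reported at parse time. Because the fingerprint is taken only from the SYN, a connection that was already established when the rules were loaded, or any UDP flow, falls through to the rules without an "os" clause, which is the behaviour the caveat above warns about.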
