Resolved
2 votes
Two New ClearOS Apps Now in Beta!
Two new apps are now available for testing: the Protocol Filter and the Application Filter. These free apps let you block unwanted traffic on your network, for example:

- With the Protocol Filter, you can block BitTorrent, VPNs and other network protocols.
- With the Application Filter, you can block Facebook, Netflix, Snapchat and other apps / web sites.

Installing the Apps
For this first beta, the apps can only be installed via the command line:

yum install app-protocol-filter app-application-filter

Once installed, you can configure the apps by navigating under Gateway -> Filtering in the ClearOS menu system. From there, it's a matter of selecting which applications and protocols you want to block from end users. Both apps also have a white list feature in case you want to exempt certain IPs from the filtering. Here are the links to the User Guide:

- Protocol Filter
- Application Filter

Feedback
Please provide any feedback that you have in the forums. Here are some of the things you should know:

- Protocol detection is still a moving target, so any feedback is appreciated!
- Tor (protocol) detection produces too many false positives. It will be removed... maybe.
- The list of applications is set, you cannot add your own at the moment.

Under the Hood
If you are a command line guy, you will notice references to Netify. This is the underlying engine that detects applications and protocols on the network. Netify will be a ClearOS app released later this year and it will be an app to help administrators monitor and manage their local networks. Netify will provide not only protocol and application filtering, but also detailed network analysis performed in the cloud:

- Bandwidth Usage by Device
- Malware Detection
- Device Discovery
- DNS Reporting
- Connection Tracking

You should also know that the underlying Netify engine has integrated the open source nDPI Deep Packet Inspection library from ntop. You can thank the ntop team for being excellent open source stewards!

Who Published the Apps?
You may also notice that the two ClearOS apps were developed by eGloo. For those of you who have been around the ClearOS Community awhile, you will recognize a few names involved with eGloo - some of the core ClearOS developers! eGloo will be doing independent skunkworks projects for ClearOS from time to time.

-Edited by NickH 29/11/2016 to fix links
Thursday, June 16 2016, 06:31 PM
Responses (22)
  • Accepted Answer

    Thursday, September 22 2016, 01:35 PM - #Permalink
    Resolved
    1 votes
    walter ferry dissmann wrote:

    I have an issue with my ClearOS Community.

    Both application and protocol are always on Status: Stopped.

    Tried to restart server, uninstall and install again... nothing works! :(

    Where can I see logs or see what is causing the problem?

    Thanks! :)


    The systemd log should have more information: systemctl status netify-fwa -l
  • Accepted Answer

    Thursday, September 22 2016, 04:14 PM - #Permalink
    Resolved
    1 votes
    I'm not familiar with this app but it looks like there is something wrong with the "state.dat" file


    Sep 22 10:35:24 fwcs.online.linux netify-fwa[8343]: Exception: netify-fwa.php:285: Unable to decode state file: /var/lib/netify-fwa/state.dat
  • Accepted Answer

    Friday, June 17 2016, 07:06 AM - #Permalink
    Resolved
    0 votes
    Hi Peter

    Are these for COS7 only?
  • Accepted Answer

    Friday, June 17 2016, 01:25 PM - #Permalink
    Resolved
    0 votes
    Yes, only ClearOS 7 at the moment. We should be able to backport the apps to ClearOS 6 though... good idea.
  • Accepted Answer

    Saturday, June 18 2016, 07:16 AM - #Permalink
    Resolved
    0 votes
    Some feedback

    I set up the protocol filter to block OpenVPN and Tor. I was able to use both on the network.

    Both OpenVPN and Tor connected without any problem.

    Do these apps produce any logs?
  • Accepted Answer

    Monday, June 20 2016, 05:08 PM - #Permalink
    Resolved
    0 votes
    Duncan Colhoun wrote:

    Some feedback

    I set up the protocol filter to block OpenVPN and Tor. I was able to use both on the network.

    Both OpenVPN and Tor connected without any problem.

    Do these apps produce any logs?


    Tor detection is dodgy. As noted in the announcement, it will likely be removed. As for OpenVPN, I'll try to duplicate the issue! I'll also ask about providing more logging.
  • Accepted Answer

    Monday, June 20 2016, 05:13 PM - #Permalink
    Resolved
    0 votes
    I just added a feature request for more logging - https://github.com/eglooca/app-netify-fwa/issues/2
  • Accepted Answer

    Tuesday, June 21 2016, 01:01 AM - #Permalink
    Resolved
    0 votes
    So I just tried OpenVPN. It works as expected on the default ports (both UDP and TCP 1194), but detection did not work on alternate ports. I'll ping the expert on the topic.

    Tip: if you are a command line person, you can see the live blocked protocol entries by running:


    # inbound
    watch iptables -t mangle -L NETIFY_FWA_PROTOCOL_INGRESS -n -v
    # outbound
    watch iptables -t mangle -L NETIFY_FWA_PROTOCOL_EGRESS -n -v


    It's the same for the blocked applications, but replace PROTOCOL with SERVICE:


    # inbound
    watch iptables -t mangle -L NETIFY_FWA_SERVICE_INGRESS -n -v
    # outbound
    watch iptables -t mangle -L NETIFY_FWA_SERVICE_EGRESS -n -v
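A non-interactive version of the counter check from the tip above, added here as an example and not part of the original post or the Netify code: it reads exact packet counters (`-x`) from the four chains named in the post, so the result can be logged or compared over time. The function names and the sample iptables output are constructed for illustration.

```shell
#!/bin/sh
# Added example: one-shot packet totals for the Netify FWA chains named above.

# Sum the pkts column of `iptables -L <chain> -n -v -x` output read on stdin.
# -x prints exact counters, so there are no K/M suffixes to parse.
sum_chain_packets() {
    awk 'NR > 2 && $1 ~ /^[0-9]+$/ { total += $1 } END { print total + 0 }'
}

# Print "<chain> <packets>" for each of the four chains (needs root).
report_netify_chains() {
    for kind in PROTOCOL SERVICE; do
        for dir in INGRESS EGRESS; do
            chain="NETIFY_FWA_${kind}_${dir}"
            if out=$(iptables -t mangle -L "$chain" -n -v -x 2>/dev/null); then
                printf '%s %s\n' "$chain" \
                    "$(printf '%s\n' "$out" | sum_chain_packets)"
            else
                printf '%s missing\n' "$chain"
            fi
        done
    done
}

# Constructed sample output; the rule targets are placeholders, not captured
# from a ClearOS system.
sample_chain_output() {
cat <<'EOF'
Chain NETIFY_FWA_PROTOCOL_EGRESS (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12      720 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0
       3      180 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Run as: sh netify-counters.sh report
if [ "${1:-}" = "report" ]; then
    report_netify_chains
fi
```

A chain reported as `missing` means the rules were never installed, which is what a stopped netify-fwa service would look like from the firewall side.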
  • Accepted Answer

    Tuesday, June 21 2016, 04:20 AM - #Permalink
    Resolved
    0 votes
    Hi Peter

    Thanks for the follow up. I should have said I was running OpenVPN on a non-default port, as I can block the default port with the firewall.
  • Accepted Answer

    Monday, June 27 2016, 06:46 PM - #Permalink
    Resolved
    0 votes
    Hi Duncan,

    Duncan Colhoun wrote:

    Thanks for the follow up. I should have said I was running OpenVPN on a non-default port, as I can block the default port with the firewall.


    It looks like a good chunk of the protocol analysis is done across all ports - in fact that's one of the key messages in the deep packet inspection library used by the ClearOS apps. However, there are some protocols - like OpenVPN - that are locked into particular ports in order to avoid over-matching (aka false positives).

    We have started creating a database of information for all the 160+ protocols, and we hope to make note of any protocols that are locked into particular ports.
  • Accepted Answer

    Tuesday, July 19 2016, 11:42 AM - #Permalink
    Resolved
    0 votes
    Hi Peter

    Any movement on this?
  • Accepted Answer

    Wednesday, July 20 2016, 07:28 PM - #Permalink
    Resolved
    0 votes
    Duncan Colhoun wrote:

    Any movement on this?


    So far, the feedback has been very good with not too many reported cases of false positives. The Tor protocol detection did bite us in a recent support incident - it was mistakenly blocking a web site. In the next update, we'll be ripping out the Tor detection ... it's not ready for primetime.

    On the documentation side of things, we're chipping away at the protocol information database -- it's a tedious and somewhat slow process.

    On the technical side of the equation, we're in the process of adding:
    - A command line tool for status information
    - Support for adding applications via configuration file
  • Accepted Answer

    Wednesday, September 21 2016, 07:32 PM - #Permalink
    Resolved
    0 votes
    I have an issue with my ClearOS Community.

    Both application and protocol are always on Status: Stopped.

    Tried to restart server, uninstall and install again... nothing works! :(

    Where can I see logs or see what is causing the problem?

    Thanks! :)
  • Accepted Answer

    Thursday, September 22 2016, 02:37 PM - #Permalink
    Resolved
    0 votes
    Peter Baldwin wrote:

    walter ferry dissmann wrote:

    I have an issue with my ClearOS Community.

    Both application and protocol are always on Status: Stopped.

    Tried to restart server, uninstall and install again... nothing works! :(

    Where can I see logs or see what is causing the problem?

    Thanks! :)


    The systemd log should have more information: systemctl status netify-fwa -l


    Here it is:
    ● netify-fwa.service - Netify FWA Daemon
    Loaded: loaded (/usr/lib/systemd/system/netify-fwa.service; enabled; vendor preset: disabled)
    Active: failed (Result: resources) since Thu 2016-09-22 10:35:24 BRT; 58min ago
    Process: 8341 ExecStart=/usr/sbin/netify-fwa (code=exited, status=0/SUCCESS)
    Main PID: 5865 (code=exited, status=1/FAILURE)

    Sep 22 10:35:23 fwcs.online.linux systemd[1]: Starting Netify FWA Daemon...
    Sep 22 10:35:24 fwcs.online.linux php[8341]: Netify Firewall Agent v1.0 starting ...
    Sep 22 10:35:24 fwcs.online.linux netify-fwa[8341]:
    Sep 22 10:35:24 fwcs.online.linux netify-fwa[8343]: Exception: netify-fwa.php:285: Unable to decode state file: /var/lib/netify-fwa/state.dat
    Sep 22 10:35:24 fwcs.online.linux netify-fwa[8343]:
    Sep 22 10:35:24 fwcs.online.linux systemd[1]: PID 8343 read from file /var/run/netify-fwa/netify-fwa.pid does not exist or is a zombie.
    Sep 22 10:35:24 fwcs.online.linux systemd[1]: Failed to start Netify FWA Daemon.
    Sep 22 10:35:24 fwcs.online.linux systemd[1]: Unit netify-fwa.service entered failed state.
    Sep 22 10:35:24 fwcs.online.linux systemd[1]: netify-fwa.service failed.


    What's weird is that I see netifyd running in the process viewer.

    Thanks for the reply man! :)
  • Accepted Answer

    Saturday, September 24 2016, 08:35 PM - #Permalink
    Resolved
    0 votes
    Marcel van Leeuwen wrote:

    I'm not familiar with this app but it looks like there is something wrong with the "state.dat" file


    Sep 22 10:35:24 fwcs.online.linux netify-fwa[8343]: Exception: netify-fwa.php:285: Unable to decode state file: /var/lib/netify-fwa/state.dat


    Yup, just like that. I copied another state.dat from another firewall I have in my network... and it just works :)

    For those who might have this problem with that system msg, just copy this:

    a:0:{}


    into your state.dat and be happy again! :)
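The recovery described in the post above, as an added example that is not from the thread or the netify-fwa project: `a:0:{}` is PHP's serialized form of an empty array, so the script checks only that the file has that serialized-array shape, keeps a copy of the bad file for later analysis, and writes the empty state. The function names, the `.bad.<timestamp>` backup suffix and the shape check itself are assumptions.

```shell
#!/bin/sh
# Added example: back up and reset a netify-fwa state file that fails to decode.

STATE_FILE="${STATE_FILE:-/var/lib/netify-fwa/state.dat}"
EMPTY_STATE='a:0:{}'   # PHP serialize() of an empty array, as posted above

# Heuristic: a usable state file is non-empty and looks like one PHP
# serialized array, "a:<count>:{...}". A shape check, not a full decode.
state_looks_valid() {
    [ -s "$1" ] || return 1
    tr -d '\n' < "$1" | grep -Eq '^a:[0-9]+:\{.*\}$'
}

# Keep the broken file as evidence, then write the empty-array state.
# Truncating in place preserves the file's existing owner and mode.
reset_state() {
    file=$1
    if [ -e "$file" ]; then
        cp -p "$file" "$file.bad.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    printf '%s' "$EMPTY_STATE" > "$file"
}

# Returns 0 if the file was fine, 10 if it was reset, 1 on error.
repair_state() {
    if state_looks_valid "$1"; then
        return 0
    fi
    reset_state "$1" || return 1
    return 10
}

# Run as root: sh netify-state.sh repair
if [ "${1:-}" = "repair" ]; then
    repair_state "$STATE_FILE"
    rc=$?
    if [ "$rc" -eq 10 ]; then
        echo "state file reset; restarting netify-fwa"
        systemctl restart netify-fwa
    fi
fi
```

Resetting the file discards whatever state the agent had saved, so the retained `.bad` copy is what to attach to a bug report.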
  • Accepted Answer

    Tuesday, September 27 2016, 04:22 PM - #Permalink
    Resolved
    0 votes
    Thanks for the detective work! I have added the issue to the Github tracker: https://github.com/eglooca/netify-fwa/issues/1
  • Accepted Answer

    alahwany
    Monday, November 28 2016, 05:35 PM - #Permalink
    Resolved
    0 votes
    Can you please tell me how to uninstall it if I find some problem after installing it?
  • Accepted Answer

    alahwany
    Monday, November 28 2016, 06:19 PM - #Permalink
    Resolved
    0 votes
    Hello Peter, can you please tell me whether this version is only for ClearOS 7 or can it work on 6?

    Also, I need to know how to uninstall it because you described the installation only.

    Thank you
  • Accepted Answer

    Monday, November 28 2016, 07:01 PM - #Permalink
    Resolved
    0 votes
    @Peter,
    Links to the User Guides are broken.
    Nick
  • Accepted Answer

    Tokolosh
    Monday, November 28 2016, 09:55 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    @Peter,
    Links to the User Guides are broken.
    Nick


    The Correct Links are:

    - Protocol Filter
    - Application Filter
  • Accepted Answer

    Tuesday, November 29 2016, 12:31 PM - #Permalink
    Resolved
    0 votes
    @Tokolosh
    Thanks. I've fixed the links in the first post.
  • Accepted Answer

    Thursday, December 01 2016, 03:52 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    @Tokolosh
    Thanks. I've fixed the links in the first post.


    Thanks for fixing the broken documentation links... I was mostly unavailable for the last few weeks!

    I also just noticed that the docs suggested having the clearos-contribs-testing repository enabled. That was bad advice and probably resulted in having a broken app. The current netifyd RPM in clearos-contribs-testing treats applications a bit differently so it's incompatible with the existing Application Filter app. In the old ClearOS 6 days, enabling the "X-testing" repositories was relatively safe but we can't really suggest that anymore with ClearOS 7. The X-testing repositories in ClearOS 7 are unstable and - despite the misleading name - should be considered developer repositories, not testing repositories. Why? All RPMs coming out of the build system now land in the X-testing repos before developers have even had a chance to sanity check the result! Yes, we're more careful with what goes out to the build system, but RPMs in X-testing have not been QAed properly.