Deep Packet Inspection Using Layer 7 Traffic Shaping


The Layer 7 tab in the Traffic Shaper in pfSense 2.1.

For quite a while, traffic shaping has been considered an integral part of any good firewall. Shaping requires some means of classifying traffic so that it can then be policed. The traditional method of traffic shaping classifies traffic on network- and transport-layer fields rather than by deep packet inspection, usually relying on one or more of the following elements:

  • Service class marks
  • Source and/or destination IP addresses
  • Ports

However, these methods are not always effective at classifying traffic. This is especially the case with P2P traffic, which often uses random, non-default ports. An HTTP server that uses port hopping and encrypted traffic may likewise defeat layer 3 (network) and layer 4 (transport) classification.


Enter Layer 7 Deep Packet Inspection

One possible solution to the shortcomings of network- and transport-layer classification is layer 7 (L7) classification, which relies on deep packet inspection. In L7 classification, user traffic is identified by an application pattern: a sort of signature that an application produces during its communications. Every application either uses its own specific pattern or shares a pattern with other applications.


Configuring P2P options in the wizard.

IPCop is a good example of a firewall that uses L7 deep packet inspection and classification. IPCop is a Linux-based firewall that was originally a fork of the SmoothWall firewall. Although not an official part of IPCop, an advanced QoS (Quality of Service) add-on is available. But while IPCop can support classification by application protocol, it does not allow the definition of shaping policies. Rather, it can only block such traffic, which greatly limits the usefulness of this feature.

pfSense, however, has fully incorporated L7 deep packet inspection and classification into its traffic shaper. Traffic shaping is achieved in pfSense through AltQ, which makes available Class Based Queueing (CBQ), Priority Queueing (PRIQ) and Hierarchical Fair Service Curve (HFSC). All of these can be configured automatically through the use of a wizard. Beginning with pfSense 2.0, an additional shaping mechanism called Dummynet became available. Dummynet was originally designed for the ipfw firewall, and has a related application called ipfw-classifyd. This application is able to produce blocking rules for incoming traffic or perform traffic shaping by assigning IP packets to an AltQ queue or a Dummynet pipe or queue. It was modified to work with the pf firewall and is the component responsible for L7 classification. It also allows different types of operations to be applied to an identified application protocol, usually either blocking it or assigning it to a limiter or queue.

In order to invoke ipfw-classifyd, pf uses divert sockets. Essentially, pf interrupts the normal flow of packets and sends them to a listening socket (ipfw-classifyd). Overhead is kept to a minimum by teaching pf about the actions to be taken ahead of time and by limiting the number of packets that are diverted from the kernel to the application. All of this is controlled via a graphical interface, in which the user must specify at least one protocol (but may specify more than one). The user can create L7 rules groups containing one or more L7 rules, and can assign any one of the created rules groups to a firewall rule.
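To make the classification and divert mechanism concrete, here is an added Python sketch that is not pfSense's or ipfw-classifyd's code. It keeps a per-flow state table, inspects only the first few payload-bearing packets of each flow against simplified application patterns, caches the verdict so that later packets of the flow are not diverted again, and maps a matched protocol to the queue or action a rules group would specify. The patterns, the queue names (qP2P, qOthersHigh), the flow tuples and the packet limit are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Simplified application patterns matched against the start of a flow's
# payload. Constructed for this example; the real l7-filter patterns that
# ipfw-classifyd loads are longer and more precise.
PATTERNS = {
    "bittorrent": re.compile(rb"^\x13bittorrent protocol", re.IGNORECASE),
    "http": re.compile(rb"^(get|post|head) [^ ]+ http/1\.[01]\r\n", re.IGNORECASE),
    "ssh": re.compile(rb"^ssh-[12]\.[0-9]+-", re.IGNORECASE),
}

# A layer 7 rules group: protocol -> (structure, behaviour), mirroring the
# "Structure" and "Behaviour" dropdowns. Queue names are assumed.
L7_RULES = {
    "bittorrent": ("queue", "qP2P"),
    "http": ("queue", "qOthersHigh"),
}

MAX_DIVERTED_PACKETS = 4   # stop diverting a flow after this many payload packets
MAX_INSPECT_BYTES = 2048   # only the start of the stream is inspected

FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class FlowState:
    buffer: bytes = b""
    diverted: int = 0
    verdict: Optional[str] = None   # None while the flow is still unclassified


def verdict_for(proto: str) -> str:
    """Translate a rules-group entry into the action pf would apply."""
    structure, behaviour = L7_RULES.get(proto, ("action", "pass"))
    if structure == "queue":
        return f"queue:{behaviour}"
    return "block" if behaviour == "block" else "pass"


class Classifier:
    """Stand-in for ipfw-classifyd listening on a divert socket."""

    def __init__(self) -> None:
        self.flows: Dict[FiveTuple, FlowState] = {}
        self.diverted_total = 0   # packets that had to leave the kernel

    def handle_packet(self, flow: FiveTuple, payload: bytes) -> str:
        st = self.flows.setdefault(flow, FlowState())
        if st.verdict is not None:
            # Decision already taught to pf: applied without another divert.
            return st.verdict
        if not payload:
            return "pass"   # handshake segments carry nothing to inspect
        st.diverted += 1
        self.diverted_total += 1
        st.buffer = (st.buffer + payload)[:MAX_INSPECT_BYTES]
        for proto, pattern in PATTERNS.items():
            if pattern.search(st.buffer):
                st.verdict = verdict_for(proto)
                return st.verdict
        if st.diverted >= MAX_DIVERTED_PACKETS:
            # Give up: unclassified traffic falls through to the ordinary rules.
            st.verdict = "pass"
        return "pass"


def demo() -> Tuple[List[str], int]:
    """Run constructed flows through the classifier; returns verdicts and divert count."""
    c = Classifier()
    bt = ("10.0.0.5", 51413, "203.0.113.7", 6881, "tcp")
    web = ("10.0.0.5", 40000, "203.0.113.8", 80, "tcp")
    ssh = ("10.0.0.5", 40002, "203.0.113.10", 22, "tcp")
    unknown = ("10.0.0.5", 40001, "203.0.113.9", 12345, "tcp")
    out = [c.handle_packet(bt, b"")]                       # SYN: no payload
    out.append(c.handle_packet(bt, b"\x13BitTorrent protocol" + b"\x00" * 8))
    out.append(c.handle_packet(bt, b"\xaa" * 100))         # cached verdict, not diverted
    out.append(c.handle_packet(web, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"))
    out.append(c.handle_packet(ssh, b"SSH-2.0-OpenSSH_9.0\r\n"))   # identified, no rule
    for _ in range(5):                                     # never matches a pattern
        out.append(c.handle_packet(unknown, b"\x00\x01\x02"))
    return out, c.diverted_total


if __name__ == "__main__":
    print(demo())
```

The point of the per-flow cache is the cost model the text describes: the BitTorrent flow is diverted exactly once, and the unclassifiable flow is diverted only up to the packet limit before the kernel is told to stop asking.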

But with pfSense, the user does not have to explicitly create L7 rules groups. This is because the Traffic Shaper Wizard in versions 2.0 and newer invokes L7 classification in the Peer-to-Peer and Network Games sections. In both sections, the select box on the top of the page can be enabled, and the related protocols or applications can be blocked one by one. Finally, the user can extend the functionality of L7 packet inspection by uploading new application patterns to the system. This feature is important when the user wants to block an application that uses a protocol pattern that is not defined in the system. If such a pattern is uploaded to the system, it only appears in the list of protocols when a container is created or modified. It does not affect the Traffic Shaper Wizard, which remains unchanged.


Other Articles in This Series:

Traffic Shaping in pfSense: What it Does
Traffic Shaping Wizard: Introduction
Queue Configuration in pfSense 2.1
Traffic Shaping Rules in pfSense 2.1
Layer 7 Rules Groups in pfSense 2.1
Bandwidth Limiting with the pfSense Limiter

External Links:

L7 Classification and Policing in the pfSense Platform – a scholarly paper about the addition of layer 7 deep packet inspection to pfSense 2.0.

Layer 7 Rules Groups in pfSense 2.1


Adding a layer 7 rules group in pfSense 2.1.

In the previous article, I described how to create a traffic shaping rule to place BitTorrent traffic into the P2P queue. Another way of directing traffic into queues is to create a layer 7 rules group. In this article, I will describe how to do this.

Traditionally, network traffic is identified by looking at IP packet fields or at which port is being used. In the OSI network model, this method is limited to looking at layers 3 and 4. This is highly restrictive, but fortunately there is a better way. We can inspect packets at the application layer (also known as deep packet inspection), which gives us a powerful means of controlling traffic based on application patterns. Since this functionality is built into pfSense 2.0 and later, we can easily create rules for layer 7 inspection.


Creating a Layer 7 Rules Group

As an illustration, I will again turn to the example of limiting the bandwidth used by BitTorrent traffic by placing it in the P2P queue. First, navigate to Firewall -> Traffic Shaper, and click on the Layer 7 tab. Once there, click on the “plus” button to add a new Layer 7 rule. At “Enable/Disable”, check the checkbox to enable this layer 7 container. At “Name”, enter a name, and at “Description”, you can enter a description that will not be parsed. At “Rule(s)”, press the “plus” button to add one or more rules. There are three dropdown boxes: “Protocol”, “Structure”, and “Behaviour”. For “Protocol”, you can select any one of dozens of protocols; I won’t list all of them here, but some of the more significant ones are:

  • DHCP: Dynamic Host Configuration Protocol, an application level network protocol used to configure devices that are connected to a network so they can communicate on that network using the Internet Protocol (IP).
  • Finger: The Finger user information protocol, which provides basic user information on some systems.
  • HTTP: Hypertext Transfer Protocol, the main application protocol for the World Wide Web.
  • UUCP: Unix-to-Unix Copy, a suite of computer programs and protocols allowing remote execution of commands and transfer of files, email, and netnews between computers.

In our case, we’ll choose “bittorrent” as the protocol. Under “Structure”, we can choose either “action” or “queue”. “action” seems to have one option under “Behaviour”: “block”. Since we don’t want to block BitTorrent traffic, but instead want to put it in the P2P queue, we select “queue”. For “Behaviour”, we select “qP2P” (the P2P queue). We could add another rule, but instead we will press the “Save” button to save the rules group, and “Apply changes” on the next page.

This covers how to add a layer 7 rules group. You can also extend the list of protocols that a layer 7 rules group can use: when you first click on the “Layer 7” tab, there should be a hyperlink to add new layer 7 protocol patterns. Click on this link, then on the “Add layer7 pattern” page, press the “Choose” button and select a file with the file dialog box. When you are done, press the “Upload Pattern file” button to upload the file.
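Because an uploaded pattern becomes a classification rule for all traffic, it is worth checking a pattern file before uploading it. The following added Python example (not pfSense's own upload handler) parses the l7-filter protocol-definition layout that ipfw-classifyd loads, where lines beginning with # are comments, the first non-comment line is the protocol name and the next is the regular expression, and rejects files that would misbehave: a missing line, a name outside a simple character set (a naming policy assumed for this example), a pattern that does not compile, or a pattern that matches empty input and would therefore classify every flow. The sample file is constructed for this article, not an official pattern.

```python
import re
from typing import Tuple

# Constructed sample in the layout of l7-filter protocol definition files
# (the format ipfw-classifyd loads). Not an official pattern; the regular
# expression is simplified for this example.
SAMPLE_PAT = """\
# examplebt.pat - constructed for this article
# Matches the start of the peer handshake only.
examplebt
^\\x13bittorrent protocol
"""


class PatternFileError(ValueError):
    """Raised when an uploaded pattern file should be rejected."""


NAME_RE = re.compile(r"[a-z0-9_-]+")   # naming policy assumed for this example


def parse_pattern_file(text: str) -> Tuple[str, "re.Pattern[bytes]"]:
    """Return (protocol name, compiled pattern) or raise PatternFileError."""
    content = [ln.strip() for ln in text.splitlines()]
    content = [ln for ln in content if ln and not ln.startswith("#")]
    if len(content) < 2:
        raise PatternFileError("need a protocol name line and a pattern line")
    name, pattern = content[0], content[1]
    if not NAME_RE.fullmatch(name):
        raise PatternFileError(f"invalid protocol name {name!r}")
    try:
        # latin-1 keeps every byte value 0-255 addressable through \xNN escapes;
        # l7-filter style patterns are matched case-insensitively.
        compiled = re.compile(pattern.encode("latin-1"), re.IGNORECASE)
    except (re.error, UnicodeEncodeError) as exc:
        raise PatternFileError(f"pattern does not compile: {exc}") from None
    if compiled.search(b""):
        # A pattern that matches nothing-at-all would match every flow.
        raise PatternFileError("pattern matches empty input; it would match all traffic")
    return name, compiled


def matches(compiled: "re.Pattern[bytes]", payload: bytes) -> bool:
    """True if the compiled pattern classifies this payload."""
    return compiled.search(payload) is not None


def check_upload(text: str) -> Tuple[bool, str]:
    """Validate a candidate upload; returns (accepted, message)."""
    try:
        name, _ = parse_pattern_file(text)
    except PatternFileError as exc:
        return False, str(exc)
    return True, f"pattern '{name}' accepted"


if __name__ == "__main__":
    proto, pat = parse_pattern_file(SAMPLE_PAT)
    print(proto, matches(pat, b"\x13BitTorrent protocol\x00"))
    print(check_upload("catchall\n.*\n"))
```

Running the checks locally before uploading catches the most common mistakes: a stray blank line before the name, a regex that only compiles under a different engine, and an over-broad expression that silently pulls unrelated traffic into the queue.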

This article should be enough to get you started with using layer 7 rules groups, but if you want a more in-depth explanation of Layer 7 traffic control and how it was implemented in pfSense, you may want to read this scholarly paper on L7 in the pfSense platform (also linked to in the external links section).


Other Articles in This Series:

Traffic Shaping in pfSense: What it Does
Traffic Shaping Wizard: Introduction
Queue Configuration in pfSense 2.1
Traffic Shaping Rules in pfSense 2.1
Bandwidth Limiting with the pfSense Limiter
Deep Packet Inspection Using Layer 7 Traffic Shaping

External Links:

L7 Classification and Policing in the pfSense Platform – a more comprehensive explanation of layer 7 rules and their integration into pfSense.

Traffic Shaping Guide at doc.pfsense.org

© 2013 David Zientara. All rights reserved.