Forums

Resolved
2 votes
Two New ClearOS Apps Now in Beta!
Two new apps are now available for testing: the Protocol Filter and the Application Filter. These free apps let you block unwanted traffic on your network, for example:

- With the Protocol Filter, you can block BitTorrent, VPNs and other network protocols.
- With the Application Filter, you can block Facebook, Netflix, Snapchat and other apps / web sites.

Installing the Apps
For this first beta, the apps can only be installed via the command line:

yum install app-protocol-filter app-application-filter

Once installed, you can configure the apps by navigating under Gateway -> Filtering in the ClearOS menu system. From there, it's a matter of selecting which applications and protocols you want to block from end users. Both apps also have a white list feature in case you want to exempt certain IPs from the filtering. Here are the links to the User Guide:

- Protocol Filter
- Application Filter

Feedback
Please provide any feedback that you have in the forums. Here are some of the things you should know:

- Protocol detection is still a moving target, so any feedback is appreciated!
- Tor (protocol) detection produces too many false positives. It will be removed... maybe.
- The list of applications is set, you cannot add your own at the moment.

Under the Hood
If you are a command line guy, you will notice references to Netify. This is the underlying engine that detects applications and protocols on the network. Netify will be a ClearOS app released later this year and it will be an app to help administrators monitor and manage their local networks. Netify will provide not only protocol and application filtering, but also detailed network analysis performed in the cloud:

- Bandwidth Usage by Device
- Malware Detection
- Device Discovery
- DNS Reporting
- Connection Tracking

You should also know that the underlying Netify engine has integrated the open source nDPI Deep Packet Inspection library from ntop. You can thank the ntop team for being excellent open source stewards!

Who Published the Apps?
You may also notice that the two ClearOS apps were developed by eGloo. For those of you who have been around the ClearOS Community awhile, you will recognize a few names involved with eGloo - some of the core ClearOS developers! eGloo will be doing independent skunkworks projects for ClearOS from time to time.

-Edited by NickH 29/11/2016 to fix links
Thursday, June 16 2016, 06:31 PM
Share this post:
Responses (22)
  • Accepted Answer

    Thursday, December 01 2016, 03:52 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    @Tokolosh
    Thanks. I've fixed the links in the first post.


    Thanks for fixing the broken documentation links... I was mostly unavailable for the last few weeks!

    I also just noticed that the docs suggested having the clearos-contribs-testing repository enabled. That was bad advice and probably resulted in having a broken app. The current netifyd RPM in clearos-contribs-testing treats applications a bit differently so it's incompatible with the existing Application Filter app. In the old ClearOS 6 days, enabling the "X-testing" repositories was relatively safe but we can't really suggest that anymore with ClearOS 7. The X-testing repositories in ClearOS 7 are unstable and - despite the misleading name - should be considered developer repositories, not testing repositories. Why? All RPMs coming out the build system now land in the X-testing repos before developers have even had a chance to sanity check the result! Yes, we're more careful with what goes out to the build system, but RPMs in X-testing have not been QAed properly.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, November 29 2016, 12:31 PM - #Permalink
    Resolved
    0 votes
    @Tokolosh
    Thanks. I've fixed the links in the first post.
    The reply is currently minimized Show
  • Accepted Answer

    Tokolosh
    Tokolosh
    Offline
    Monday, November 28 2016, 09:55 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    @Peter,
    Links to the User Guides are broken.
    Nick


    The Correct Links are:

    - Protocol Filter
    - Application Filter
    The reply is currently minimized Show
  • Accepted Answer

    Monday, November 28 2016, 07:01 PM - #Permalink
    Resolved
    0 votes
    @Peter,
    Links to the User Guides are broken.
    Nick
    The reply is currently minimized Show
  • Accepted Answer

    alahwany
    alahwany
    Offline
    Monday, November 28 2016, 06:19 PM - #Permalink
    Resolved
    0 votes
    hello peter can you please tell me is this version for only clearos7 or can work on 6?

    also i need to know how to uninstall it because you said only the installation only.

    thanks you
    The reply is currently minimized Show
  • Accepted Answer

    alahwany
    alahwany
    Offline
    Monday, November 28 2016, 05:35 PM - #Permalink
    Resolved
    0 votes
    can you please tell me how to uninstall it if i found some problem after installing it
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, September 27 2016, 04:22 PM - #Permalink
    Resolved
    0 votes
    Thanks for the detective work! I have added the issue to the Github tracker: https://github.com/eglooca/netify-fwa/issues/1
    The reply is currently minimized Show
  • Accepted Answer

    Saturday, September 24 2016, 08:35 PM - #Permalink
    Resolved
    0 votes
    Marcel van Leeuwen wrote:

    I'm not familiar with this app but it's look there is something wrong with "state.dat" file


    Sep 22 10:35:24 fwcs.online.linux netify-fwa[8343]: Exception: netify-fwa.php:285: Unable to decode state file: /var/lib/netify-fwa/state.dat


    Yup, just like that, i did copy another state.dat from another Firewall i have in my network... and it just works :)

    For those who might have this problem with that system msg, just copy this:

    a:0:{}


    into your state.dat and be happy again! :)
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, September 22 2016, 04:14 PM - #Permalink
    Resolved
    1 votes
    I'm not familiar with this app but it's look there is something wrong with "state.dat" file


    Sep 22 10:35:24 fwcs.online.linux netify-fwa[8343]: Exception: netify-fwa.php:285: Unable to decode state file: /var/lib/netify-fwa/state.dat
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, September 22 2016, 02:37 PM - #Permalink
    Resolved
    0 votes
    Peter Baldwin wrote:

    walter ferry dissmann wrote:

    I have an issue with my ClearOS Community.

    Both, application and protocol always on Status: Stopped.

    Tried to restart server, unninstall and install again.. nothing works! :(

    Where can i see logs or see what is causing the problem?

    Thanks! :)


    The systemd log should have more information: systemctl status netify-fwa -l


    Here is it:
    ● netify-fwa.service - Netify FWA Daemon
    Loaded: loaded (/usr/lib/systemd/system/netify-fwa.service; enabled; vendor p reset: disabled)
    Active: failed (Result: resources) since Thu 2016-09-22 10:35:24 BRT; 58min a go
    Process: 8341 ExecStart=/usr/sbin/netify-fwa (code=exited, status=0/SUCCESS)
    Main PID: 5865 (code=exited, status=1/FAILURE)

    Sep 22 10:35:23 fwcs.online.linux systemd[1]: Starting Netify FWA Daemon...
    Sep 22 10:35:24 fwcs.online.linux php[8341]: Netify Firewall Agent v1.0 starting ...
    Sep 22 10:35:24 fwcs.online.linux netify-fwa[8341]:
    Sep 22 10:35:24 fwcs.online.linux netify-fwa[8343]: Exception: netify-fwa.php:28 5: Unable to decode state file: /var/lib/netify-fwa/state.dat
    Sep 22 10:35:24 fwcs.online.linux netify-fwa[8343]:
    Sep 22 10:35:24 fwcs.online.linux systemd[1]: PID 8343 read from file /var/run/n etify-fwa/netify-fwa.pid does not exist or is a zombie.
    Sep 22 10:35:24 fwcs.online.linux systemd[1]: Failed to start Netify FWA Daemon.
    Sep 22 10:35:24 fwcs.online.linux systemd[1]: Unit netify-fwa.service entered fa iled state.
    Sep 22 10:35:24 fwcs.online.linux systemd[1]: netify-fwa.service failed.


    Wierd is that i see netifyd running on the process viewer.

    Thanks for the reply man! :)
    The reply is currently minimized Show
  • Accepted Answer

    Thursday, September 22 2016, 01:35 PM - #Permalink
    Resolved
    1 votes
    walter ferry dissmann wrote:

    I have an issue with my ClearOS Community.

    Both, application and protocol always on Status: Stopped.

    Tried to restart server, unninstall and install again.. nothing works! :(

    Where can i see logs or see what is causing the problem?

    Thanks! :)


    The systemd log should have more information: systemctl status netify-fwa -l
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, September 21 2016, 07:32 PM - #Permalink
    Resolved
    0 votes
    I have an issue with my ClearOS Community.

    Both, application and protocol always on Status: Stopped.

    Tried to restart server, unninstall and install again.. nothing works! :(

    Where can i see logs or see what is causing the problem?

    Thanks! :)
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, July 20 2016, 07:28 PM - #Permalink
    Resolved
    0 votes
    Duncan Colhoun wrote:

    Any movement on this?


    So far, the feedback has been very good with not too many reported cases of false positives. The Tor protocol detection did bite us in a recent support incident - it was mistakenly blocking a web site. In the next update, we'll be ripping out the Tor detection ... it's not ready for primetime.

    On the documentation side of things, we're chipping away at the protocol information database -- it's a tedious and somewhat slow process.

    On the technical side of the equation, we're in the process of adding:
    - A command line tool for status information
    - Support for adding applications via configuration file
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, July 19 2016, 11:42 AM - #Permalink
    Resolved
    0 votes
    Hi Peter

    Any movement on this?
    The reply is currently minimized Show
  • Accepted Answer

    Monday, June 27 2016, 06:46 PM - #Permalink
    Resolved
    0 votes
    Hi Duncan,

    Duncan Colhoun wrote:

    Thanks for the follow up. I should have said I was running OpenVPN on non default port, as I can block default port with firewall.


    It looks like a good chunk of the protocol analysis is done across all ports - in fact that's one of the key messages in the deep packet inspection library used by the ClearOS apps. However, there are some protocols - like OpenVPN - that are locked into particular ports in order to avoid over-matching (aka false positives).

    We have started creating a database of information for all the 160+ protocols, and we hope to make note of any protocols that are locked into particular ports.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, June 21 2016, 04:20 AM - #Permalink
    Resolved
    0 votes
    Hi Peter

    Thanks for the follow up. I should have said I was running OpenVPN on non default port, as I can block default port with firewall.
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, June 21 2016, 01:01 AM - #Permalink
    Resolved
    0 votes
    So I just tried OpenVPN. It works as expected on the default ports (both UDP and TCP 1194), but detection did not work on alternate ports. I'll ping the expert on the topic.

    Tip: if you are a command line person, you can see the live blocked protocol entries by running:


    # inbound
    watch iptables -t mangle -L NETIFY_FWA_PROTOCOL_INGRESS -n -v
    # outbound
    watch iptables -t mangle -L NETIFY_FWA_PROTOCOL_EGRESS -n -v


    It's the same for the blocked applications, but replace PROTOCOL with SERVICE:


    # inbound
    watch iptables -t mangle -L NETIFY_FWA_SERVICE_INGRESS -n -v
    # outbound
    watch iptables -t mangle -L NETIFY_FWA_SERVICE_EGRESS -n -v
    The reply is currently minimized Show
  • Accepted Answer

    Monday, June 20 2016, 05:13 PM - #Permalink
    Resolved
    0 votes
    I just added a feature request for more logging - https://github.com/eglooca/app-netify-fwa/issues/2
    The reply is currently minimized Show
  • Accepted Answer

    Monday, June 20 2016, 05:08 PM - #Permalink
    Resolved
    0 votes
    Duncan Colhoun wrote:

    Some feedback

    I setup the protocol filter to block Openvpn and Tor. I was able to use both on the network.

    Both Openvpn and Tor connected without any problem.

    Do these apps produce any logs?


    Tor detection is dodgy. As noted in the announcement, it will likely be removed. As for OpenVPN, I'll try to duplicate the issue! I'll also ask about providing more logging.
    The reply is currently minimized Show
  • Accepted Answer

    Saturday, June 18 2016, 07:16 AM - #Permalink
    Resolved
    0 votes
    Some feedback

    I setup the protocol filter to block Openvpn and Tor. I was able to use both on the network.

    Both Openvpn and Tor connected without any problem.

    Do these apps produce any logs?
    The reply is currently minimized Show
  • Accepted Answer

    Friday, June 17 2016, 01:25 PM - #Permalink
    Resolved
    0 votes
    Yes, only ClearOS 7 at the moment. We should be able to backport the apps to ClearOS 6 though... good idea.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, June 17 2016, 07:06 AM - #Permalink
    Resolved
    0 votes
    Hi Peter

    Are these for COS7 only?
    The reply is currently minimized Show
Your Reply