author | Ermal Luçi <eri@pfsense.org> | 2008-08-02 22:24:45 +0000 |
---|---|---|
committer | Ermal Luçi <eri@pfsense.org> | 2008-08-02 22:24:45 +0000 |
commit | 4ae45b1093b1a2fda98b263a5cffce9689ad109a (patch) | |
tree | c770e69156a527cbe1deb11a288dc3315c9423ca /usr/local/share/protocols/h323.pat | |
parent | b5a7edb1ca42023606cde872cb8b5339d3b9837a (diff) | |
download | pfsense-4ae45b1093b1a2fda98b263a5cffce9689ad109a.zip pfsense-4ae45b1093b1a2fda98b263a5cffce9689ad109a.tar.gz |
Add protocol definitions needed by ipfw-classifyd. Basically they are copied from the ipfw-classifyd pfPort which inherits them from l7-filter project on sf.net.
Diffstat (limited to 'usr/local/share/protocols/h323.pat')
-rw-r--r-- | usr/local/share/protocols/h323.pat | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/usr/local/share/protocols/h323.pat b/usr/local/share/protocols/h323.pat new file mode 100644 index 0000000..d3f59c5 --- /dev/null +++ b/usr/local/share/protocols/h323.pat @@ -0,0 +1,35 @@ +# H.323 - Voice over IP. +# Pattern attributes: ok veryfast fast +# Protocol groups: voip itu-t_standard +# Wiki: http://www.protocolinfo.org/wiki/H.323 +# +# This pattern is written without knowledge of the principles of H.323. +# It has only been tested with gnomemeeting and may not work for other +# clients. +# +# Also, it has been reported that: +# "the pattern ... match[es] only first H.323 stream (conntrack for H.323 was +# enabled). Also the major chunk of traffic was of RTP which went untracked." +# +# Also, it may very well match other things that use TPKT and +# Q.931. + +# Note that to take full advantage of this pattern, you will need to +# have connection tracking of H.323 support in your kernel. This +# support is not in the stock kernel. A patch can be found at +# http://netfilter.org + +h323 +# TPKT format: http://www.ietf.org/rfc/rfc1006.txt +# \x03 = TPKT version. It was 3 in May 1987 and gnomemeeting still uses 3. +# ..? = null reserved byte and packet length field. +# Q.931 format: http://www.freesoft.org/CIE/Topics/126.htm +# \x08 = Q.931 +# . = length of call reference +# The next byte was: \x18 = message sent from originating side. +# But based on experimentation, it seems that just . is better. +# .?.?.?.?.?.?.?.?.?.?.?.?.?.?.? = call reference (0-15 bytes (0 for nulls)) +# \x05 = setup message +# +# Yup, it doesn't actually include any H.323 protocol information. +^\x03..?\x08...?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x05 |
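Review bot: The note just above the `h323` line tells users they need H.323 connection tracking support in the kernel and points to a patch at http://netfilter.org. That is Linux netfilter advice carried over from l7-filter, and it does not apply to ipfw-classifyd on pfSense. Drop it, or replace it with a note on what, if anything, tracks the related streams on this platform. Separately, the final pattern anchors only on the TPKT version byte `\x03`, the Q.931 byte `\x08` and the setup byte `\x05`, with every other position a wildcard. The header itself says it may match other things that use TPKT and Q.931, and that RTP went untracked. It would help to state in the file that a match is a classification hint for shaping, not a reliable basis for block or allow rules.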