IP Stories

“A Written IP Related Activities”

Archive for April 8th, 2008

Different IOS version: NBAR does not work :) even though it matches!

Posted by a. Rahman Isnaini r. Sutan on April 8, 2008

Even though the config is correct and the matches show up, without a Technology (T) IOS version the policy filter regex does not work: NBAR does not let it through :) and you have to follow the guidance in Mbah Kung Chamber's primbon (almanac).. Oh yes, if any friends have converted this to JunOS or to Mikrotik Mangle and IP Firewall, please share..

c7200-is-mz.123-12.bin

Service-policy input: FILTER-FITNA

  Class-map: URL-FITNA (match-any)
    68 packets, 66099 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: protocol http url "fitna*"
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol http url "*fitna*"
      68 packets, 66099 bytes
      5 minute rate 0 bps
    Match: protocol http url "*fitna"
      0 packets, 0 bytes
      5 minute rate 0 bps

c3660-is-mz.122-2.T.bin

Service-policy input: FILTER-FITNA

  Class-map: URL-FITNA (match-any)
    234 packets, 132795 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: protocol http url "*fitna*"
      94 packets, 49737 bytes
      5 minute rate 0 bps
    Match: protocol http url "*fitna"
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol http url "fitna*"
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol http url "*spysurfing.com*"
      140 packets, 83058 bytes
      5 minute rate 0 bps
    Match: protocol http url "spysurfing.com*"
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol http url "*spysurfing.com"
      0 packets, 0 bytes
      5 minute rate 0 bps
    QoS Set
      ip dscp 5
        Packets marked 234
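The difference between the two outputs above is the missing "QoS Set / Packets marked" section on the 12.3(12) image: the class matched 68 packets but nothing was marked, so access-list 150 and the route-map never saw DSCP 5. The following Python is an added example, not code from the post, that parses this kind of output and flags a class that saw traffic without a matching "Packets marked" count. It assumes only the layout visible in the outputs quoted here, and the embedded samples are those two outputs abridged to the URL-FITNA class.

```python
"""Check that a service-policy actually marked what it matched.

Added example (not from the original post): parses the text of
'show policy-map interface' and flags any class whose packet counter is
non-zero but whose 'Packets marked' line is missing or lower than that
counter. The layout is assumed from the outputs quoted in the post."""
import re

# The two outputs quoted in the post (12.3(12) and 12.2(2)T images),
# abridged to the URL-FITNA class; indentation as IOS prints it.
OUT_123_12 = """\
Service-policy input: FILTER-FITNA

  Class-map: URL-FITNA (match-any)
    68 packets, 66099 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: protocol http url "fitna*"
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol http url "*fitna*"
      68 packets, 66099 bytes
      5 minute rate 0 bps
"""

OUT_122_T = """\
Service-policy input: FILTER-FITNA

  Class-map: URL-FITNA (match-any)
    234 packets, 132795 bytes
    5 minute offered rate 0 bps, drop rate 0 bps
    Match: protocol http url "*fitna*"
      94 packets, 49737 bytes
      5 minute rate 0 bps
    Match: protocol http url "*spysurfing.com*"
      140 packets, 83058 bytes
      5 minute rate 0 bps
    QoS Set
      ip dscp 5
        Packets marked 234
"""

CLASS_RE = re.compile(r"^Class-map: (\S+) \((match-\w+)\)$")
PKTS_RE = re.compile(r"^(\d+) packets, (\d+) bytes$")
MATCH_RE = re.compile(r"^Match: (.+)$")
MARKED_RE = re.compile(r"^Packets marked (\d+)$")


def parse_policy_output(text):
    """Return {class_name: {"packets": int, "matches": {criterion: int}, "marked": int|None}}.

    The first 'N packets' line after 'Class-map:' is the class-wide counter;
    every later one belongs to the preceding 'Match:' line."""
    classes, current, last_match = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            current = classes.setdefault(
                m.group(1), {"packets": 0, "matches": {}, "marked": None})
            last_match = None
            continue
        if current is None:
            continue
        m = MATCH_RE.match(line)
        if m:
            last_match = m.group(1)
            current["matches"][last_match] = 0
            continue
        m = PKTS_RE.match(line)
        if m:
            count = int(m.group(1))
            if last_match is None:
                current["packets"] = count
            else:
                current["matches"][last_match] = count
            continue
        m = MARKED_RE.match(line)
        if m:
            current["marked"] = int(m.group(1))
    return classes


def unmarked_classes(text):
    """Names of classes that saw traffic but show no (or fewer) marked packets."""
    bad = []
    for name, info in parse_policy_output(text).items():
        if info["packets"] > 0 and (info["marked"] or 0) < info["packets"]:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for label, out in (("12.3(12)", OUT_123_12), ("12.2(2)T", OUT_122_T)):
        print(label, "unmarked classes:", unmarked_classes(out) or "none")
```

On the 12.3(12) sample the check reports URL-FITNA; on the 12.2(2)T sample it reports nothing, which is the quickest way to tell "the class-map is fine" from "the set action never ran" before looking at the ACL counters.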

Anwar, … same as in Jt Padang … it has only been applied on one of the gateways so far :) the ones above it have to be upgraded :))

Wassalam,

a. rahman isnaini r.sutan

Posted in Cisco, government, policy, security | 1 Comment

Cisco NBAR ACL to Match FITNA URL STRING

Posted by a. Rahman Isnaini r. Sutan on April 8, 2008

sh policy-map interface f0/0.6
 FastEthernet0/0.6

  Service-policy input: FILTER-FITNA

    Class-map: URL-FITNA (match-any)
      234 packets, 132795 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*fitna*"
        94 packets, 49737 bytes
        5 minute rate 0 bps
      Match: protocol http url "*fitna"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "fitna*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*spysurfing.com*"
        140 packets, 83058 bytes
        5 minute rate 0 bps
      Match: protocol http url "spysurfing.com*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*spysurfing.com"
        0 packets, 0 bytes
        5 minute rate 0 bps
      QoS Set
        ip dscp 5
          Packets marked 234

    Class-map: class-default (match-any)
      6129 packets, 802498 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

sh access-lists 150
Extended IP access list 150
    permit ip any any dscp 5 (234 matches)
    deny ip any any (5782 matches)

Wassalaam,

a. rahman isnaini r.sutan

Posted in Cisco, government, policy, security, social | No Comments

Cisco NBAR [Regular Expression - Regex] Block Specific URL String

Posted by a. Rahman Isnaini r. Sutan on April 8, 2008

Following the ministerial regulation that requires every ISP to block YouTube down to its roots, and the resulting anxiety among YouTube users, here is a small solution from Cisco..

Proven: it is able to block every search containing the word fitna. The exception is content that is already in video form; in that case the video's string value has to be added to the class-map list. So, as our Opisboy colleagues would say, it kills the rat right in its heart :))

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(As per request) English version:

As a reaction to the Fitna movie by Geert Wilders, produced in Holland, which contains an unwanted interpretation of Islamic society and its behaviour, the Indonesian Government issued an instruction for every ISP/NAP in this country to block the content providers that, incidentally or not, host the Fitna movie.

Hereby we, as network engineers, would like to spend some of our time suggesting a solution that might be useful for users/ISPs/NAPs to block only those files (movie, document, search-engine result, etc.) that contain fitna or another key string.

As we all know, a content provider that hosts that kind of file still has other positive parts, i.e. education, even Islamic files, etc.

This config is only for those who have Cisco routers in their core/distribution/access network; should anybody have an idea how to 'translate' it to JunOS or Linux/Unix, that would be good.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Steps

1. Configure a class-map that matches any of the strings in the match protocol lines

class-map match-any URL-FITNA
 match protocol http url "*fitna*"
 match protocol http url "*fitna"
 match protocol http url "fitna*"
 match protocol http url "*spysurfing.com*"
 match protocol http url "spysurfing.com*"
 match protocol http url "*spysurfing.com"

2. Configure a policy-map to mark this FITNA traffic (DSCP x) (question: why does DSCP 10 turn into AF11? that is why 5 is used).

policy-map FILTER-FITNA
 class URL-FITNA
  set ip dscp 5

3. Create an access-list to match the marked (DSCP) traffic, as used by the policy route-map that will send it to Null.

access-list 150 permit ip any any dscp 5
access-list 150 deny ip any any

4. Create a route-map to Null the traffic that matches the access-list

route-map FITNA-BLOCK permit 10
 match ip address 150
 set interface Null0

5. Apply the service-policy on the interface LAN-SIAPA-YANG-MAU-AKSES (the LAN of whoever wants to access).. and also apply the IP policy route-map

int f0/0.6
 desc LAN-ENGINEER-ACCESS-URL-STRING-FITNA
 ip policy route-map FITNA-BLOCK
 service-policy input FILTER-FITNA
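To see how the five steps chain together for one request, here is an added Python model of the path class-map -> policy-map -> access-list 150 -> route-map -> Null0. It is not configuration or code from the post. It assumes that NBAR's "match protocol http url" is evaluated against the URL path (the part after the host name), that "*" matches any run of characters and "?" one character (NBAR's other operators are not modelled), and that in a match-any class the first pattern that hits is the one credited in the counters; the request paths are constructed, not captured traffic.

```python
"""Walk an HTTP request through the post's five steps: class-map ->
policy-map (set dscp) -> access-list 150 -> route-map FITNA-BLOCK -> Null0.

Added example, not configuration or code from the post. Assumptions:
the url match is applied to the URL path only, '*' = any run of
characters, '?' = one character; NBAR's '|', '(', ')', '[', ']' are not
modelled; in a match-any class the first matching pattern is credited."""
import re
from collections import Counter

DSCP_MARK = 5   # 'set ip dscp 5' from policy-map FILTER-FITNA

# class-map match-any URL-FITNA, patterns in the order the post lists them
URL_FITNA = [
    "*fitna*", "*fitna", "fitna*",
    "*spysurfing.com*", "spysurfing.com*", "*spysurfing.com",
]


def nbar_url_regex(pattern):
    """Translate an NBAR url pattern into an anchored Python regex (assumed subset)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def url_matches(pattern, path):
    return nbar_url_regex(pattern).fullmatch(path) is not None


def classify(path, patterns=URL_FITNA):
    """Step 1: first matching pattern, or None for class-default."""
    for pat in patterns:
        if url_matches(pat, path):
            return pat
    return None


def policy_map_filter_fitna(path):
    """Step 2: matched traffic gets DSCP 5; class-default leaves DSCP 0."""
    return DSCP_MARK if classify(path) else 0


def access_list_150(dscp):
    """Step 3: permit ip any any dscp 5 / deny ip any any."""
    return "permit" if dscp == DSCP_MARK else "deny"


def route_map_fitna_block(dscp):
    """Step 4: permit 10, match ip address 150 -> set interface Null0."""
    return "Null0" if access_list_150(dscp) == "permit" else "forward"


def process(paths):
    """Step 5, both features on the ingress interface: per-pattern counters
    (as 'show policy-map interface' would print them) and each request's fate."""
    counters = Counter()
    fates = {}
    for path in paths:
        pat = classify(path)
        counters[pat or "class-default"] += 1
        dscp = policy_map_filter_fitna(path)
        fates[path] = (dscp, route_map_fitna_block(dscp))
    return counters, fates


# Constructed request paths (not captured traffic).
SAMPLE_PATHS = [
    "/results?search_query=fitna+movie",   # a search-result page
    "/watch?v=fitna",                      # path that ends in the string
    "/redirect?to=spysurfing.com/clip",    # mirror site named in the post
    "/get_video?video_id=abc123",          # the video itself: opaque id, no keyword
    "/index.html",
]

if __name__ == "__main__":
    counters, fates = process(SAMPLE_PATHS)
    for pat in URL_FITNA + ["class-default"]:
        print(f"Match: {pat!r:22} {counters[pat]} packets")
    for path, (dscp, fate) in fates.items():
        print(f"{path:40} dscp={dscp} -> {fate}")
```

Running it reproduces the shape of the counters on the page: only the unanchored "*fitna*" and "*spysurfing.com*" patterns ever hit, because a path starts with "/" (so "fitna*" can never match) and "*fitna" only matches when the string is the very last thing in the path. The "/get_video?video_id=abc123" request falls through to class-default and is forwarded, which is the post's own caveat that a video fetched by an opaque id has to be added to the class-map by its own string. DSCP 10 is the AF11 code point, which is why IOS shows it under that name; the page sidesteps the question by marking with 5.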

For Dikshie: so far, with one PC accessing, there is no CPU increase. With many users it may consume more resources; it is still under observation..

Wassalam

a. rahman isnaini r.sutan

Posted in Cisco, security, social | 8 Comments