Differences

This shows you the differences between two versions of the page.

--- en:dpi:dpi_options:opt_filtration:filtration_ctrl:start [2023/11/27 15:06] – elena.krasnobryzh
+++ en:dpi:dpi_options:opt_filtration:filtration_ctrl:start [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
@@ Line 1: / Line 1: @@
-====== Management ======
-{{indexmenu_n>3}}
-In order to filter a traffic of some particular subscribers, or exclude filtering of transit traffic, or provide filtering to other operators as a service - you will need to activate Subscriber Management to control this service. Please add configuration parameter to the file /etc/dpi/fastdpi.conf to activate:
-<code>black_list_sm=1</code>
-As a result, this service is configured on level of individual subscribers by [[en:dpi:dpi_components:platform:subscriber_management:subsman_cmd:start|fdpi_ctrl]].
-Instruction format:
-<code>
-fdpi_ctrl command --service 4 [IP_list]
-</code>
-<note important>You can find more details on the instruction syntax and IP specification methods here: [[en:dpi:dpi_components:platform:subscriber_management:subsman_cmd:start|Control instructions]]</note>
-<note tip>When the service is activated, only TCP traffic is blocked. To block UDP traffic as well, you must [[en:dpi:dpi_options:opt_filtration:filtration_ctrl:start#configuring_tcp_and_udp_protocol_blocking|enable the]] ''[[en:dpi:dpi_options:opt_filtration:filtration_ctrl:start#configuring_tcp_and_udp_protocol_blocking|udp_block]]'' parameter.</note>
-Examples:
-Activate the service for all subscribers and switch filtering off for an administrator:
-<code>
-fdpi_ctrl load --service 4 --cidr 192.168.0.0/24
-fdpi_ctrl del --service 4 --ip 192.168.0.1
-</code>
-Enable the service for an independent system AS50538:
-<code>
-fdpi_ctrl load --service 4 --cidr 37.110.240.0/21 --cidr 109.235.216.0/21
-</code>
-Creating named profile and activating it to several subcribers
-<code>
-fdpi_ctrl load profile --service 4  --profile.name test_black --profile.json '{ "url_list" : "http://mysite.ru/myfile.bin" , "ip_list" : "http://mysite.ru/myfileip.bin", "cn_list" : "http://mysite.ru/myfilecn.bin", "redirect" : "http://mysite.ru/block", "federal" : 0 }'
-fdpi_ctrl load --service 4 --profile_name test_black --ip 192.168.0.1
-fdpi_ctrl load --service 4 --profile_name test_black --ip 192.168.0.2
-</code>
-here\\
-in json format sets folowing profiles' parameters\\
-redirect - web page to redirect to\\
-federal : 0/1/2/etc. using local athorities blacklist\\
-url_list - URL blacklist\\
-ip_list - IP:PORT  blacklist\\
-cn_list - Common Name blacklist
-Blacklist can be loaded from external source, like "http://mysite.ru/myfilecn.bin", or in a local file, like "cn_list" : "/tmp/cn_list.bin"
-Searching subscribers with named profile:
-<code>
-fdpi_ctrl list all --service 4 --profile.name test_black</code>
-Deleting subscribers with named profile (the named profile has no subscribers using it)
-<code>
-fdpi_ctrl del profile --service 4  --profile.name test_black
-</code>
-Changing parameters of named profile (new settings apply to all subscribers with the named profile)
-<code>
-fdpi_ctrl load profile --service 4 --profile.name test_black --profile.json '{ "url_list" : "http://mysite.ru/myfile.bin" , "ip_list" : "http://mysite.ru/myfileip.bin", "cn_list" : "http://mysite.ru/myfilecn.bin", "redirect" : "http://mysite.ru/block", "federal" : false }'
-</code>
-Maximum number of profiles for blacklist service is configuerd by a parameter in /etc/dpi/fastdpi.conf
-<code>
-max_profiles_black_list=64
-</code>
-here\\
-default value, 65535 maximum value\\
-<note warning>The parameter is applied after service restart.</note>
-=====Activation of IPv6 traffic blocking service=====
-Instruction format:
-<code bash>
-fdpi_ctrl команда --service 49 [options list] [list_IP or login]
-</code>
-<note important>You can find more details on the instruction syntax and IP specification methods here: [[en:dpi:dpi_components:platform:subscriber_management:subsman_cmd:start|Control instructions]]</note>
-Activate the service:
-<code bash>
-fdpi_ctrl load --service 49 --login DEMO
-</code>
-or
-<code bash>
-fdpi_ctrl load --service 49 --vchannel 1
-</code>
-<note tip>When the service is activated, only TCP traffic is blocked. To block UDP traffic as well, you must [[en:dpi:dpi_options:opt_filtration:filtration_ctrl:start#configuring_tcp_and_udp_protocol_blocking|enable the]] ''[[en:dpi:dpi_options:opt_filtration:filtration_ctrl:start#configuring_tcp_and_udp_protocol_blocking|udp_block]]'' parameter.</note>
-===== Configuring TCP and UDP protocol blocking =====
-The ''udp_block'' parameter is responsible for blocking the UDP protocol. If the DPI configuration file ''/etc/dpi/fastdpi.conf'' contains this parameter, then TCP+UDP blocking will take place, if not - only TCP will be blocked.
-To start blocking UDP protocols (e.g. QUIC), it is necessary to add the ''udp_block'' parameter to the configuration file with the value 2 or 3 (to start blocking after two or three packets have passed). Such values are set because there may be a large number of single packets that are not counted in the traffic, but may cause a heavy load on DPI.
-<code bash>
-udp_block=3
-</code>
-Adding a parameter does not require a DPI restart, just a reload:
-<code bash>
-service fastdpi reload
-</code>

Profile

Settings

Differences

Differences

What were you trying to find?