Management
To filter the traffic of particular subscribers only, to exclude transit traffic from filtering, or to provide filtering to other operators as a service, you need to activate Subscriber Management so that the service can be controlled per subscriber. Add the following parameter to /etc/dpi/fastdpi.conf to activate it:
black_list_sm=1
With this setting, the service is configured at the level of individual subscribers with fdpi_ctrl.
Instruction format:
fdpi_ctrl command --service 4 [IP_list]
Blocking of UDP traffic by this service is controlled by the udp_block parameter.
Examples:
Activate the service for all subscribers (here the 192.168.0.0/24 subnet) and switch filtering off for an administrator:
fdpi_ctrl load --service 4 --cidr 192.168.0.0/24
fdpi_ctrl del --service 4 --ip 192.168.0.1
Enable the service for the autonomous system AS50538:
fdpi_ctrl load --service 4 --cidr 37.110.240.0/21 --cidr 109.235.216.0/21
Creating a named profile and activating it for several subscribers:
fdpi_ctrl load profile --service 4 --profile.name test_black --profile.json '{ "url_list" : "http://mysite.ru/myfile.bin" , "ip_list" : "http://mysite.ru/myfileip.bin", "cn_list" : "http://mysite.ru/myfilecn.bin", "redirect" : "http://mysite.ru/block", "federal" : 0 }'
fdpi_ctrl load --service 4 --profile_name test_black --ip 192.168.0.1
fdpi_ctrl load --service 4 --profile_name test_black --ip 192.168.0.2
Here the --profile.json argument sets the following profile parameters in JSON format:
redirect - web page to which blocked requests are redirected
federal - 0/1/2/etc.: use the local authorities' blacklist
url_list - URL blacklist
ip_list - IP:PORT blacklist
cn_list - Common Name (certificate CN) blacklist
A blacklist can be loaded from an external source, e.g. "cn_list" : "http://mysite.ru/myfilecn.bin", or from a local file, e.g. "cn_list" : "/tmp/cn_list.bin".
Searching for subscribers with a named profile:
fdpi_ctrl list all --service 4 --profile.name test_black
Deleting a named profile (only possible when no subscriber is using it):
fdpi_ctrl del profile --service 4 --profile.name test_black
Changing the parameters of a named profile (the new settings apply to all subscribers with that profile):
fdpi_ctrl load profile --service 4 --profile.name test_black --profile.json '{ "url_list" : "http://mysite.ru/myfile.bin" , "ip_list" : "http://mysite.ru/myfileip.bin", "cn_list" : "http://mysite.ru/myfilecn.bin", "redirect" : "http://mysite.ru/block", "federal" : false }'
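The profile workflow above (create a named profile, attach it to subscribers, list its members, delete it) is easy to get wrong when scripted, because the list sources are spliced into a JSON document inside a single-quoted shell argument. The following script is an added example, not code from the VAS Experts documentation: it validates the profile parameters (each list must be an http(s) URL or an absolute local path, as described above; federal must be a non-negative integer; quotes and backslashes are rejected because they would break the JSON) and then emits or runs the exact fdpi_ctrl invocations shown on this page. The profile name test_black, the mysite.ru URLs and the subscriber IPs are placeholders; with FDPI_DRY_RUN=1 (the default) the commands are only printed, so it runs on a machine without fastdpi.

```shell
#!/bin/sh
# Added example (not code from the VAS Experts documentation): build a named
# blacklist profile for --service 4 from validated parameters and assign it to
# a set of subscribers. With FDPI_DRY_RUN=1 (the default here) every fdpi_ctrl
# invocation is printed instead of executed, so the script runs without a DPI;
# set FDPI_DRY_RUN=0 on a real fastdpi host. Profile name, list URLs and
# subscriber IPs below are placeholders.
FDPI_DRY_RUN="${FDPI_DRY_RUN:-1}"

# Single-quote an argument when it contains characters the shell would interpret.
shq() {
    case "$1" in
        *[!A-Za-z0-9_./:=@-]*) printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")" ;;
        *) printf '%s' "$1" ;;
    esac
}

# Execute fdpi_ctrl, or print the exact command line in dry-run mode.
fdpi_run() {
    if [ "$FDPI_DRY_RUN" = 1 ]; then
        out=fdpi_ctrl
        for a in "$@"; do out="$out $(shq "$a")"; done
        printf '%s\n' "$out"
    else
        fdpi_ctrl "$@"
    fi
}

# A list source must be an http(s) URL or an absolute local path (the two forms
# the documentation allows); quotes and backslashes are rejected because the
# value is spliced into the profile JSON unescaped.
bl_check_source() {
    case "$1" in
        *'"'*|*'\'*) echo "bl: '$1' contains a quote or backslash" >&2; return 1 ;;
        http://*|https://*|/*) return 0 ;;
        *) echo "bl: '$1' is not an http(s) URL or an absolute path" >&2; return 1 ;;
    esac
}

# Emit the --profile.json document. Arguments: url_list ip_list cn_list redirect federal
bl_profile_json() {
    for src in "$1" "$2" "$3"; do bl_check_source "$src" || return 1; done
    case "$4" in
        *'"'*|*'\'*) echo "bl: redirect '$4' contains a quote or backslash" >&2; return 1 ;;
        http://*|https://*) ;;
        *) echo "bl: redirect '$4' must be an http(s) URL" >&2; return 1 ;;
    esac
    case "$5" in
        ''|*[!0-9]*) echo "bl: federal must be a non-negative integer, got '$5'" >&2; return 1 ;;
    esac
    printf '{ "url_list" : "%s", "ip_list" : "%s", "cn_list" : "%s", "redirect" : "%s", "federal" : %s }\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Create the named profile; re-running with new JSON changes it for every
# subscriber that already uses it.
bl_profile_load() { fdpi_run load profile --service 4 --profile.name "$1" --profile.json "$2"; }

# Attach the profile to each subscriber IP given after the profile name.
bl_profile_assign() {
    name="$1"; shift
    for ip in "$@"; do fdpi_run load --service 4 --profile_name "$name" --ip "$ip"; done
}

# List subscribers using the profile; delete the profile (only valid once no
# subscriber uses it any more).
bl_profile_members() { fdpi_run list all --service 4 --profile.name "$1"; }
bl_profile_delete()  { fdpi_run del profile --service 4 --profile.name "$1"; }

# Demo run (dry-run by default): create test_black and attach two subscribers.
json="$(bl_profile_json http://mysite.ru/myfile.bin http://mysite.ru/myfileip.bin \
        /tmp/cn_list.bin http://mysite.ru/block 0)" || exit 1
bl_profile_load test_black "$json"
bl_profile_assign test_black 192.168.0.1 192.168.0.2
bl_profile_members test_black
```

Run it once with the default dry-run to review the generated command lines, then with FDPI_DRY_RUN=0 on the DPI host. Because the validation runs before anything is sent to fdpi_ctrl, a malformed source (an ftp:// URL, a relative path, a stray quote) aborts the whole batch instead of leaving a half-configured profile.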
The maximum number of profiles for the blacklist service is configured by a parameter in /etc/dpi/fastdpi.conf:
max_profiles_black_list=64
The default value is 64; the maximum value is 65535.
Activating the IPv6 traffic blocking service
Instruction format:
fdpi_ctrl command --service 49 [option_list] [IP_list or login]
Activate the service:
fdpi_ctrl load --service 49 --login DEMO
or
fdpi_ctrl load --service 49 --vchannel 1
Configuring TCP and UDP protocol blocking
The udp_block parameter controls blocking of the UDP protocol. If the DPI configuration file /etc/dpi/fastdpi.conf contains this parameter, both TCP and UDP are blocked; if it does not, only TCP is blocked.
To start blocking UDP-based protocols (e.g. QUIC), add the udp_block parameter to the configuration file with the value 2 or 3 (blocking starts after two or three packets have passed). These values are used because there may be a large number of single packets that are not counted as traffic but would put a heavy load on the DPI if each had to be processed for blocking.
udp_block=3
Adding the parameter does not require a DPI restart; a reload is sufficient:
service fastdpi reload
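Before issuing the reload it is worth checking what the configuration file actually says, since an absent udp_block silently means TCP-only blocking and a value outside 2..3 changes the packet threshold. The following script is an added example, not part of the VAS Experts documentation: it reads black_list_sm, max_profiles_black_list and udp_block from a fastdpi.conf-style file and reports the effective blacklist settings. It assumes the file consists of key=value lines with # comments (an assumption of this script, not a documented format guarantee); the sample configuration it audits is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the VAS Experts documentation: audit the blacklist
# and UDP-blocking settings of a fastdpi.conf-style file before reloading the
# DPI. Assumes plain key=value lines with '#' comments (an assumption of this
# script); pass the real path, e.g. /etc/dpi/fastdpi.conf, to fdpi_audit.

# Print the value of KEY in FILE (last occurrence wins), or nothing if unset.
# Comments and surrounding blanks are stripped.
fdpi_conf_get() {
    file="$1"; key="$2"
    sed -n -e 's/#.*$//' -e "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\(.*\)\$/\1/p" "$file" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Subscriber management must be on (black_list_sm=1) for per-subscriber
# control of the blacklist service via fdpi_ctrl --service 4.
black_list_sm_enabled() {
    [ "$(fdpi_conf_get "$1" black_list_sm)" = 1 ]
}

# Profile limit: 64 when unset (the documented default), hard maximum 65535.
max_profiles_black_list() {
    v="$(fdpi_conf_get "$1" max_profiles_black_list)"
    case "$v" in
        '') echo 64 ;;
        *[!0-9]*) echo "invalid:$v"; return 1 ;;
        *) if [ "$v" -lt 1 ] || [ "$v" -gt 65535 ]; then echo "invalid:$v"; return 1; fi
           echo "$v" ;;
    esac
}

# Effective blocking mode: "tcp-only" when udp_block is absent, "tcp+udp:N"
# when it is set (the documentation recommends N = 2 or 3).
udp_block_mode() {
    v="$(fdpi_conf_get "$1" udp_block)"
    case "$v" in
        '') echo tcp-only ;;
        2|3) echo "tcp+udp:$v" ;;
        *[!0-9]*) echo "invalid:$v"; return 1 ;;
        *) echo "tcp+udp:$v (outside the recommended 2..3)" ;;
    esac
}

# Human-readable summary of the three settings.
fdpi_audit() {
    f="$1"
    if black_list_sm_enabled "$f"; then
        echo "black_list_sm: on (blacklist controlled per subscriber)"
    else
        echo "black_list_sm: off (set black_list_sm=1 for per-subscriber --service 4 control)"
    fi
    echo "max_profiles_black_list: $(max_profiles_black_list "$f")"
    echo "udp_block: $(udp_block_mode "$f")"
}

# Constructed sample config (not a real fastdpi.conf) so the demo runs offline.
sample_conf="$(mktemp)"
trap 'rm -f "$sample_conf"' EXIT
cat >"$sample_conf" <<'EOF'
# fragment of /etc/dpi/fastdpi.conf (constructed for this example)
black_list_sm=1
max_profiles_black_list = 128   # raised from the default of 64
udp_block=3
EOF
fdpi_audit "$sample_conf"
```

On the sample file this prints an enabled subscriber management flag, a profile limit of 128 and tcp+udp:3. Running it against the live file right before service fastdpi reload catches the common mistake of adding udp_block to the wrong file or leaving it commented out, in which case the audit still reports tcp-only.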