From owner-freebsd-questions@FreeBSD.ORG Wed Aug 31 12:44:00 2005
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D07316A41F; Wed, 31 Aug 2005 12:44:00 +0000 (GMT) (envelope-from freebsd@meijome.net)
Received: from sigma.octantis.com.au (ns2.octantis.com.au [207.44.189.124]) by mx1.FreeBSD.org (Postfix) with ESMTP id EAF8E43D49; Wed, 31 Aug 2005 12:43:59 +0000 (GMT) (envelope-from freebsd@meijome.net)
Received: (qmail 6543 invoked from network); 31 Aug 2005 22:43:59 +1000
Received: from 203-217-79-78.dyn.iinet.net.au (HELO ?192.168.13.3?) (203.217.79.78) by sigma.octantis.com.au with (DHE-RSA-AES256-SHA encrypted) SMTP; 31 Aug 2005 22:43:59 +1000
Message-ID: <4315A60A.40002@meijome.net>
Date: Wed, 31 Aug 2005 22:43:54 +1000
From: Norberto Meijome <freebsd@meijome.net>
User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
To: freebsd-questions@freebsd.org
References: <20050830234717.3D5E14E704@pipa.profix.cz>
In-Reply-To: <20050830234717.3D5E14E704@pipa.profix.cz>
Subject: Re: Application layer firewall on FreeBSD, is it possible ?
List-Id: User questions
X-List-Received-Date: Wed, 31 Aug 2005 12:44:00 -0000

hey,

Daniel Dvořák wrote:
> We are a small wireless community and have shared access to the internet for all
> members. Core members decided to control P2P traffic by default and to allow
> each person in an individual way, after showing their knowledge of authorial
> law. :)

I think you mean copyright law.

> But since many DC hubs, eDonkey servers, BitTorrent web trackers and so on
> use dynamic, non-standard ports, how to control it?

I haven't seen any way to control traffic for P2P apps reliably at the protocol layer; you need to inspect it. Something like snort attached to your firewall, I guess ... though it'd be a reverse IDS (or a reverse IPS, intrusion prevention system, I've seen it called...).

A quick search in ports for ids shows:
/net/libnids
/security/libprelude and other prelude-related ports
/security/snortms and other snort-related ports

> Linux uses l7-filter (sourceforge.net/projects/l7-filter, SourceForge freeware);
> it is based on iptables and defines application protocols like the Ethereal
> project does.

right - so something like applying ethereal rules to the output of tcpdump and updating the rules in real time... mind you, many of these apps/protocols are extremely flexible, they'll change how they connect very fast, which will put the load on your firewall.

> So, is there any way to do the same application-layer (OSI model) firewall with
> a FreeBSD gateway?

I don't see why not... though it's obvious I'm not sure how :)

please share the answer when you find it :)
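The thread's point is that port-based rules cannot see P2P sessions that move to arbitrary ports, and that an l7-filter-style classifier matches the first payload bytes of a flow instead. The Python below is an added example written for this page, not code from the thread, from l7-filter or from any FreeBSD port: it puts a port lookup beside a minimal payload classifier and runs both over constructed sample flows. The signatures are illustrative, drawn from the protocols' well-known opening bytes (the BitTorrent handshake string, the tracker announce query, eDonkey/eMule framing, Direct Connect login commands); they are assumptions for this example, not l7-filter's pattern files, and a production classifier would need more per-flow context to avoid false positives.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

# Illustrative signatures (assumption: written for this example from the
# protocols' documented opening bytes; not taken from l7-filter's patterns).

# BitTorrent peer wire handshake: pstrlen 0x13, then "BitTorrent protocol".
BT_HANDSHAKE = re.compile(rb"^\x13BitTorrent protocol")
# HTTP tracker announce: an ordinary GET whose query string carries info_hash=.
BT_TRACKER = re.compile(rb"^GET /[^ \r\n]*announce\?[^ \r\n]*info_hash=")
# Direct Connect (NMDC) login commands, e.g. the hub's opening "$Lock".
DC_LOGIN = re.compile(rb"^\$(Lock|Key|ValidateNick|MyNick|Supports) ")

# Ports a port-based rule set would rely on (assumed well-known defaults).
DEFAULT_PORTS: Dict[int, str] = {
    80: "http", 443: "https", 411: "directconnect",
    4662: "edonkey", 6881: "bittorrent",
}


def looks_like_edonkey(payload: bytes) -> bool:
    """eDonkey (0xE3) / eMule (0xC5) frame: protocol byte + LE uint32 length.
    Require the declared length to match the captured bytes, so a random
    stream that happens to start with 0xE3 is not mislabelled."""
    if len(payload) < 6 or payload[0] not in (0xE3, 0xC5):
        return False
    (length,) = struct.unpack("<I", payload[1:5])
    return length == len(payload) - 5


def classify_by_port(dst_port: int) -> Optional[str]:
    """What a plain port-based firewall rule can see."""
    return DEFAULT_PORTS.get(dst_port)


def classify_by_payload(payload: bytes) -> Optional[str]:
    """What an l7-style inspector sees in the first client bytes of a flow."""
    if BT_HANDSHAKE.match(payload):
        return "bittorrent"
    if BT_TRACKER.match(payload):
        return "bittorrent-tracker"
    if DC_LOGIN.match(payload):
        return "directconnect"
    if looks_like_edonkey(payload):
        return "edonkey"
    return None


def audit(flows: List[Tuple[int, bytes]]) -> List[Tuple[Optional[str], Optional[str]]]:
    """Return (port_guess, payload_guess) for every (dst_port, first_payload)."""
    return [(classify_by_port(p), classify_by_payload(d)) for p, d in flows]


def edonkey_frame(opcode: int, body: bytes) -> bytes:
    """Build a well-formed eDonkey frame; used only to construct sample data."""
    return b"\xe3" + struct.pack("<I", 1 + len(body)) + bytes([opcode]) + body


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS: List[Tuple[int, bytes]] = [
    # 1. BitTorrent handshake on its default port: both views agree.
    (6881, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 20 + b"-XX0001-" + b"0" * 12),
    # 2. The same handshake moved to port 80: the port view says "http".
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 20 + b"-XX0001-" + b"0" * 12),
    # 3. Tracker announce over plain HTTP on port 80.
    (80, b"GET /announce?info_hash=%12%34&peer_id=abc&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n"),
    # 4. Genuine web browsing on port 80: no P2P signature, must stay unlabelled.
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    # 5. eDonkey HELLO (opcode 0x01) on a non-default port.
    (4000, edonkey_frame(0x01, b"\x10" + b"\x11" * 16)),
    # 6. Direct Connect hub greeting on a random high port.
    (31337, b"$Lock EXTENDEDPROTOCOL_constructed Pk=example|"),
]

if __name__ == "__main__":
    for (port, _), (by_port, by_payload) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"dst port {port:5d}: port-based={by_port!s:14} payload-based={by_payload}")
```

Flows 2, 3, 5 and 6 are the cases the thread worries about: a port-only rule either labels them as web traffic or sees nothing, while the first few payload bytes identify them. Flow 4 is the other half of the problem, ordinary HTTP that must not be blocked; and the eDonkey length check shows the kind of consistency test a pattern needs so that a single magic byte does not match arbitrary data.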