From: Christophe Prevotaux <c.prevotaux@hexanet.fr>
To: Richy Kim
Cc: freebsd-security@freebsd.org, pons@gmx.li
Date: Tue, 24 Feb 2004 17:07:35 +0100
Subject: Re: improve ipfw rules
Message-Id: <20040224170735.305df436.c.prevotaux@hexanet.fr>
Organization: HEXANET Sarl
List-Id: Security issues [members-only posting]

AFAIK, it is impossible to truly block P2P traffic with any standard firewalling system. It is the holy grail of ISPs these days. I know of only one system that can do this effectively, and it is commercial: http://www.qosmos.fr , as I have already stated on another FreeBSD mailing list. The way they do it is by implementing a protocol analyser (on-the-fly analysis) that has protocol dictionaries and syntax, which can go up the layers and block on the fly any traffic it has been specified to block.

It is my hope that someday someone will step in and implement a similar system under FreeBSD. But I think it requires quite a lot of work and possibly major rebuilding of ipfw if it needs to be integrated (which would be great).

On Tue, 24 Feb 2004 10:09:24 -0500 Richy Kim wrote:

> >> 3. I'm interested in blocking kazaa/P2P traffic with IPFW, any help in this issue
> you could possibly block connections at known p2p ports.
> deny tcp from any to any 6699 setup
> but most of the newer protocols use dynamic ports and in turn, are configurable.
> so ipfw isn't exactly ideal on its own for this.
>
> -r.

-- 
===============================================================
Christophe Prevotaux
===============================================================
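The contrast the thread draws, a static port rule like the one Richy quotes versus the on-the-fly protocol analysis Christophe describes, as an added example that is not from the original e-mails and not code from ipfw or from Qosmos. It runs two classifiers over constructed first-segment payloads (not captured traffic): a port-list check standing in for `deny tcp from any to any <port> setup`, and a payload-signature check standing in for a protocol dictionary. The port list apart from 6699, the signature strings (BitTorrent handshake prefix, Gnutella connect line, X-Kazaa-* headers) and every host, user and path in the sample flows are assumptions made for the example.

```python
"""Port-based filtering vs. on-the-fly payload analysis for P2P traffic.

Added example, not code from the original thread. The flows below are
constructed by hand, not captured; the signature strings are assumptions
about what each protocol's first client bytes look like.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Callable


@dataclass(frozen=True)
class Flow:
    """First client-to-server segment of a TCP connection (constructed)."""
    name: str        # label for the reader, not used by the classifiers
    dport: int       # destination port the client connected to
    payload: bytes   # first bytes the client sent after the handshake


# What a static ipfw ruleset can key on: a fixed list of well-known P2P ports.
# 6699 is the port from the thread; the others are commonly cited defaults
# (assumed here, not taken from the page).
P2P_PORTS = {6699, 1214, 6346, 6347, 6881}


def port_verdict(flow: Flow) -> Optional[str]:
    """Emulates 'deny tcp from any to any <port> setup': match on port only."""
    return "blocked-by-port" if flow.dport in P2P_PORTS else None


# Protocol dictionary: (protocol, predicate over the first client bytes).
# Assumed signatures: BitTorrent handshake prefix, Gnutella connect line,
# and the X-Kazaa-* headers FastTrack clients add to HTTP-style requests.
SIGNATURES: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("gnutella",   lambda p: p.startswith(b"GNUTELLA CONNECT/")),
    ("kazaa",      lambda p: b"\r\nX-Kazaa-" in p),
]


def payload_verdict(flow: Flow) -> Optional[str]:
    """Emulates the protocol-analyser approach: classify by what was sent,
    regardless of the port it was sent to."""
    for proto, matches in SIGNATURES:
        if matches(flow.payload):
            return proto
    return None


# Constructed sample flows (hosts, users and paths are made up).
SAMPLE_FLOWS = [
    Flow("kazaa-default-port", 1214,
         b"GET /song.mp3 HTTP/1.1\r\nHost: 10.0.0.5:1214\r\n"
         b"X-Kazaa-Username: alice\r\nX-Kazaa-Network: KaZaA\r\n\r\n"),
    Flow("kazaa-on-port-80", 80,
         b"GET /song.mp3 HTTP/1.1\r\nHost: 10.0.0.5\r\n"
         b"X-Kazaa-Username: alice\r\nX-Kazaa-Network: KaZaA\r\n\r\n"),
    Flow("bittorrent-random-port", 51413,
         b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)),
    Flow("gnutella-default-port", 6346,
         b"GNUTELLA CONNECT/0.6\r\nUser-Agent: ExampleClient/1.0\r\n\r\n"),
    Flow("plain-web-on-6699", 6699,
         b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Flow("plain-web-on-80", 80,
         b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def classify(flows: List[Flow]) -> Dict[str, Dict[str, Optional[str]]]:
    """Run both classifiers over every flow; result keyed by the flow label."""
    return {f.name: {"port": port_verdict(f), "payload": payload_verdict(f)}
            for f in flows}


def misses(flows: List[Flow]) -> List[str]:
    """Flows the port rule gets wrong, taking the payload verdict as ground
    truth: P2P it lets through (dynamic or relocated ports) and non-P2P it
    blocks (a legitimate service that happens to sit on a listed port)."""
    wrong = []
    for f in flows:
        is_p2p = payload_verdict(f) is not None
        blocked = port_verdict(f) is not None
        if is_p2p != blocked:
            wrong.append(f.name)
    return wrong


if __name__ == "__main__":
    for name, v in classify(SAMPLE_FLOWS).items():
        print(f"{name:24s} port: {str(v['port']):16s} payload: {v['payload']}")
    print("port rule wrong on:", misses(SAMPLE_FLOWS))
```

The port rule and the payload check agree only on the flows that stay on their default ports; the relocated Kazaa session on 80 and the BitTorrent peer on a random high port pass the port rule untouched, and the intranet web server on 6699 is blocked although it is not P2P. Real signature-based classification has to cope with encrypted and obfuscated transports that defeat byte-pattern matching entirely, which is beyond what this example shows.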