Date: Wed, 31 Aug 2005 08:29:37 -0500
From: Nick Buraglio <nick@buraglio.com>
To: freebsd-pf@freebsd.org
Subject: Re: Application layer firewall on FreeBSD, is it possible ?
Message-ID: <98DDA057-48F4-4AE6-A1EB-9E32C9297BB2@buraglio.com>
In-Reply-To: <20050831001634.63B2C4E704@pipa.profix.cz>
References: <20050831001634.63B2C4E704@pipa.profix.cz>
I think what the pf developers will tell you (and what I think is correct) is that firewalling is meant for layer 3 and layer 7 is meant to be proxied. I hear the l7 stuff for Linux is somewhat of a messy hack (although it does seem to work). I asked what they thought of this a few years ago just out of curiosity and was answered with some fairly good responses re: l7 filtering. At least in regards to pf, I don't think it will ever be able to do it since that's not really what it's for (again, though, I'm not a developer on that project so I really have no idea of their roadmap).

I'd recommend a combination of snort2pf and transparent squid to start; of course you can always use the Linux stuff if you aren't opposed to using Linux.

Check out snort2pf: http://www.thinknerd.org/~ssc/wiki/doku.php?id=snort2pf

It should do what you want it to do.

nb

On Aug 30, 2005, at 7:16 PM, Daniel Dvořák wrote:

> ... but you know, proxy is not what I am asking, proxy is not firewall.
>
> We do not need to restrict everything and all members.
>
> We like a fully routable network with full access to the IPv6 / IPv4 internet without any necessary action like configuring proxy clients on all our members' PCs.
>
> We only want to deny p2p applications by default for all PCs regardless of used protocol/ports and to allow granting access to p2p networks to each member in an individual way, because we have to prevent another letter from our ISP, which was contacted by BSA that from our public IP (from one member in private IP space) ... traffic ... share ... violate ... authorial law.
>
> So of course it must be a combination of IP and application OSI model firewall.
>
> The gateway server should check all packets and their contents to decide if allowed or denied in a fast way like l7-filter on Linux OS.
>
> So is it possible on FreeBSD OS?
>
> Thanks
>
> Dan
>
> _____
>
> From: Daniel Dvořák [mailto:dandee@hellteam.net]
> Sent: Wednesday, August 31, 2005 1:47 AM
> To: 'freebsd-questions@freebsd.org'; 'freebsd-ipfw@freebsd.org'; 'freebsd-pf@freebsd.org'
> Subject: Application layer firewall on FreeBSD, is it possible ?
>
> Hi all,
>
> let me ask you for the task "how to control p2p applications and their traffic with dynamic ports from users' computers on the gateway".
>
> We are a small wireless community and have shared access to the internet for all members. Core members decided to control p2p traffic by default and to allow each person in an individual way, after showing their knowledge of authorial law. :)
>
> But since many dc hubs, edonkey servers, bittorrent web trackers and so on use dynamic, non-standard ports, how to control it?
>
> Linux uses l7-filter <http://sourceforge.net/projects/l7-filter>, sourceforge freeware; it is based on iptables, defining application protocols like the ethereal project does.
>
> So, is there any way to do the same application layer OSI model firewall with a FreeBSD gateway?
>
> Of course, I tried to find it on the web; I have not been successful in searching so far.
>
> If my question is not right in this mailing list, if my question is annoying here, so I am sorry.
>
> Dan
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
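The snort2pf-plus-transparent-squid approach the reply recommends, shown as an added example that is not part of the original message and not snort2pf's, Snort's or pf's own code. The idea is that Snort does the layer-7 recognition and pf stays a layer-3 filter: a small script reads Snort alerts, picks out the member host behind each p2p signature, and adds it to a pf table that a `block` rule references; hosts individually granted p2p access are exempted. The pf.conf fragment, the member LAN 10.0.0.0/24, the allowlist, the rule SIDs and the alert lines are all constructed for the example.

```python
"""snort2pf-style glue: turn Snort "fast" alerts into pf table updates.

Added example for the thread above; it is not snort2pf's own code, nor
anything shipped with Snort or pf. Assumptions (all constructed):
  - Snort sees the member traffic (on the gateway or a span port) and
    writes alerts in its "fast" output format;
  - pf.conf carries the fragment in PF_CONF below: a persistent table
    that packets from listed hosts are blocked against;
  - the member LAN is LOCAL_NET and members granted p2p access are in
    ALLOWED_MEMBERS;
  - the Snort rule SIDs in P2P_SIDS are placeholders, not real rule IDs.
"""
import ipaddress
import re
import shlex
import subprocess

TABLE = "p2p_blocked"
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")   # constructed member LAN
ALLOWED_MEMBERS = {"10.0.0.9"}                     # members granted p2p access
P2P_SIDS = {1000001, 1000002}                      # placeholder p2p rule SIDs

# Matching pf.conf fragment (old-style pf syntax as used in 2005): the table
# is filled at runtime with pfctl, and port-80 traffic is redirected to a
# transparent Squid as the reply suggests.  For reference only; not applied.
PF_CONF = """\
int_if = "fxp1"
int_net = "10.0.0.0/24"
table <p2p_blocked> persist
rdr on $int_if proto tcp from $int_net to any port 80 -> 127.0.0.1 port 3128
block in quick on $int_if from <p2p_blocked> to any
"""

# Snort "fast" alert format (IPv4 only here; IPv6 needs a different port split).
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>" + IPV4 + r")(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>" + IPV4 + r")(?::(?P<dport>\d+))?\s*$"
)

# Constructed alert lines: three p2p hits on 10.0.0.5 (one inbound from the
# remote peer), one p2p hit on the allowlisted 10.0.0.9, one unrelated alert.
SAMPLE_ALERTS = """\
08/31-08:29:37.123456  [**] [1:1000001:1] P2P BitTorrent peer sync [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:51413 -> 203.0.113.7:6881
08/31-08:29:38.000001  [**] [1:1000002:1] P2P eDonkey server connect [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.9:4662 -> 198.51.100.2:4661
08/31-08:29:39.500000  [**] [1:1000001:1] P2P BitTorrent peer sync [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:51414 -> 203.0.113.8:6881
08/31-08:29:40.000000  [**] [1:2000000:1] WEB-MISC unrelated alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:40000 -> 192.0.2.1:80
08/31-08:29:41.000000  [**] [1:1000001:1] P2P BitTorrent peer sync [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.9:6881 -> 10.0.0.5:51413
"""


def parse_alert(line):
    """Parse one fast-format alert line; return a dict or None if it does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "proto": m["proto"],
        "src": m["src"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "dst": m["dst"],
        "dport": int(m["dport"]) if m["dport"] else None,
    }


def offending_hosts(lines, local_net, allowed, p2p_sids):
    """Member hosts named in a p2p alert (as source or destination) that are not allowlisted."""
    hits = set()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["sid"] not in p2p_sids:
            continue
        for addr in (alert["src"], alert["dst"]):
            if ipaddress.ip_address(addr) in local_net and addr not in allowed:
                hits.add(addr)
    return sorted(hits, key=ipaddress.ip_address)


def pfctl_add_command(addr, table=TABLE):
    """argv for adding one address to a pf table (pfctl -t <table> -T add <addr>)."""
    return ["pfctl", "-t", table, "-T", "add", addr]


def block_hosts(addrs, table=TABLE, dry_run=True):
    """Issue (or, in dry-run mode, only report) the pfctl table additions; returns them as strings."""
    issued = []
    for addr in addrs:
        cmd = pfctl_add_command(addr, table)
        if not dry_run:
            subprocess.run(cmd, check=True)  # needs root on the gateway
        issued.append(shlex.join(cmd))
    return issued


if __name__ == "__main__":
    offenders = offending_hosts(SAMPLE_ALERTS.splitlines(), LOCAL_NET, ALLOWED_MEMBERS, P2P_SIDS)
    for cmd in block_hosts(offenders):  # dry run: shows what would be issued
        print(cmd)
```

Two caveats a practitioner should keep in mind with this design: it is reactive, so the first p2p connection from a host gets through before the table entry lands (unlike an inline classifier such as l7-filter), and it blocks the whole host rather than the offending flow, so entries need to be removed again (`pfctl -t p2p_blocked -T delete <addr>`) once a member has been granted access or after a timeout, otherwise a single false positive locks a member out of everything.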
