From: Nick Buraglio
Date: Wed, 31 Aug 2005 08:29:37 -0500
To: freebsd-pf@freebsd.org
Subject: Re: Application layer firewall on FreeBSD, is it possible ?

I think what the pf developers will tell you (and what I think is correct) is that firewalling is meant for layer 3 and layer 7 is meant to be proxied.
I hear the l7 stuff for Linux is somewhat of a messy hack (although it does seem to work). I asked what they thought of this a few years ago just out of curiosity and was answered with some fairly good responses re: l7 filtering. At least in regards to pf, I don't think it will ever be able to do it since that's not really what it's for (again, though, I'm not a developer on that project so I really have no idea of their roadmap). I'd recommend a combination of snort2pf and transparent squid to start; of course you can always use the Linux stuff if you aren't opposed to using Linux.

Check out snort2pf: http://www.thinknerd.org/~ssc/wiki/doku.php?id=snort2pf

It should do what you want it to do.

nb

On Aug 30, 2005, at 7:16 PM, Daniel Dvořák wrote:

> ... but you know, proxy is not what I am asking, proxy is not a firewall.
>
> We do not need to restrict everything and all members.
>
> We like a fully routable network with full access to the IPv6 / IPv4 internet without any necessary action like configuring proxy clients at all the PCs of our members.
>
> We only want to deny p2p applications by default for all PCs regardless of used protocol/ports and to allow granting access to p2p networks to each member in an individual way, because we have to prevent another letter from our ISP, which was contacted by BSA that from our public IP (from one member in private IP space) ... traffic ... share ... violate ... authorial law.
>
> So of course it must be a combination of IP and application OSI model firewall.
>
> Gateway server should check all packets and their contents to decide if allowed or denied in a fast way like l7-filter on Linux OS.
>
> So is it possible on FreeBSD OS?
>
> Thanks
>
> Dan
>
> _____
>
> From: Daniel Dvořák [mailto:dandee@hellteam.net]
> Sent: Wednesday, August 31, 2005 1:47 AM
> To: 'freebsd-questions@freebsd.org'; 'freebsd-ipfw@freebsd.org'; 'freebsd-pf@freebsd.org'
> Subject: Application layer firewall on FreeBSD, is it possible ?
>
> Hi all,
>
> let me ask you about the task "how to control p2p applications and their traffic with dynamic ports from users' computers on the gateway".
>
> We are a small wireless community and have shared access to the internet for all members. Core members decided to control p2p traffic by default and to allow each person in an individual way, after showing their knowledge of authorial law. :)
>
> But since many DC hubs, eDonkey servers, BitTorrent web trackers and so on use dynamic, non-standard ports, how to control it?
>
> Linux uses l7-filter (sourceforge.net/projects/l7-filter, SourceForge freeware); it is based on iptables, with definitions of application protocols like the Ethereal project does.
>
> So, is there any way to do the same application layer OSI model firewall with a FreeBSD gateway?
>
> Of course, I tried to find it on the web; I have not been successful in searching so far.
>
> If my question is not right in this mailing list, if my question is annoying here, I am sorry.
>
> Dan
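An added example, not part of this thread and not snort2pf's own distribution: a minimal pf.conf for the gateway layout Nick suggests, where pf keeps the layer-3/4 policy, member HTTP is handed to a transparent Squid, and a pf table that snort2pf is assumed to fill from Snort alerts takes flagged hosts off the network. Interface names, addresses, the table names, the file path and the `pfctl -t ... -T add` mechanism are assumptions.

```pf
# pf.conf (FreeBSD 5/6-era syntax): L3/L4 policy in pf, HTTP proxied, Snort-driven blocks
ext_if     = "fxp0"               # uplink to the ISP (assumed name)
int_if     = "fxp1"               # members' wireless network (assumed name)
members    = "192.168.209.0/24"   # members' private range (assumed)
squid_port = "3128"               # transparent Squid listening on the gateway (assumed)

# Hosts Snort has flagged. snort2pf is assumed to add them with
# "pfctl -t p2p_block -T add <ip>"; persist keeps entries across ruleset reloads.
table <p2p_block> persist

# Members individually granted p2p access; maintained by hand in a file (assumed path).
table <p2p_allowed> persist file "/etc/pf.p2p_allowed"

set skip on lo0
scrub in all

# NAT for the members' network (IPv4 only)
nat on $ext_if from $members to any -> ($ext_if)

# Hand all member web traffic to the transparent Squid on this box; no client setup needed.
rdr on $int_if inet proto tcp from $members to any port 80 -> 127.0.0.1 port $squid_port

# Default deny; log drops so the policy can be reviewed.
block log all

# Granted members bypass the Snort block list (quick: no later rule overrides this).
pass in quick on $int_if from <p2p_allowed> to any keep state

# Flagged members lose forwarding until they are removed from the table.
block in quick log on $int_if from <p2p_block> to any

# Everyone else gets ordinary layer-3/4 access; Squid's own outbound traffic also passes here.
pass in on $int_if from $members to any keep state
pass out on $ext_if keep state
```

Inspect the live tables with `pfctl -t p2p_block -T show` and `pfctl -t p2p_allowed -T show`. Snort only flags traffic its rules recognise, so encrypted or unsigned p2p protocols pass through this setup without ever reaching the block table.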