Date: Fri, 17 Jun 2005 17:16:37 -0300
From: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
To: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-ipfw@freebsd.org, "Alexandre D." <alexandre.delay@free.fr>, Gilberto Villani Brito <linux@giboia.org>
Subject: Re: Pipes.
Message-ID: <42B32FA5.5000804@freebsdbrasil.com.br>
In-Reply-To: <42B32B60.5060208@mac.com>
References: <MAEBLPAGHGPMOKCBICBNMEDJCGAA.alexandre.delay@free.fr> <42B32B60.5060208@mac.com>
Chuck Swiger wrote:
> Alexandre D. wrote:
>
>> The answer is not so easy.
>> P2P is not only based on port numbers.
>> The P2P detection is quite difficult, and maybe impossible.
>
> Not at all. Start with "deny all", and only allow stuff through which
> you really need to allow. Blocking all outbound client traffic and
> requiring them to go through a proxy on the LAN is adequate.
>
>> My own position is that ipfw is not able to block P2P
>
> Besides, the word was "control". You can shunt all high-priority stuff
> (NTP, DNS, ICMP) into one queue, and put HTTP, FTP, 6667, etc. on a
> low-priority queue via dummynet, and/or adjust the permitted bandwidth.

I personally like this approach a lot. I think it should be the first way to try to do what you need with packets which you might need to "open" and "look inside" to check what kind of traffic it is. At the very least you will have a very organized gateway/fw/segment of network, with a closed policy and a services policy. It might avoid a number of future problems.

My understanding is that an IP packet filter, as it states, should only do packet filtering. I dislike "general purpose" tools. Content analysis ("picking the packet, looking at it to figure out what kind of data/flow it is") should be managed by other kinds of tools.

Back to the question point, there is a program somewhere on the net which allows you to "ipfw divert" the traffic to it, which can later filter traffic based on contents/layer 7. You can also use an IDS, say, snort, and make IPFW filter/pipe/queue traffic for you based on snort rules/matching. There is "SnortSam" which might fit your needs if you can have snort.

I don't remember the "divert based" program name or URL; I'll check my bookmarks and post it later.

-- 
Patrick Tracanelli
FreeBSD Brasil LTDA.
The FreeBSD pt_BR Documentation Project
http://www.freebsdbrasil.com.br
patrick @ freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
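The closed-policy ruleset plus dummynet queues that Chuck describes above, written out as an added example (this is not code from the thread or from the FreeBSD project). It assumes a gateway without NAT, an upstream interface `em0`, a LAN of `192.168.1.0/24`, a 1 Mbit/s uplink, and `net.inet.ip.fw.one_pass=0` so that a packet continues to the allow/deny rules after dummynet has scheduled it; the `IPFW_CMD` and `SYSCTL_CMD` variables are a hypothetical convenience for dry-running the script without root.

```shell
#!/bin/sh
# Added example, not from the thread: a "deny all" ipfw ruleset for a small
# LAN gateway that shunts latency-sensitive traffic (DNS, NTP, ICMP) into a
# high-weight dummynet queue and bulk client traffic (HTTP, FTP, IRC 6667)
# into a low-weight queue sharing the same pipe, then denies everything else.
# Interface name, LAN network and uplink bandwidth below are assumptions.
# NAT is not handled here (with natd the source address would be rewritten).

WAN_IF=${WAN_IF:-em0}                    # assumed upstream interface
LAN_NET=${LAN_NET:-192.168.1.0/24}       # assumed inside network
UPLINK_BW=${UPLINK_BW:-1024Kbit/s}       # assumed uplink capacity

# IPFW_CMD / SYSCTL_CMD allow a dry run (IPFW_CMD=echo SYSCTL_CMD=echo)
# on a box without ipfw or root; on the gateway leave them unset.
apply_rules() {
    fw=${IPFW_CMD:-/sbin/ipfw -q}
    sc=${SYSCTL_CMD:-/sbin/sysctl}

    # With one_pass=0 a packet keeps traversing the ruleset after dummynet,
    # so the queue rules only classify and the rules below still decide policy.
    $sc net.inet.ip.fw.one_pass=0

    $fw -f flush
    $fw -f pipe flush

    # One pipe models the uplink; two WF2Q+ queues share it by weight, so the
    # low-priority queue still gets bandwidth when the high-priority one is idle.
    $fw pipe 1 config bw $UPLINK_BW
    $fw queue 1 config pipe 1 weight 90     # interactive / control traffic
    $fw queue 2 config pipe 1 weight 10     # bulk client traffic

    $fw add 100 allow ip from any to any via lo0
    $fw add 200 check-state

    # Classify outbound LAN traffic into the two queues.
    $fw add 300 queue 1 udp from $LAN_NET to any 53,123 out via $WAN_IF
    $fw add 310 queue 1 icmp from $LAN_NET to any out via $WAN_IF
    $fw add 320 queue 2 tcp from $LAN_NET to any 21,80,6667 out via $WAN_IF

    # Closed policy: allow only the services above, statefully so that replies
    # come back through check-state, then deny (and log) everything else.
    $fw add 400 allow udp from $LAN_NET to any 53,123 out via $WAN_IF keep-state
    $fw add 410 allow icmp from $LAN_NET to any out via $WAN_IF keep-state
    $fw add 420 allow tcp from $LAN_NET to any 21,80,6667 out via $WAN_IF setup keep-state
    $fw add 65000 deny log ip from any to any
}

# Usage on the gateway (as root):  sh shape.sh apply
# Dry run anywhere:                IPFW_CMD=echo SYSCTL_CMD=echo sh shape.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Anything the LAN does not explicitly need (including whatever a P2P client tries on random ports) falls through to rule 65000; the queues then decide how the permitted traffic shares the uplink rather than trying to recognise what it is.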