From owner-freebsd-current@FreeBSD.ORG Tue Aug 30 19:50:52 2005
From: Charles Swiger
Date: Tue, 30 Aug 2005 15:50:47 -0400
To: dandee@volny.cz
Cc: freebsd-current@freebsd.org
Subject: Re: Application layer firewall on FreeBSD, is it possible ?
Message-Id: <8DC722F7-1946-4CE3-B4B9-A6F8624CE9A3@mac.com>
In-Reply-To: <20050830185851.ECF554E704@pipa.profix.cz>

On Aug 30, 2005, at 2:58 PM, Daniel Dvořák wrote:
> Let me ask you for the task "how to control p2p applications and their traffic
> with dynamic ports from users' computers on the gateway".
>
> We are a small wireless community and have shared access to the internet for all
> members. Core members decided to control p2p traffic by default and to allow
> each person in an individual way, after showing their knowledge of authorial law. :)
>
> But since many dc hubs, edonkey servers, bittorrent web trackers and so on
> use dynamic, non-standard ports, how to control it?

Start with a "deny all" policy, and use L7 proxies like squid for the specific protocols like HTTP which you want to permit. If you're really serious about controlling the traffic, don't let your router talk to anything but your proxy server, in order to be certain that the client machines have to go through that.

-- 
-Chuck
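The deny-all-plus-proxy layout Chuck describes, written out as a pf.conf for the gateway. This is an added example and is not from the original mail or from the FreeBSD project; every name in it is an assumption: the upstream interface is em0, the community LAN is on wlan0 as 10.1.0.0/16, the squid host is 10.1.0.2 listening on squid's default port 3128, and the admin host is 10.1.0.10. Clients can reach nothing but the proxy; only the proxy host can leave for HTTP/HTTPS and DNS, so any P2P client on a dynamic port is dropped (and logged) by the default block rule regardless of which port it picks.

```pf
# Added example, not part of the original mail. Assumed macros:
ext_if     = "em0"          # upstream link
int_if     = "wlan0"        # community LAN
lan        = "10.1.0.0/16"  # member machines
proxy      = "10.1.0.2"     # squid host
proxy_port = "3128"         # squid's default listening port
admin      = "10.1.0.10"    # host allowed to ssh to the gateway

set skip on lo0

# Translation: only the proxy host is ever NATed out; nobody else needs it.
nat on $ext_if from $proxy to any -> ($ext_if)

# Default policy: deny everything, in both directions, on every interface.
# Logging the drops is what lets you see clients trying dynamic ports.
block log all

# Members may talk to the proxy, and only to the proxy.
pass in quick on $int_if proto tcp from $lan to $proxy port $proxy_port \
    flags S/SA keep state

# Management access to the gateway itself from one admin host.
pass in quick on $int_if proto tcp from $admin to ($int_if) port 22 \
    flags S/SA keep state

# The proxy host alone may leave for the protocols squid handles,
# plus DNS so it can resolve the names it fetches.
pass in  quick on $int_if proto tcp from $proxy to any port { 80, 443 } \
    flags S/SA keep state
pass in  quick on $int_if proto udp from $proxy to any port 53 keep state
pass out quick on $ext_if proto tcp from $proxy to any port { 80, 443 } \
    flags S/SA keep state
pass out quick on $ext_if proto udp from $proxy to any port 53 keep state

# Anything not matched above (every direct client connection, whatever
# port it uses) falls through to the block rule.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `pflog0` with `tcpdump -n -e -ttt -i pflog0` to confirm that direct client traffic is being dropped. The per-person exceptions the community wants are then a matter of adding a `pass` rule for that member's address (or a pf table of permitted hosts) rather than trying to enumerate P2P ports. On the squid side, restrict who may use the proxy with `http_access` ACLs in squid.conf so that the proxy itself does not become an open relay for the same traffic.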