From: Daniel Dvořák
Reply-To: dandee@volny.cz
To: 'Charles Swiger'
Cc: freebsd-current@freebsd.org
Date: Wed, 31 Aug 2005 02:14:56 +0200
Subject: RE: Application layer firewall on FreeBSD, is it possible ?
In-Reply-To: <8DC722F7-1946-4CE3-B4B9-A6F8624CE9A3@mac.com>
Message-Id: <20050831001504.B6E984E704@pipa.profix.cz>

Okay, thank you for the advice. Maybe I did not understand fully but ...

... but you know, a proxy is not what I am asking about; a proxy is not a firewall. We do not need to restrict everything and all members. We like a fully routable network with full access to the IPv6 / IPv4 Internet without any necessary action like configuring proxy clients on all our members' PCs.

We only want to deny p2p applications by default for all PCs regardless of the protocol/ports used, and to allow granting access to p2p networks to each member individually, because we have to prevent another letter from our ISP, which was contacted by the BSA, that from our public IP (from one member in private IP space) ... traffic ... share ... violate ... authorial law.

So of course it must be a combination of an IP-layer and an application-layer (OSI model) firewall. The gateway server should check all packets and their contents to decide whether they are allowed or denied, in a fast way like l7-filter on Linux. So is it possible on FreeBSD?

Thanks

Since my question is not appropriate here, as somebody told me, this is my last e-mail on this mailing list for this topic, and I am sending it to the freebsd-questions, freebsd-ipfw and freebsd-pf mailing lists.

Dan

-----Original Message-----
From: owner-freebsd-current@freebsd.org [mailto:owner-freebsd-current@freebsd.org] On Behalf Of Charles Swiger
Sent: Tuesday, August 30, 2005 9:51 PM
To: dandee@volny.cz
Cc: freebsd-current@freebsd.org
Subject: Re: Application layer firewall on FreeBSD, is it possible ?

On Aug 30, 2005, at 2:58 PM, Daniel Dvořák wrote:
> Let me ask you about the task "how to control p2p applications and their
> traffic with dynamic ports from users' computers on the gateway".
>
> We are a small wireless community and have shared access to the Internet for
> all members. Core members decided to control p2p traffic by default
> and to allow each person in an individual way, after showing their
> knowledge of authorial law. :)
>
> But since many DC hubs, eDonkey servers, BitTorrent web trackers and
> so on use dynamic, non-standard ports, how to control it?

Start with a "deny all" policy, and use L7 proxies like squid for the specific protocols like HTTP which you want to permit. If you're really serious about controlling the traffic, don't let your router talk to anything but your proxy server in order to be certain that the client machines have to go through that.

--
-Chuck

_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
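Chuck's "deny all, then permit only through the proxy" design, written out as a pf.conf for a FreeBSD gateway. This is an added example, not part of the thread; it assumes em0 is the uplink, em1 the member LAN, 10.0.0.0/24 the private member space, and that squid (port 3128) and a DNS resolver run on the gateway itself, so no packet is ever forwarded between the two interfaces.

```pf
# Added example (not from the thread): pf.conf for a FreeBSD gateway where the
# only way out is squid running on the gateway. Interface names, the LAN prefix
# and the proxy port are assumptions.
ext_if = "em0"            # uplink to the ISP
int_if = "em1"            # member LAN
lan    = "10.0.0.0/24"    # private member address space (assumed)

set skip on lo0
scrub in all

# Default policy: nothing is forwarded and nothing passes unless a rule below
# says so. Logging the drops makes direct attempts (p2p clients probing for a
# way out on dynamic ports) visible on pflog0 for review.
block log all

# Members may reach only the proxy and the resolver on the gateway itself.
pass in quick on $int_if proto tcp from $lan to ($int_if) port 3128 keep state
pass in quick on $int_if proto { tcp, udp } from $lan to ($int_if) port 53 keep state

# Management access to the gateway from the LAN, plus ping for diagnostics.
pass in quick on $int_if proto tcp from $lan to ($int_if) port 22 keep state
pass in quick on $int_if inet proto icmp from $lan to ($int_if) icmp-type echoreq keep state

# The gateway (i.e. squid and the resolver) may originate only what the proxy
# needs: HTTP/HTTPS upstream, DNS and NTP. Each protocol you decide to proxy
# gets its own line here; anything else has no path to $ext_if at all.
pass out quick on $ext_if proto tcp from ($ext_if) to any port { 80, 443 } keep state
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 keep state
pass out quick on $ext_if proto udp from ($ext_if) to any port 123 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; note that, as Dan points out, this design requires every member PC to be configured to use the proxy, and the pflog drops are where you will see which hosts have not been.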