From owner-freebsd-current@FreeBSD.ORG  Wed Aug 31 00:44:14 2005
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
X-Original-To: freebsd-current@freebsd.org
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BCFFD16A41F
	for <freebsd-current@freebsd.org>; Wed, 31 Aug 2005 00:44:14 +0000 (GMT)
	(envelope-from jd@ugcs.caltech.edu)
Received: from riyal.ugcs.caltech.edu (riyal.ugcs.caltech.edu
	[131.215.176.123])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 72CE443D45
	for <freebsd-current@freebsd.org>; Wed, 31 Aug 2005 00:44:14 +0000 (GMT)
	(envelope-from jd@ugcs.caltech.edu)
Received: by riyal.ugcs.caltech.edu (Postfix, from userid 3640)
	id 573EE45804; Tue, 30 Aug 2005 17:44:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by riyal.ugcs.caltech.edu (Postfix) with ESMTP
	id D3AEA45802; Tue, 30 Aug 2005 17:44:12 -0700 (PDT)
Date: Tue, 30 Aug 2005 17:44:12 -0700 (PDT)
From: Jon Dama <jd@ugcs.caltech.edu>
To: dandee@volny.cz
In-Reply-To: <20050831001504.B6E984E704@pipa.profix.cz>
Message-ID: <Pine.LNX.4.53.0508301741230.20467@riyal.ugcs.caltech.edu>
References: <20050831001504.B6E984E704@pipa.profix.cz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-2
Content-Transfer-Encoding: QUOTED-PRINTABLE
Cc: freebsd-current@freebsd.org
Subject: RE: Application layer firewall on FreeBSD, is it possible ?
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2005 00:44:14 -0000

I do not think this is possible with an existing "shrink-wrapped"
solution.

Though, one would expect that it would be a relatively trivial matter to
make a userland application from the linux application filter and then use
the tun/tap(4) driver.

-Jon

On Wed, 31 Aug 2005, [iso-8859-2] Daniel Dvo=F8=E1k wrote:

> Okay, thank you for advise. Maybe I did not understand fully but ...
>
> ... but you know, proxy is not what I am asking, proxy is not firewall.
>
> We do not need to restrict everything and all members.
>
> We like full routeable network with full access to IPv6 / IPv4 internet
> without any necessary action like configure proxy clients at all pc=B4s o=
ur
> members.
>
> We only want to deny only p2p applications by default for all pc=B4s
> regardless of used protocol/ports and to allow grantting access to p2p
> networks each members in individual way, because we have to prevent anoth=
er
> letter from our ISP which was contacted by BSA that from our public IP (
> from one member in private ip space ) ... traffic ... share ... violate .=
=2E.
> authorial law.
>
> So of course it must be combination of IP and application osi model
> firewall.
>
> Gateway server should check all packets and their contents to decide if
> allowed or denied in fast way like l7-filter on Linux OS.
>
> So is it possible on FreeBSD OS ?
>
> Thanks
>
> Since my question here is not right like somebody told me, this is last
> e-mail in this mailling list for this theme, and I send it to
> freebsd-question, freebsd-ipfw and freebsd-pf mailling lists.
>
> Dan
>
> -----Original Message-----
> From: owner-freebsd-current@freebsd.org
> [mailto:owner-freebsd-current@freebsd.org] On Behalf Of Charles Swiger
> Sent: Tuesday, August 30, 2005 9:51 PM
> To: dandee@volny.cz
> Cc: freebsd-current@freebsd.org
> Subject: Re: Application layer firewall on FreeBSD, is it possible ?
>
> On Aug 30, 2005, at 2:58 PM, Daniel Dvo=F8=E1k wrote:
> > let me ask you for task "how to control p2p applications and their
> > traffic with dynamic ports from user=B4s commputers on gateway".
> >
> > We are small wireless community and have shared access to internet for
> > all members. Core members decided to control p2p traffic by default
> > and to allow each person in individual way, after showing their
> > knowledge of authorial low. :)
> >
> > But since many dc hubs, edonkey servers, bittorents web trackers and
> > so on use dynamic not standard ports, how to control it ?
>
> Start with a "deny all" policy, and use L7 proxies like squid for the
> specific protocols like HTTP which you want to permit.  If you're really
> serious about controlling the traffic, don't let your router talk to
> anything but your proxy server in order to be certain that the client
> machines have to go through that.
>
> --
> -Chuck
>
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org=
"
>
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org=
"
>