From owner-freebsd-current@FreeBSD.ORG Wed Aug 31 01:56:45 2005
X-Original-To: freebsd-current@freebsd.org
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5CF0516A41F for ; Wed, 31 Aug 2005 01:56:45 +0000 (GMT) (envelope-from jd@ugcs.caltech.edu)
Received: from riyal.ugcs.caltech.edu (riyal.ugcs.caltech.edu [131.215.176.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0BEE943D45 for ; Wed, 31 Aug 2005 01:56:45 +0000 (GMT) (envelope-from jd@ugcs.caltech.edu)
Received: by riyal.ugcs.caltech.edu (Postfix, from userid 3640) id 0538B45804; Tue, 30 Aug 2005 18:56:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by riyal.ugcs.caltech.edu (Postfix) with ESMTP id A8AB145802; Tue, 30 Aug 2005 18:56:43 -0700 (PDT)
Date: Tue, 30 Aug 2005 18:56:43 -0700 (PDT)
From: Jon Dama
To: Maksim Yevmenkin
In-Reply-To: <43150D94.8050502@savvis.net>
References: <20050831001504.B6E984E704@pipa.profix.cz> <43150D94.8050502@savvis.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: QUOTED-PRINTABLE
Cc: freebsd-current@freebsd.org, dandee@volny.cz
Subject: Re: Application layer firewall on FreeBSD, is it possible ?
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Wed, 31 Aug 2005 01:56:45 -0000

Um, how is that effectively different than my recommendation that he build
something around tun/tap(4)? It seems to me that you are saying essentially
the same thing.

-Jon

On Tue, 30 Aug 2005, Maksim Yevmenkin wrote:

> Jon Dama wrote:
> > I do not think this is possible with an existing "shrink-wrapped"
> > solution.
>
> yes, it is. take a look at netgraph(4). for example, with ethernet
> interfaces you can connect a userspace and/or application kernel module to
> the "lower" and "upper" ng_ether(4) hooks and effectively look at every
> packet that goes in/out on the wire.
>
> max
>
> > Though, one would expect that it would be a relatively trivial matter to
> > make a userland application from the linux application filter and then use
> > the tun/tap(4) driver.
> >
> > -Jon
> >
> > On Wed, 31 Aug 2005, Daniel Dvořák wrote:
> >
> >> Okay, thank you for the advice. Maybe I did not understand fully but ...
> >>
> >> ... but you know, a proxy is not what I am asking about; a proxy is not a firewall.
> >>
> >> We do not need to restrict everything and all members.
> >>
> >> We would like a fully routable network with full access to the IPv6 / IPv4 internet
> >> without any necessary action like configuring proxy clients on all of our
> >> members' PCs.
> >>
> >> We only want to deny p2p applications by default for all PCs
> >> regardless of the protocol/ports used, and to allow granting access to p2p
> >> networks to each member individually, because we have to prevent another
> >> letter from our ISP, which was contacted by the BSA, that from our public IP
> >> (from one member in private IP space) ... traffic ... share ... violate ...
> >> authorial law.
> >>
> >> So of course it must be a combination of an IP and an application (OSI model)
> >> firewall.
> >>
> >> The gateway server should check all packets and their contents to decide if
> >> they are allowed or denied, in a fast way like l7-filter on Linux OS.
> >>
> >> So is it possible on FreeBSD OS?
> >>
> >> Thanks
> >>
> >> Since my question here is not right, as somebody told me, this is the last
> >> e-mail in this mailing list on this topic, and I am sending it to the
> >> freebsd-questions, freebsd-ipfw and freebsd-pf mailing lists.
> >>
> >> Dan
> >>
> >> -----Original Message-----
> >> From: owner-freebsd-current@freebsd.org
> >> [mailto:owner-freebsd-current@freebsd.org] On Behalf Of Charles Swiger
> >> Sent: Tuesday, August 30, 2005 9:51 PM
> >> To: dandee@volny.cz
> >> Cc: freebsd-current@freebsd.org
> >> Subject: Re: Application layer firewall on FreeBSD, is it possible ?
> >>
> >> On Aug 30, 2005, at 2:58 PM, Daniel Dvořák wrote:
> >>
> >>> let me ask you about the task "how to control p2p applications and their
> >>> traffic with dynamic ports from users' computers on the gateway".
> >>>
> >>> We are a small wireless community and have shared access to the internet for
> >>> all members. Core members decided to control p2p traffic by default
> >>> and to allow each person individually, after they show their
> >>> knowledge of authorial law. :)
> >>>
> >>> But since many DC hubs, eDonkey servers, BitTorrent web trackers and
> >>> so on use dynamic, non-standard ports, how can we control it?
> >>
> >> Start with a "deny all" policy, and use L7 proxies like squid for the
> >> specific protocols like HTTP which you want to permit. If you're really
> >> serious about controlling the traffic, don't let your router talk to
> >> anything but your proxy server in order to be certain that the client
> >> machines have to go through that.
> >>
> >> --
> >> -Chuck
> >>
> >> _______________________________________________
> >> freebsd-current@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> >> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
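Added example, not code from this thread, from l7-filter, or from FreeBSD/netgraph: the decision step that the userland filter Jon and Maksim describe would run on every packet handed to it, whether by tun/tap(4) or by an ng_socket(4) node hung off the ng_ether(4) lower/upper hooks. It does what Dan asks for: classify each packet by payload content rather than port, remember the label for the rest of the flow, deny P2P by default, and let individually granted hosts through. The `Packet`/`L7Filter` names, the LAN prefix `10.0.0.0/24`, the allow list, the signatures and the sample packets are all this example's own constructions; the signatures rest on documented protocol constants (the BitTorrent handshake string, NMDC `$` commands, eDonkey's protocol byte and length field). The OS-specific capture and reinjection plumbing is deliberately left out.

```python
"""Port-independent L7 classification of packet payloads (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Signatures tried against the payload regardless of port, l7-filter style.
SIGNATURES = [
    # BitTorrent peer-wire handshake: <19>"BitTorrent protocol"
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    # BitTorrent tracker request carried over plain HTTP
    ("bittorrent", re.compile(rb"^GET /(announce|scrape)\?\S*info_hash=", re.I)),
    # NMDC (Direct Connect) hub/client commands
    ("directconnect", re.compile(rb"^\$(Lock|MyNick|Key|Supports|ValidateNick) ")),
]


def looks_like_edonkey(payload: bytes) -> bool:
    """eDonkey/eMule framing: protocol byte (0xE3 eDonkey, 0xC5 eMule), then a
    4-byte little-endian length of everything after the 5-byte header.
    Checking the declared length against what we hold avoids flagging random
    binary data that merely starts with 0xE3."""
    if len(payload) < 6 or payload[0] not in (0xE3, 0xC5):
        return False
    return int.from_bytes(payload[1:5], "little") == len(payload) - 5


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes


def flow_key(p: Packet) -> tuple:
    """Direction-independent 5-tuple so both halves of a flow share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


class L7Filter:
    """Default-deny P2P with a per-member allow list; everything else passes."""

    def __init__(self, lan: str, p2p_allowed):
        self.lan = ip_network(lan)
        self.allowed = {ip_address(h) for h in p2p_allowed}
        self.flows = {}  # flow_key -> application label (sticky per flow)

    def classify(self, payload: bytes):
        for label, rx in SIGNATURES:
            if rx.search(payload):
                return label
        return "edonkey" if looks_like_edonkey(payload) else None

    def member(self, p: Packet):
        """The LAN-side host of the packet, or None for transit traffic."""
        for host in (p.src, p.dst):
            if ip_address(host) in self.lan:
                return ip_address(host)
        return None

    def verdict(self, p: Packet) -> str:
        key = flow_key(p)
        label = self.flows.get(key)
        if label is None:
            # Only the first packets carry a signature; once one hits, the
            # whole flow inherits the label, as l7-filter marks a connection.
            label = self.classify(p.payload)
            if label is not None:
                self.flows[key] = label
        if label is None:
            return "pass"
        host = self.member(p)
        return "pass" if host is None or host in self.allowed else "drop"


def run_sample():
    """Constructed packets (not captured traffic); 10.0.0.7 is granted P2P."""
    f = L7Filter("10.0.0.0/24", ["10.0.0.7"])
    handshake = b"\x13BitTorrent protocol" + bytes(8) + b"\xaa" * 20 + b"-XX0001-" + bytes(12)
    ed_body = b"\x01" + bytes(5)  # opcode + 5 body bytes
    edonkey = b"\xe3" + len(ed_body).to_bytes(4, "little") + ed_body
    packets = [
        Packet("10.0.0.5", "203.0.113.9", "tcp", 51413, 6881, handshake),
        # later packet of the same flow, reverse direction, no signature in it
        Packet("203.0.113.9", "10.0.0.5", "tcp", 6881, 51413, b"\x00\x00\x00\x01\x02"),
        Packet("10.0.0.7", "203.0.113.9", "tcp", 51413, 6881, handshake),
        Packet("10.0.0.5", "198.51.100.4", "tcp", 40000, 80,
               b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        # Direct Connect login on port 80: the port says HTTP, the payload does not
        Packet("10.0.0.5", "198.51.100.4", "tcp", 40001, 80, b"$Lock EXTENDEDPROTOCOLABC Pk=hub|"),
        Packet("10.0.0.5", "203.0.113.50", "udp", 4672, 4665, edonkey),
        # starts with 0xE3 but the declared length is wrong: not eDonkey
        Packet("10.0.0.5", "203.0.113.50", "udp", 4673, 4665, b"\xe3\x00\x00\x00\x00hello"),
    ]
    return [f.verdict(p) for p in packets]


if __name__ == "__main__":
    for v in run_sample():
        print(v)
```

The flow table is what makes this a firewall rather than a grep: the BitTorrent handshake is the only packet with a recognisable string, and every later packet of that connection, in either direction, is dropped on the strength of it. The caveats are the ones l7-filter has too: signatures only see unobfuscated protocol openings, so encrypted or obfuscated P2P transports slip through, and a real deployment needs to expire `flows` entries and to sit in line (tun/tap or an ng_socket node, not a tee) so that "drop" actually discards the packet.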