From owner-freebsd-current@FreeBSD.ORG Wed Aug 31 11:19:10 2005 Return-Path: X-Original-To: freebsd-current@freebsd.org Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 584E116A41F for ; Wed, 31 Aug 2005 11:19:10 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [204.156.12.53]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0FC7F43D45 for ; Wed, 31 Aug 2005 11:19:10 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by cyrus.watson.org (Postfix) with ESMTP id AAD9F46B23; Wed, 31 Aug 2005 07:19:09 -0400 (EDT) Date: Wed, 31 Aug 2005 12:19:09 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: dandee@volny.cz In-Reply-To: <20050830185851.ECF554E704@pipa.profix.cz> Message-ID: <20050831121627.J39418@fledge.watson.org> References: <20050830185851.ECF554E704@pipa.profix.cz> MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="0-1143843103-1125487149=:39418" Cc: freebsd-current@freebsd.org Subject: Re: Application layer firewall on FreeBSD, is it possible ? X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Aug 2005 11:19:10 -0000 This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --0-1143843103-1125487149=:39418 Content-Type: TEXT/PLAIN; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: QUOTED-PRINTABLE On Tue, 30 Aug 2005, [iso-8859-2] Daniel Dvo?=E1k wrote: > So, is there any way to do same application layer osi model firewall=20 > with FreeBSD gateway ? > > Of course, I tried to find on web, I have not been successful in=20 > searching so far. > > If my question is not right in this mailing list, if my question is=20 > annoying here, so I am sorry. I can't speak to the details of the environment or protocols, but you=20 might take a look at "ipfw fwd", which allows you to locally intercept=20 wide area network TCP connections passing through an IP router. This can= =20 be used for things like transparent proxy caching, transparent firewalls,= =20 and so on. ipfw(8) contains some details, but I've not played with it=20 myself so I can't tell you much more than that it looks like applications= =20 can simply bind a TCP port, and then you can use ipfw fwd to redirect=20 connections to it. I'm not sure how well ICMP is handled. Robert N M Watson --0-1143843103-1125487149=:39418--