I think what the pf developers will tell you (and what I think is correct) is that firewalling is meant for layer 3 and layer 7 is meant to be proxied. I hear the l7 stuff for Linux is somewhat of a messy hack (although it does seem to work). I asked what they thought of this a few years ago just out of curiosity and was answered with some fairly good responses re: l7 filtering. At least in regards to pf, I don't think it will ever be able to do it since that's not really what it's for (again, though, I'm not a developer on that project so I really have no idea of their roadmap). I'd recommend a combination of snort2pf and transparent squid to start; of course you can always use the Linux stuff if you aren't opposed to using Linux.
Check out snort2pf: http://www.thinknerd.org/~ssc/wiki/doku.php?id=snort2pf It should do what you want it to do.
nb
On Aug 30, 2005, at 7:16 PM, Daniel Dvořák wrote:
... but you know, a proxy is not what I am asking about; a proxy is not a firewall.
We do not need to restrict everything and all members.
We like a fully routable network with full access to the IPv6 / IPv4 internet without any necessary action, like configuring proxy clients on all of our members' PCs.
We only want to deny p2p applications by default for all PCs regardless of the protocol/ports used, and to allow granting access to p2p networks to each member in an individual way, because we have to prevent another letter from our ISP, which was contacted by the BSA that from our public IP (from one member in private IP space) ... traffic ... share ... violate ... authorial law.
So of course it must be a combination of IP and application (OSI model) firewall.
The gateway server should check all packets and their contents to decide whether they are allowed or denied, in a fast way like l7-filter on Linux OS.
So is it possible on FreeBSD OS?
Thanks
Dan
_____
From: Daniel Dvořák [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 31, 2005 1:47 AM
To: '[email protected]'; '[email protected]'; '[email protected]'
Subject: Application layer firewall on FreeBSD, is it possible ?
Hi all,
let me ask you about the task "how to control p2p applications and their traffic with dynamic ports from users' computers on a gateway".
We are a small wireless community and have shared access to the internet for all members. Core members decided to control p2p traffic by default and to allow each person in an individual way, after showing their knowledge of authorial law. :)
But since many DC hubs, eDonkey servers, BitTorrent web trackers and so on use dynamic, non-standard ports, how to control it?
Linux uses l7-filter <http://sourceforge.net/projects/l7-filter>, sourceforge freeware, and it is based on iptables, with definitions of application protocols like the Ethereal project does.
So, is there any way to do the same application layer (OSI model) firewall with a FreeBSD gateway?
Of course, I tried to find it on the web, but I have not been successful in searching so far.
If my question is not right in this mailing list, if my question is annoying here, I am sorry.
Dan
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
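To make the "pf does layer 3, something else does layer 7" split concrete, here is an added pf.conf fragment (an example written for this thread, not code from either poster or from snort2pf): pf only ever matches on addresses and ports, so the per-member exemptions live in one table and the layer-7 verdicts are pushed into a second table by an external detector. Interface names, the member address, the table names and the file path are assumptions.

```conf
# Added example, not from the thread. Assumed: em0 = uplink, em1 = member LAN.
ext_if = "em0"
int_if = "em1"

# Members explicitly granted p2p access, one address per line; reloaded with
#   pfctl -t p2p_allowed -T replace -f /etc/pf/p2p_allowed
# (the path is an assumption).
table <p2p_allowed> persist file "/etc/pf/p2p_allowed"

# Hosts the external layer-7 detector (an IDS feeding pf, the way the reply
# describes snort2pf) has flagged. Filled at run time, for example with
#   pfctl -t p2p_flagged -T add 10.10.3.42      # constructed member address
# Nothing in this file matches on payload; that is the detector's job.
table <p2p_flagged> persist

set skip on lo0
scrub in all

# Default-deny for flagged hosts, both directions; "log" so the gateway
# keeps a record of what was dropped and why (see pflog).
block in  log quick on $int_if from <p2p_flagged> to any
block out log quick on $ext_if from <p2p_flagged> to any

# Everything else is routed normally for both address families, as the
# original post asks for (no proxy settings on member PCs).
pass in  on $int_if from any to any keep state
pass out on $ext_if from any to any keep state

# Cheap layer-4 hint for the well-known default range only (constructed
# example range); last matching rule wins, so this overrides the pass above
# for members not in the allow-list. The dynamic-port case the thread is
# really about can only be caught by the detector that fills <p2p_flagged>.
block in log on $int_if proto tcp from ! <p2p_allowed> to any port 6881:6889
```

The detector side is expected to skip addresses in `<p2p_allowed>` before adding anything to `<p2p_flagged>`; pf has no way to express that exemption for traffic it cannot classify itself.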