On 6/1/05, Rogério Moura <[EMAIL PROTECTED]> wrote:

> I'd like to know if PF can block packets by their content (like the
> patch-o-matic string match of IPTABLES), because my network has connections
> from Skype and Messenger. These programs use ports that are allowed in
> the firewall, such as 80 and 443, and I don't know how to block these programs!!!!
This is not currently a function of 'pf'. See /usr/ports/net/ngrep or http://snort-inline.sourceforge.net/

You may wish to review your policies -- both your firewall policy in pf, and your written acceptable usage policy (AUP) for your "customers".

The specific problem of abusive programs abusing outbound open ports to run arbitrary protocols is a growing issue. The first step in addressing the issue is to lock down outbound connectivity. If you can force all legitimate HTTP/HTTPS traffic to use an explicit proxy (HTTPS won't work through a transparent proxy), you can just deny all outbound connections not processed through the proxy. Then it's just a question of how to configure your proxy to break Skype, Messenger, etc.

Even after forcing all outbound sessions to be proxied and logged, you will run into protocols and tools that can sneak out through a proxy (AIM, Limewire, etc. can all be configured to abuse a proxy gateway). Worst case, you'll have verbose logs of all outbound traffic that looks like web traffic, and you can solve the social problem of AUP enforcement through social means -- I recommend public hangings at dawn.

Kevin Kadow
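As an added illustration of the "deny everything that does not go through the explicit proxy" policy Kevin describes (this ruleset is not from the thread or from either poster), a pf.conf in the FreeBSD-style syntax of the time. The interface names, the LAN range, the proxy at 192.168.0.10:3128 and the resolver at 192.168.0.53 are hypothetical placeholders.

```pf
# Added example, not part of the original thread. Hypothetical layout:
# em0 = outside, em1 = LAN, explicit proxy (e.g. Squid) at 192.168.0.10:3128,
# internal resolver at 192.168.0.53. All names, addresses and ports are placeholders.
ext_if     = "em0"
int_if     = "em1"
lan        = "192.168.0.0/24"
proxy      = "192.168.0.10"
proxy_port = "3128"
dns        = "192.168.0.53"

set skip on lo0

# Only the proxy and the resolver are translated; an unproxied client has no
# usable path out even if a pass rule were to slip through later.
nat on $ext_if from { $proxy, $dns } to any -> ($ext_if)

# Default deny, logged. Direct attempts at 80/443 from clients (Skype,
# Messenger, P2P on "web" ports) end up in pflog instead of on the wire,
# which is the verbose outbound log the reply mentions.
block log all

# Clients may reach only the explicit proxy and the internal resolver.
pass in on $int_if proto tcp from $lan to $proxy port $proxy_port keep state
pass in on $int_if proto { tcp, udp } from $lan to $dns port 53 keep state

# The proxy is the only host allowed to open outbound HTTP/HTTPS sessions;
# the resolver is the only host allowed to open outbound DNS.
pass in on $int_if proto tcp from $proxy to any port { 80, 443 } keep state
pass in on $int_if proto { tcp, udp } from $dns to any port 53 keep state

# After NAT the source is the outside address, so match on that for the
# corresponding outbound leg.
pass out on $ext_if proto tcp from ($ext_if) to any port { 80, 443 } keep state
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 keep state
```

pf only enforces that sessions originate from the proxy; what the proxy lets through on CONNECT (which is where tunnelling tools ride) is a proxy-side decision, so `tcpdump -n -e -ttt -i pflog0` on the dropped traffic is the place to watch for clients that keep trying to go direct.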
