Date: Sun, 27 Nov 2005 18:46:53 +0100
From: "Alexandre DELAY" <alexandre.delay@free.fr>
To: "Chuck Swiger" <cswiger@mac.com>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Protocol filter capabilities
Message-ID: <MAEBLPAGHGPMOKCBICBNCEONCIAA.alexandre.delay@free.fr>
In-Reply-To: <438924EC.7000505@mac.com>

Snort doesn't answer such needs. It is not able to analyze application protocols such as BEEP or Edonkey.
See: http://www.snort.org/docs/writing_rules/

Filtering application protocols based on IP/ports is not efficient. Some applications are able to work on almost any port.

cheers

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Chuck Swiger
Sent: Sunday, 27 November 2005 04:16
To: Alexandre DELAY
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Protocol filter capabilities

Alexandre DELAY wrote:
> I am looking for an efficient way to filter different protocols, such as
> edonkey or BEEP. For the moment, I think that ipfw doesn't support it.

Sure it does. Start with "deny all" [1] and then add the minimum required open ports, preferably only for a proxy server that the clients are required to use for all outside access. Specifically, look at and combine the closed and simple firewall types in /etc/rc.firewall.

You might also try to use bandwidth shaping to prioritize P2P behind more useful traffic like VOIP.

> Don't you think that it would be a nice thing to be able to include such
> "filters" from, for example, ethereal?
> Ethereal supports more than 34k different protocols. It would be nice to be
> able to choose from those filters and to apply some rules according to those
> filters.

You're talking about a reactive IDS. You can rig them up using scripts which monitor logfiles, or something like /usr/ports/security/snort. However, I prefer to use IDS for traffic I permit but want to monitor, not traffic I already know I want to block.

--
-Chuck

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
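
Added example, not part of the original thread and not ipfw or Snort code: a small payload classifier showing the point made above, that a port-only match loses a protocol as soon as it moves to another port while a content match does not. Assumptions: the eDonkey framing (marker byte, 4-byte little-endian length, opcode) and its conventional ports 4661/4662 come from public protocol descriptions, the BEEP frame headers follow RFC 3080/3081, and the sample flows are constructed.

```python
import re
import struct

# eDonkey TCP framing (assumed from public protocol descriptions, not from the
# message): marker byte, 4-byte little-endian length, then a 1-byte opcode.
EDONKEY_MARKERS = {0xE3: "edonkey", 0xC5: "emule-ext", 0xD4: "emule-packed"}
MAX_EDONKEY_LEN = 2 * 1024 * 1024  # sanity bound (assumption) to cut false positives

# BEEP frame headers per RFC 3080 / RFC 3081 (SEQ), each ending in CRLF.
BEEP_HEADER = re.compile(
    rb"(?:(?:MSG|RPY|ERR|NUL) \d{1,10} \d{1,10} [.*] \d{1,10} \d{1,10}"
    rb"|ANS \d{1,10} \d{1,10} [.*] \d{1,10} \d{1,10} \d{1,10}"
    rb"|SEQ \d{1,10} \d{1,10} \d{1,10})\r\n"
)

def classify_payload(payload: bytes) -> str:
    """Label the first bytes of a TCP stream by content, ignoring ports."""
    if len(payload) >= 6 and payload[0] in EDONKEY_MARKERS:
        (length,) = struct.unpack_from("<I", payload, 1)
        if 1 <= length <= MAX_EDONKEY_LEN:
            return EDONKEY_MARKERS[payload[0]]
    if BEEP_HEADER.match(payload):
        return "beep"
    return "unknown"

def classify_by_port(dst_port: int) -> str:
    """Port-only guess; 4661/4662 are the conventional eDonkey ports (assumption)."""
    return {4661: "edonkey", 4662: "edonkey"}.get(dst_port, "unknown")

# Constructed sample flows: (destination port, first payload bytes).
SAMPLE_FLOWS = [
    (4662, b"\xe3" + struct.pack("<I", 3) + b"\x01\x00\x00"),  # usual port
    (80,   b"\xe3" + struct.pack("<I", 3) + b"\x01\x00\x00"),  # same bytes on port 80
    (8080, b"RPY 0 0 . 0 52\r\nContent-Type: application/beep+xml\r\n\r\n"),
    (80,   b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

def compare(flows):
    """Return (port, port-based label, payload-based label) per flow."""
    return [(p, classify_by_port(p), classify_payload(d)) for p, d in flows]

if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print(row)
```

A one-byte marker plus a length bound is a weak signature on its own; it only looks at the first segment of a flow and does nothing for encrypted or obfuscated traffic.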