From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 27 18:56:08 2005
From: "Alexandre DELAY"
To: "Chuck Swiger"
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 27 Nov 2005 19:56:09 +0100
Subject: RE: Protocol filter capabilities
In-Reply-To: <4389FF8D.6050806@mac.com>
List-Id: IPFW Technical Discussions

I agree with you, but my aim is not to block traffic between my internal network and the Internet. I only want to filter (not block) certain protocols.
I found a nice tool for this: http://freebsd.rogness.net/snort_inline/

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On behalf of Chuck Swiger
Sent: Sunday, 27 November 2005 19:49
To: Alexandre DELAY
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Protocol filter capabilities

Alexandre DELAY wrote:
[ ...top-posting reformatted... ]
>>> Don't you think that it would be a nice thing to be able to include such
>>> "filters" from, for example, ethereal? Ethereal supports more than 34k
>>> different protocols. It would be nice to be able to choose from those
>>> filters and to apply some rules according to those filters.
>>
>> You're talking about a reactive IDS. You can rig them up using scripts
>> which monitor logfiles, or something like /usr/ports/security/snort.
>>
>> However, I prefer to use IDS for traffic I permit but want to monitor, not
>> traffic I already know I want to block.
>
> Snort doesn't answer such needs.
> It is not able to analyze application protocols such as BEEP or Edonkey.
> See: http://www.snort.org/docs/writing_rules/
>
> Filtering application protocols based on IP/ports is not efficient. Some
> applications are able to work on almost any port.

Snort is a tool. It can be used to build an IDS and is well-suited for that task, but it is not intended to entirely replace a firewall.

It is true that P2P application protocols are very adaptive and are able to work via almost any port. However, they do not work through a properly configured proxy using a "deny all" firewall in what is called a DMZ or screened subnet firewall architecture. If your network is set up for this correctly, internal machines on the LAN will never be allowed to make external requests, at all (period); clients may even run without a default route set and without the firewall having NAT enabled.
--
-Chuck

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
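The screened-subnet ("deny all" plus proxy) layout Chuck describes, written out as an ipfw ruleset. This is an added example for the list archive, not code from either poster. Interface names (em0/em1/em2), the LAN prefix 192.168.2.0/24, the proxy at 10.0.0.2:3128 and the port list are constructed placeholders; adjust them to your own network. The script is a dry run by default (it echoes the rules); set IPFW=ipfw on the firewall host to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules for a screened subnet.
# LAN hosts can reach only the proxy in the DMZ; only the proxy can reach
# the Internet. With no default route on the clients and no NAT here,
# a P2P client hopping ports still has no path out.

# Constructed addresses and interface names (assumptions, edit to fit):
LAN_IF="${LAN_IF:-em0}"                   # interface facing the internal LAN
DMZ_IF="${DMZ_IF:-em1}"                   # interface facing the screened subnet
LAN_NET="${LAN_NET:-192.168.2.0/24}"      # internal client network
PROXY="${PROXY:-10.0.0.2}"                # HTTP proxy host in the DMZ
PROXY_PORT="${PROXY_PORT:-3128}"          # port the proxy listens on
WEB_PORTS="${WEB_PORTS:-80,443}"          # what the proxy may fetch from outside

# Dry run by default: rules are printed, not loaded. IPFW=ipfw applies them.
IPFW="${IPFW:-echo}"

emit_ruleset() {
    $IPFW -q flush
    # Loopback is always allowed.
    $IPFW add 100 allow ip from any to any via lo0
    # Let packets of connections already accepted by keep-state rules through.
    $IPFW add 200 check-state

    # LAN -> proxy is the only thing a client may open; everything else
    # arriving from the LAN is dropped and logged (rule 310 is the "deny all").
    $IPFW add 300 allow tcp from "$LAN_NET" to "$PROXY" "$PROXY_PORT" \
        setup keep-state in via "$LAN_IF"
    $IPFW add 310 deny log ip from "$LAN_NET" to any in via "$LAN_IF"

    # The proxy alone originates outbound web traffic and DNS lookups.
    $IPFW add 400 allow tcp from "$PROXY" to any "$WEB_PORTS" \
        setup keep-state in via "$DMZ_IF"
    $IPFW add 410 allow udp from "$PROXY" to any 53 keep-state in via "$DMZ_IF"
    # Anything else entering from the DMZ (including a compromised proxy
    # probing the LAN) is dropped and logged.
    $IPFW add 420 deny log ip from any to "$LAN_NET" in via "$DMZ_IF"

    # Final catch-all: deny and log whatever no earlier rule accepted.
    $IPFW add 65000 deny log ip from any to any
}

# Usage on the firewall host:
#   sh screened-subnet.sh            # preview the rules (dry run)
#   IPFW=ipfw sh screened-subnet.sh  # load them
[ "$(basename -- "$0")" = "screened-subnet.sh" ] && emit_ruleset
```

Because rule 310 rejects every LAN packet not headed for the proxy, it does not matter which port a client-side application picks; the application-level filtering then happens on the proxy, where the protocol is visible. Rule 420 limits the damage if the proxy itself is compromised, which is the point of putting it on its own screened subnet rather than on the LAN.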