Date:      Sun, 27 Nov 2005 13:48:45 -0500
From:      Chuck Swiger <cswiger@mac.com>
To:        Alexandre DELAY <alexandre.delay@free.fr>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Protocol filter capabilities
Message-ID:  <4389FF8D.6050806@mac.com>
In-Reply-To: <MAEBLPAGHGPMOKCBICBNCEONCIAA.alexandre.delay@free.fr>
References:  <MAEBLPAGHGPMOKCBICBNCEONCIAA.alexandre.delay@free.fr>

Alexandre DELAY wrote:
[ ...top-posting reformatted... ]
>>> Don't you think that it would be a nice thing to be able to include such
>>> "filters" from, for example, ethereal? Ethereal supports more than 34k
>>> different protocols. It would be nice to be able to choose from those
>>> filters and to apply some rules according to those filters.
>> 
>> You're talking about a reactive IDS. You can rig them up using scripts 
>> which monitor logfiles, or something like /usr/ports/security/snort.
>> 
>> However, I prefer to use IDS for traffic I permit but want to monitor, not
>> traffic I already know I want to block.
>
> Snort doesn't answer such needs.
> It is not able to analyze application protocols such as BEEP or Edonkey.
> See: http://www.snort.org/docs/writing_rules/
> 
> Filtering application protocols based on IP/ports is not efficient. Some
> applications are able to work on almost any port.

Snort is a tool.  It can be used to build an IDS and is well-suited for that 
task, but it is not intended to entirely replace a firewall.

It is true that P2P application protocols are very adaptive and are able to 
work via almost any port.  However, they do not work through a properly 
configured proxy using a "deny all" firewall in what is called a DMZ or 
screened subnet firewall architecture.

If your network is set up for this correctly, internal machines on the LAN will 
never be allowed to make external requests, at all (period); clients may even 
run without a default route set and without the firewall having NAT enabled.

-- 
-Chuck
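One way to write the "deny all" screened-subnet design described above as an ipfw ruleset, added here as an example that is not taken from the thread or from any FreeBSD file; the interface names, addresses, proxy port and resolver are all assumed values.

```shell
#!/bin/sh
# Added example, not code from the thread: an ipfw ruleset for the "deny all"
# screened-subnet design described above. Everything below is assumed:
#   em0 = LAN 192.0.2.0/24, em1 = DMZ 198.51.100.0/24, em2 = Internet uplink
#   proxy 198.51.100.10 on port 3128, resolver 203.0.113.53 (documentation addresses)
# As in /etc/rc.firewall, the ipfw binary is taken from ${fwcmd}, so the rules
# can be previewed with fwcmd=echo before being loaded for real.
fwcmd="${fwcmd:-/sbin/ipfw}"
lan_if="em0"; lan_net="192.0.2.0/24"
dmz_if="em1"
proxy="198.51.100.10"; proxy_port="3128"
resolver="203.0.113.53"

screened_subnet_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    # Dynamic (keep-state) entries below answer for reply packets and for the
    # second interface each forwarded packet crosses.
    ${fwcmd} add 200 check-state
    # LAN hosts may open connections only to the proxy, only on the proxy port.
    # There is deliberately no LAN-to-Internet rule at all: a port-agile P2P
    # client can pick any port it likes and still has nowhere to go.
    ${fwcmd} add 1000 allow tcp from ${lan_net} to ${proxy} ${proxy_port} \
        in via ${lan_if} setup keep-state
    # Only the proxy reaches the Internet, and only for web traffic plus DNS.
    ${fwcmd} add 2000 allow tcp from ${proxy} to not ${lan_net} 80,443 \
        in via ${dmz_if} setup keep-state
    ${fwcmd} add 2100 allow udp from ${proxy} to ${resolver} 53 \
        in via ${dmz_if} keep-state
    # No nat/divert rule anywhere: the LAN is unreachable from outside and
    # cannot route out directly, matching the "no default route, no NAT" setup.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Preview:  fwcmd=echo sh rules.sh load      Apply (as root):  sh rules.sh load
if [ "${1:-}" = "load" ]; then
    screened_subnet_rules
fi
```

Previewing with `fwcmd=echo` prints the exact rules without touching the running firewall, which is the quickest way to confirm that no rule lets the LAN network reach "any" before loading.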