Date:      Wed, 31 Aug 2005 08:29:37 -0500
From:      Nick Buraglio <nick@buraglio.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: Application layer firewall on FreeBSD, is it possible ?
Message-ID:  <98DDA057-48F4-4AE6-A1EB-9E32C9297BB2@buraglio.com>
In-Reply-To: <20050831001634.63B2C4E704@pipa.profix.cz>
References:  <20050831001634.63B2C4E704@pipa.profix.cz>

I think what the pf developers will tell you (and what I think is correct) is that firewalling is meant for layer 3 and layer 7 is meant to be proxied. I hear the l7 stuff for Linux is somewhat of a messy hack (although it does seem to work). I asked what they thought of this a few years ago just out of curiosity and was answered with some fairly good responses re: l7 filtering. At least in regards to pf, I don't think it will ever be able to do it since that's not really what it's for (again, though, I'm not a developer on that project so I really have no idea of their roadmap). I'd recommend a combination of snort2pf and transparent squid to start; of course you can always use the Linux stuff if you aren't opposed to using Linux.

Check out snort2pf: http://www.thinknerd.org/~ssc/wiki/doku.php?id=snort2pf  It should do what you want it to do.

nb

On Aug 30, 2005, at 7:16 PM, Daniel Dvořák wrote:

> ... but you know, a proxy is not what I am asking about; a proxy is not a firewall.
>
> We do not need to restrict everything and all members.
>
> We would like a fully routable network with full access to the IPv6 / IPv4 internet, without any necessary action like configuring proxy clients on all of our members' PCs.
>
> We only want to deny p2p applications by default for all PCs regardless of the protocol/ports used, and to allow granting access to p2p networks to each member in an individual way, because we have to prevent another letter from our ISP, which was contacted by the BSA that from our public IP (from one member in private IP space) ... traffic ... share ... violate ... authorial law.
>
> So of course it must be a combination of IP and application (OSI model) firewall.
>
> The gateway server should check all packets and their contents to decide in a fast way if they are allowed or denied, like l7-filter on Linux OS.
>
> So is it possible on FreeBSD OS?
>
> Thanks
>
> Dan
>
>   _____
>
> From: Daniel Dvořák [mailto:dandee@hellteam.net]
> Sent: Wednesday, August 31, 2005 1:47 AM
> To: 'freebsd-questions@freebsd.org'; 'freebsd-ipfw@freebsd.org';
> 'freebsd-pf@freebsd.org'
> Subject: Application layer firewall on FreeBSD, is it possible ?
>
>
>
> Hi all,
>
> let me ask you about the task "how to control p2p applications and their traffic with dynamic ports from users' computers on a gateway".
>
> We are a small wireless community and have shared access to the internet for all members. Core members decided to control p2p traffic by default and to allow each person in an individual way, after showing their knowledge of authorial law. :)
>
> But since many DC hubs, eDonkey servers, BitTorrent web trackers and so on use dynamic, non-standard ports, how to control it?
>
> Linux uses l7-filter <http://sourceforge.net/projects/l7-filter>, SourceForge freeware, and it is based on iptables, defining application protocols like the Ethereal project does.
>
> So, is there any way to do the same application-layer (OSI model) firewall with a FreeBSD gateway?
>
> Of course, I tried to find it on the web, but I have not been successful in searching so far.
>
> If my question is not right in this mailing list, or if my question is annoying here, I am sorry.
>
> Dan
>
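As an added example (not from this thread and not snort2pf's or squid's own configuration), a pf.conf sketch of the combination Nick recommends: a persistent table that snort2pf populates from Snort alerts, a second table for members who have been individually granted p2p access, and a transparent redirect of member HTTP to a local squid. The interface names, table names, squid port and the sample allowed address are assumptions; the table snort2pf really writes to comes from its own configuration.

```pf
# Added example, not from the thread. Interface names, table names, the squid
# port and the sample address below are assumptions for this gateway.
ext_if = "fxp0"          # assumed upstream interface
int_if = "fxp1"          # assumed member-facing interface
squid_port = "3128"      # assumed transparent squid listener on the gateway

# Hosts snort2pf adds after Snort raises a p2p alert. "persist" keeps the table
# even when it is empty, so pfctl can fill it at runtime.
table <snort2pf> persist

# Members individually granted p2p access, maintained by hand with pfctl.
table <p2p_allowed> persist { 10.0.0.50 }   # constructed sample address

set skip on lo0
scrub in all

# Transparent proxy: member HTTP to anything but the gateway goes to squid.
rdr on $int_if inet proto tcp from $int_if:network to ! $int_if port www \
    -> 127.0.0.1 port $squid_port
nat on $ext_if from $int_if:network to any -> ($ext_if)

block all

# Granted members skip the snort2pf block; "quick" makes this rule final.
pass in quick on $int_if from <p2p_allowed> keep state

# Anything else from a tabled host is dropped on the inside interface. Blocking
# outbound on $ext_if would not work: nat has already rewritten the source.
block in quick on $int_if from <snort2pf>

# Redirected HTTP reaches the filter with 127.0.0.1 as its destination.
pass in quick on $int_if inet proto tcp from $int_if:network \
    to 127.0.0.1 port $squid_port keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state
```

Entries are added at runtime with `pfctl -t snort2pf -T add <host>`, and a state established before the host was tabled keeps passing until `pfctl -k <host>` removes it.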