From owner-freebsd-current@FreeBSD.ORG Wed Aug 31 01:53:24 2005
Message-ID: <43150D94.8050502@savvis.net>
Date: Tue, 30 Aug 2005 18:53:24 -0700
From: Maksim Yevmenkin
To: Jon Dama
Cc: freebsd-current@freebsd.org, dandee@volny.cz
References: <20050831001504.B6E984E704@pipa.profix.cz>
Subject: Re: Application layer firewall on FreeBSD, is it possible ?
List-Id: Discussions about the use of FreeBSD-current

Jon Dama wrote:
> I do not think this is possible with an existing "shrink-wrapped"
> solution.

yes, it is. take a look at netgraph(4). for example with ethernet
interfaces you can connect userspace and/or application kernel module to
"lower" and "upper" ng_ether(4) hooks and effectively look at every
packet that goes in/out on the wire.
max

> Though, one would expect that it would be a relatively trivial matter to
> make a userland application from the linux application filter and then use
> the tun/tap(4) driver.
>
> -Jon
>
> On Wed, 31 Aug 2005, Daniel Dvořák wrote:
>
>> Okay, thank you for the advice. Maybe I did not understand fully but ...
>>
>> ... but you know, proxy is not what I am asking, proxy is not firewall.
>>
>> We do not need to restrict everything and all members.
>>
>> We like a fully routable network with full access to the IPv6 / IPv4 internet
>> without any necessary action like configuring proxy clients on all our
>> members' PCs.
>>
>> We only want to deny p2p applications by default for all PCs
>> regardless of the protocol/ports used and to allow granting access to p2p
>> networks to each member in an individual way, because we have to prevent another
>> letter from our ISP, which was contacted by BSA that from our public IP (
>> from one member in private IP space ) ... traffic ... share ... violate ...
>> authorial law.
>>
>> So of course it must be a combination of IP and application OSI model
>> firewall.
>>
>> Gateway server should check all packets and their contents to decide if
>> allowed or denied in a fast way like l7-filter on Linux OS.
>>
>> So is it possible on FreeBSD OS ?
>>
>> Thanks
>>
>> Since my question here is not right like somebody told me, this is the last
>> e-mail in this mailing list for this theme, and I send it to the
>> freebsd-question, freebsd-ipfw and freebsd-pf mailing lists.
>>
>> Dan
>>
>> -----Original Message-----
>> From: owner-freebsd-current@freebsd.org
>> [mailto:owner-freebsd-current@freebsd.org] On Behalf Of Charles Swiger
>> Sent: Tuesday, August 30, 2005 9:51 PM
>> To: dandee@volny.cz
>> Cc: freebsd-current@freebsd.org
>> Subject: Re: Application layer firewall on FreeBSD, is it possible ?
>>
>> On Aug 30, 2005, at 2:58 PM, Daniel Dvořák wrote:
>>
>>> let me ask you for task "how to control p2p applications and their
>>> traffic with dynamic ports from user's computers on gateway".
>>>
>>> We are a small wireless community and have shared access to the internet for
>>> all members. Core members decided to control p2p traffic by default
>>> and to allow each person in an individual way, after showing their
>>> knowledge of authorial law. :)
>>>
>>> But since many dc hubs, edonkey servers, bittorrent web trackers and
>>> so on use dynamic non-standard ports, how to control it ?
>>
>> Start with a "deny all" policy, and use L7 proxies like squid for the
>> specific protocols like HTTP which you want to permit. If you're really
>> serious about controlling the traffic, don't let your router talk to
>> anything but your proxy server in order to be certain that the client
>> machines have to go through that.
>>
>> --
>> -Chuck
>>
>> _______________________________________________
>> freebsd-current@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
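As an added illustration, not part of the original thread, the script below builds the netgraph(4) topology Maksim points at: an ng_tee(4) node inserted between the "lower" and "upper" hooks of an ng_ether(4) node, so every frame entering or leaving the wire passes through the tee and a copy can be read from its left2right/right2left hooks by a userland or kernel filter. It assumes root on FreeBSD; the ng_run helper and the NG_DRYRUN switch (which prints the ngctl commands instead of executing them) are my own additions.

```shell
#!/bin/sh
# Added example (not from the thread): insert an ng_tee(4) node between the
# "lower" (wire side) and "upper" (protocol stack side) hooks of an
# ng_ether(4) node, so every frame crossing the interface passes through the
# tee and a copy of it can be read from the tee's left2right/right2left hooks.
# Needs root on FreeBSD; with NG_DRYRUN=1 the ngctl commands are only printed.

# Run the given command, or echo it when NG_DRYRUN is set (assumed helper).
ng_run() {
    if [ -n "${NG_DRYRUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ng_insert_tee IFACE
# Resulting path: wire <-> IFACE:lower <-> tee(left,right) <-> IFACE:upper <-> stack
ng_insert_tee() {
    iface=$1
    tee="${iface}_tee"
    # ng_ether creates one node per Ethernet interface once it is loaded;
    # loading it a second time only reports an error, which is harmless here
    ng_run kldload ng_ether || true
    # new tee node; IFACE's lower hook (frames from the wire) -> tee's left hook
    ng_run ngctl mkpeer "${iface}:" tee lower left
    # name the tee so later commands can address it as IFACE_tee:
    ng_run ngctl name "${iface}:lower" "$tee"
    # close the path: IFACE's upper hook (frames from the stack) -> tee's right hook
    ng_run ngctl connect "${iface}:" "${tee}:" upper right
}

# ng_remove_tee IFACE: shutting the tee down disconnects ng_ether's lower and
# upper hooks, so the interface goes back to the plain kernel path.
ng_remove_tee() {
    ng_run ngctl shutdown "${1}_tee:"
}

# After ng_insert_tee em0, watch traffic with nghook(8), e.g.
#   nghook -a em0_tee: left2right    # frames received from the wire
#   nghook -a em0_tee: right2left    # frames sent by this host
# or connect your own filtering node to those hooks instead.
```

While the tee is in place the interface only works because the tee forwards left to right and back, so always run ng_remove_tee (or reboot) rather than leaving a half-built graph behind.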