RE: Application layer firewall on FreeBSD, is it possible ?

From: Jon Dama (jd_at_ugcs.caltech.edu)
Date: 08/31/05

    Date: Tue, 30 Aug 2005 17:44:12 -0700 (PDT)
    To: dandee@volny.cz
    
    

    I do not think this is possible with an existing "shrink-wrapped"
    solution.

    Though, one would expect that it would be a relatively trivial matter to
    make a userland application from the Linux application filter and then use
    the tun/tap(4) driver.

    -Jon

    On Wed, 31 Aug 2005, Daniel Dvořák wrote:

    > Okay, thank you for the advice. Maybe I did not understand fully but ...
    >
    > ... but you know, a proxy is not what I am asking about; a proxy is not a firewall.
    >
    > We do not need to restrict everything and all members.
    >
    > We would like a fully routable network with full access to the IPv6 / IPv4
    > internet, without any required action such as configuring proxy clients on
    > all our members' PCs.
    >
    > We only want to deny p2p applications by default for all PCs,
    > regardless of the protocol/ports used, and to allow granting access to p2p
    > networks to each member individually, because we have to prevent another
    > letter from our ISP, which was contacted by the BSA, that from our public IP
    > (from one member in private IP space) ... traffic ... share ... violate ...
    > authorial law.
    >
    > So of course it must be a combination of IP and application OSI model
    > firewall.
    >
    > The gateway server should check all packets and their contents to decide
    > whether they are allowed or denied, in a fast way, like l7-filter on Linux.
    >
    > So is it possible on FreeBSD?
    >
    > Thanks
    >
    > Since my question is not right for this list, as somebody told me, this is
    > the last e-mail on this mailing list for this topic, and I am sending it to
    > the freebsd-question, freebsd-ipfw and freebsd-pf mailing lists.
    >
    > Dan
    >
    > -----Original Message-----
    > From: owner-freebsd-current@freebsd.org
    > [mailto:owner-freebsd-current@freebsd.org] On Behalf Of Charles Swiger
    > Sent: Tuesday, August 30, 2005 9:51 PM
    > To: dandee@volny.cz
    > Cc: freebsd-current@freebsd.org
    > Subject: Re: Application layer firewall on FreeBSD, is it possible ?
    >
    > On Aug 30, 2005, at 2:58 PM, Daniel Dvořák wrote:
    > > let me ask you about the task "how to control p2p applications and their
    > > traffic with dynamic ports from users' computers on the gateway".
    > >
    > > We are a small wireless community and have shared access to the internet
    > > for all members. Core members decided to control p2p traffic by default
    > > and to allow each person in an individual way, after showing their
    > > knowledge of authorial law. :)
    > >
    > > But since many DC hubs, eDonkey servers, BitTorrent web trackers and
    > > so on use dynamic, non-standard ports, how to control it?
    >
    > Start with a "deny all" policy, and use L7 proxies like squid for the
    > specific protocols like HTTP which you want to permit. If you're really
    > serious about controlling the traffic, don't let your router talk to
    > anything but your proxy server in order to be certain that the client
    > machines have to go through that.
    >
    > --
    > -Chuck
    >
    > _______________________________________________
    > freebsd-current@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-current
    > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"

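The content check asked for in the quoted message (decide on packet contents rather than ports, deny p2p by default, allow it per member) can be sketched as follows. This is an added example, not code from the thread or from l7-filter; the signatures are illustrative, and the allow list, addresses and function names are assumptions.

```c
/* Added example: port-independent classification of a flow's first payload
 * bytes, then a default-deny P2P policy with per-member exceptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum proto { PROTO_UNKNOWN, PROTO_BITTORRENT, PROTO_DIRECTCONNECT };

struct sig { enum proto proto; const char *prefix; size_t len; };

/* Illustrative signatures only; a real filter needs many more. */
static const struct sig sigs[] = {
    { PROTO_BITTORRENT,    "\x13" "BitTorrent protocol", 20 }, /* peer handshake */
    { PROTO_DIRECTCONNECT, "$Lock ",   6 },  /* NMDC hub greeting */
    { PROTO_DIRECTCONNECT, "$MyNick ", 8 },  /* NMDC client-to-client */
};

/* Classify by payload prefix; ports are never consulted. */
enum proto classify(const uint8_t *payload, size_t len)
{
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (len >= sigs[i].len &&
            memcmp(payload, sigs[i].prefix, sigs[i].len) == 0)
            return sigs[i].proto;
    return PROTO_UNKNOWN;
}

/* Hypothetical allow list: members (IPv4, host byte order) granted P2P. */
static const uint32_t p2p_allowed[] = { 0x0A000017 /* 10.0.0.23, constructed */ };

static int member_may_p2p(uint32_t src)
{
    for (size_t i = 0; i < sizeof p2p_allowed / sizeof p2p_allowed[0]; i++)
        if (p2p_allowed[i] == src)
            return 1;
    return 0;
}

/* Returns 1 to forward, 0 to drop. Non-P2P traffic stays fully routed. */
int verdict(uint32_t src, const uint8_t *payload, size_t len)
{
    if (classify(payload, len) == PROTO_UNKNOWN)
        return 1;
    return member_may_p2p(src);
}
```

A userland filter of the kind suggested in the reply would call `verdict()` on the first payload bytes of each new flow read from tun/tap(4). A payload split across packets has to be buffered first, since a truncated prefix classifies as unknown.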
