Re: Application layer firewall on FreeBSD, is it possible ?
From: Maksim Yevmenkin (maksim.yevmenkin_at_savvis.net)
Date: 08/31/05
- Previous message: Kyle Brooks: "panic after removing usb flash drive"
- In reply to: Jon Dama: "RE: Application layer firewall on FreeBSD, is it possible ?"
- Next in thread: Jon Dama: "Re: Application layer firewall on FreeBSD, is it possible ?"
- Reply: Jon Dama: "Re: Application layer firewall on FreeBSD, is it possible ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 30 Aug 2005 18:53:24 -0700 To: Jon Dama <jd@ugcs.caltech.edu>
Jon Dama wrote:
> I do not think this is possible with an existing "shrink-wrapped"
> solution.
yes, it is. take a look at netgraph(4). for example with ethernet
interfaces you can connect userspace and/or application kernel module to
"lower" and "upper" ng_ether(4) hooks and effectively look at every
packet that goes in/out on the wire.
max
>
> Though, one would expect that it would be a relatively trivial matter to
> make a userland application from the linux application filter and then use
> the tun/tap(4) driver.
>
> -Jon
>
> On Wed, 31 Aug 2005, [iso-8859-2] Daniel Dvoøák wrote:
>
>
>>Okay, thank you for advise. Maybe I did not understand fully but ...
>>
>>... but you know, proxy is not what I am asking, proxy is not firewall.
>>
>>We do not need to restrict everything and all members.
>>
>>We like full routeable network with full access to IPv6 / IPv4 internet
>>without any necessary action like configure proxy clients at all pc´s our
>>members.
>>
>>We only want to deny only p2p applications by default for all pc´s
>>regardless of used protocol/ports and to allow grantting access to p2p
>>networks each members in individual way, because we have to prevent another
>>letter from our ISP which was contacted by BSA that from our public IP (
>>from one member in private ip space ) ... traffic ... share ... violate ...
>>authorial law.
>>
>>So of course it must be combination of IP and application osi model
>>firewall.
>>
>>Gateway server should check all packets and their contents to decide if
>>allowed or denied in fast way like l7-filter on Linux OS.
>>
>>So is it possible on FreeBSD OS ?
>>
>>Thanks
>>
>>Since my question here is not right like somebody told me, this is last
>>e-mail in this mailling list for this theme, and I send it to
>>freebsd-question, freebsd-ipfw and freebsd-pf mailling lists.
>>
>>Dan
>>
>>-----Original Message-----
>>From: owner-freebsd-current@freebsd.org
>>[mailto:owner-freebsd-current@freebsd.org] On Behalf Of Charles Swiger
>>Sent: Tuesday, August 30, 2005 9:51 PM
>>To: dandee@volny.cz
>>Cc: freebsd-current@freebsd.org
>>Subject: Re: Application layer firewall on FreeBSD, is it possible ?
>>
>>On Aug 30, 2005, at 2:58 PM, Daniel Dvoøák wrote:
>>
>>>let me ask you for task "how to control p2p applications and their
>>>traffic with dynamic ports from user´s commputers on gateway".
>>>
>>>We are small wireless community and have shared access to internet for
>>>all members. Core members decided to control p2p traffic by default
>>>and to allow each person in individual way, after showing their
>>>knowledge of authorial low. :)
>>>
>>>But since many dc hubs, edonkey servers, bittorents web trackers and
>>>so on use dynamic not standard ports, how to control it ?
>>
>>Start with a "deny all" policy, and use L7 proxies like squid for the
>>specific protocols like HTTP which you want to permit. If you're really
>>serious about controlling the traffic, don't let your router talk to
>>anything but your proxy server in order to be certain that the client
>>machines have to go through that.
>>
>>--
>>-Chuck
>>
>>_______________________________________________
>>freebsd-current@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-current
>>To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
>>
>>_______________________________________________
>>freebsd-current@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-current
>>To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
>>
>
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
- Previous message: Kyle Brooks: "panic after removing usb flash drive"
- In reply to: Jon Dama: "RE: Application layer firewall on FreeBSD, is it possible ?"
- Next in thread: Jon Dama: "Re: Application layer firewall on FreeBSD, is it possible ?"
- Reply: Jon Dama: "Re: Application layer firewall on FreeBSD, is it possible ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
