Re: Application layer firewall on FreeBSD, is it possible ?

From: Jon Dama (jd_at_ugcs.caltech.edu)
Date: 08/31/05

    Date: Tue, 30 Aug 2005 18:56:43 -0700 (PDT)
    To: Maksim Yevmenkin <maksim.yevmenkin@savvis.net>
    
    

    Um, how is that effectively different than my recommendation that he build
    something around tun/tap(4)?

    It seems to me that you are saying essentially the same thing.

    -Jon

    On Tue, 30 Aug 2005, Maksim Yevmenkin wrote:

    > Jon Dama wrote:
    > > I do not think this is possible with an existing "shrink-wrapped"
    > > solution.
    >
    > yes, it is. take a look at netgraph(4). for example, with ethernet
    > interfaces you can connect a userspace and/or application kernel module to
    > the "lower" and "upper" ng_ether(4) hooks and effectively look at every
    > packet that goes in/out on the wire.
    >
    > max
    >
    > >
    > > Though, one would expect that it would be a relatively trivial matter to
    > > make a userland application from the Linux application filter and then use
    > > the tun/tap(4) driver.
    > >
    > > -Jon
    > >
    > > On Wed, 31 Aug 2005, Daniel Dvořák wrote:
    > >
    > >
    > >>Okay, thank you for the advice. Maybe I did not understand fully but ...
    > >>
    > >>... but you know, a proxy is not what I am asking for; a proxy is not a firewall.
    > >>
    > >>We do not need to restrict everything and all members.
    > >>
    > >>We would like a fully routable network with full access to the IPv6 / IPv4
    > >>internet without any necessary action like configuring proxy clients on all
    > >>of our members' PCs.
    > >>
    > >>We only want to deny p2p applications by default for all PCs regardless
    > >>of the protocol/ports used, and to allow granting access to p2p networks
    > >>to each member individually, because we have to prevent another letter
    > >>from our ISP, which was contacted by the BSA, saying that from our public IP
    > >>(from one member in private IP space) ... traffic ... share ... violate ...
    > >>authorial law.
    > >>
    > >>So of course it must be a combination of an IP-layer and an application-layer
    > >>(OSI model) firewall.
    > >>
    > >>The gateway server should check all packets and their contents to decide
    > >>whether they are allowed or denied, in a fast way like l7-filter on Linux.
    > >>
    > >>So is it possible on FreeBSD?
    > >>
    > >>Thanks
    > >>
    > >>Since my question here is not right, as somebody told me, this is my last
    > >>e-mail on this mailing list on this topic, and I am sending it to the
    > >>freebsd-question, freebsd-ipfw and freebsd-pf mailing lists.
    > >>
    > >>Dan
    > >>
    > >>-----Original Message-----
    > >>From: owner-freebsd-current@freebsd.org
    > >>[mailto:owner-freebsd-current@freebsd.org] On Behalf Of Charles Swiger
    > >>Sent: Tuesday, August 30, 2005 9:51 PM
    > >>To: dandee@volny.cz
    > >>Cc: freebsd-current@freebsd.org
    > >>Subject: Re: Application layer firewall on FreeBSD, is it possible ?
    > >>
    > >>On Aug 30, 2005, at 2:58 PM, Daniel Dvořák wrote:
    > >>
    > >>>let me ask you about the task "how to control p2p applications and their
    > >>>traffic with dynamic ports from users' computers on the gateway".
    > >>>
    > >>>We are a small wireless community and have shared access to the internet
    > >>>for all members. Core members decided to control p2p traffic by default
    > >>>and to allow each person individually, after showing their knowledge
    > >>>of authorial law. :)
    > >>>
    > >>>But since many DC hubs, eDonkey servers, BitTorrent web trackers and so
    > >>>on use dynamic, non-standard ports, how can we control it?
    > >>
    > >>Start with a "deny all" policy, and use L7 proxies like squid for the
    > >>specific protocols like HTTP which you want to permit. If you're really
    > >>serious about controlling the traffic, don't let your router talk to
    > >>anything but your proxy server in order to be certain that the client
    > >>machines have to go through that.
    > >>
    > >>--
    > >>-Chuck
    > >>
    > >>_______________________________________________
    > >>freebsd-current@freebsd.org mailing list
    > >>http://lists.freebsd.org/mailman/listinfo/freebsd-current
    > >>To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
    > >>
    > >>
    > >
    >
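An added example, not part of the thread and not FreeBSD code: the payload-classification step that an l7-filter-style userland filter would apply to each frame once netgraph (the ng_ether(4) "lower"/"upper" hooks Maksim mentions) or tun/tap(4) hands it the packet. It decides by signature rather than by port, which is the property Dan needs for clients on dynamic ports. The signatures are the well-known opening bytes of the BitTorrent handshake, eDonkey/eMule message framing and NMDC (Direct Connect) commands; the function names, the IPv4/TCP packet builder and the sample packets are this example's own constructions. It has no FreeBSD dependency and builds with any C99 compiler.

```c
/* Added example: signature-based P2P classification of a TCP payload,
 * independent of port.  Sample packets below are constructed, not captured. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum p2p_verdict { P2P_NONE = 0, P2P_BITTORRENT, P2P_EDONKEY, P2P_DIRECTCONNECT };

/* Locate the TCP payload inside an IPv4 packet.  Returns NULL for anything
 * not well-formed IPv4/TCP, so a truncated header is never read past. */
static const uint8_t *tcp_payload(const uint8_t *pkt, size_t len, size_t *plen)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return NULL;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot > len || tot < ihl + 20 || pkt[9] != 6)
        return NULL;
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot)
        return NULL;
    *plen = tot - ihl - doff;
    return pkt + ihl + doff;
}

/* Signature match on the opening bytes of a TCP segment.  Ports are never
 * consulted; that is what catches clients running on "dynamic" ports. */
enum p2p_verdict classify_payload(const uint8_t *p, size_t n)
{
    /* BitTorrent handshake: <19>"BitTorrent protocol"<8 reserved><20 hash><20 id> */
    if (n >= 20 && p[0] == 19 && memcmp(p + 1, "BitTorrent protocol", 19) == 0)
        return P2P_BITTORRENT;
    /* eDonkey (0xE3) / eMule extended (0xC5): <proto><u32 LE len><opcode>...,
     * len counting every byte after the length field.  Verifying len against
     * the segment avoids matching arbitrary binary that starts with 0xE3. */
    if (n >= 6 && (p[0] == 0xE3 || p[0] == 0xC5)) {
        uint32_t declared = (uint32_t)p[1] | ((uint32_t)p[2] << 8) |
                            ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
        if (declared == n - 5)
            return P2P_EDONKEY;
    }
    /* NMDC hub greeting ($Lock) and client-client handshake ($MyNick). */
    if ((n >= 6 && memcmp(p, "$Lock ", 6) == 0) ||
        (n >= 8 && memcmp(p, "$MyNick ", 8) == 0))
        return P2P_DIRECTCONNECT;
    return P2P_NONE;
}

enum p2p_verdict classify_packet(const uint8_t *pkt, size_t len)
{
    size_t n;
    const uint8_t *p = tcp_payload(pkt, len, &n);
    return p ? classify_payload(p, n) : P2P_NONE;
}

/* Wrap a payload in a bare IPv4/TCP packet (checksums left zero; the
 * classifier never looks at them).  Returns total length, 0 on overflow. */
size_t build_tcp_packet(uint8_t *out, size_t cap, uint16_t sport, uint16_t dport,
                        const uint8_t *payload, size_t n)
{
    size_t tot = 40 + n;
    if (tot > cap || tot > 0xffff)
        return 0;
    memset(out, 0, 40);
    out[0] = 0x45;                                   /* IPv4, IHL = 5 words */
    out[2] = (uint8_t)(tot >> 8); out[3] = (uint8_t)tot;
    out[9] = 6;                                      /* protocol = TCP */
    out[20] = (uint8_t)(sport >> 8); out[21] = (uint8_t)sport;
    out[22] = (uint8_t)(dport >> 8); out[23] = (uint8_t)dport;
    out[32] = 0x50;                                  /* data offset = 5 words */
    out[33] = 0x18;                                  /* PSH|ACK */
    memcpy(out + 40, payload, n);
    return tot;
}

/* Classify `payload` as if sent to TCP port `dport` (hypothetical helper;
 * the port has no influence on the verdict). */
enum p2p_verdict classify_on_port(uint16_t dport, const uint8_t *payload, size_t n)
{
    uint8_t pkt[512];
    size_t len = build_tcp_packet(pkt, sizeof pkt, 51234, dport, payload, n);
    return len ? classify_packet(pkt, len) : P2P_NONE;
}

int main(void)
{
    /* Constructed samples: BitTorrent handshake and HTTP request, both to
     * port 80, and an eDonkey hello (opcode + 5 bytes) aimed at port 443. */
    static const uint8_t bt[68] = {19, 'B','i','t','T','o','r','r','e','n','t',' ',
                                   'p','r','o','t','o','c','o','l'};
    static const char *http = "GET / HTTP/1.1\r\nHost: example\r\n\r\n";
    static const uint8_t ed[] = {0xE3, 6, 0, 0, 0, 0x01, 0, 0, 0, 0, 0};
    static const char *names[] = {"none", "bittorrent", "edonkey", "directconnect"};

    printf("bittorrent handshake to :80 -> %s\n", names[classify_on_port(80, bt, sizeof bt)]);
    printf("http request to :80         -> %s\n",
           names[classify_on_port(80, (const uint8_t *)http, strlen(http))]);
    printf("edonkey hello to :443       -> %s\n", names[classify_on_port(443, ed, sizeof ed)]);
    return 0;
}
```

Two caveats a practitioner would add before deploying this behind ng_ether or tun/tap. First, a verdict is only useful with per-flow state: the handshake appears in the first data segment, so the filter must remember the 5-tuple and drop the rest of the connection, not just the one packet that matched. Second, signature matching only sees plaintext; clients that negotiate encryption or obfuscation (later BitTorrent and eMule builds do) will not match at all, which is why the deny-all-plus-proxy default Charles describes is the more robust policy and payload signatures are best treated as a supplement to it. Signatures as simple as these can also be expressed as BPF programs and run inside the kernel with ng_bpf(4) instead of a userland node.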

