Application layer firewall on FreeBSD, is it possible ?

Norberto Meijome freebsd at meijome.net
Wed Aug 31 12:44:00 GMT 2005


hey,

Daniel Dvořák wrote:
> We are a small wireless community and have shared access to the internet for all
> members. Core members decided to control p2p traffic by default and to allow
> each person in an individual way, after showing their knowledge of authorial
> law. :)

I think you mean copyright law.

> 
> But since many dc hubs, edonkey servers, bittorrent web trackers and so on
> use dynamic, non-standard ports, how do we control it?

I haven't seen any way to control traffic for P2P apps reliably at the
protocol layer, you need to inspect it. Something like snort attached to
your firewall, I guess ... though it'd be a reverse IDS (or a reverse
IPS, intrusion prevention system, I've seen it called...)

A quick search in ports for IDS shows:

/net/libnids
/security/libprelude and other prelude related ports
/security/snortms and other snort related ports

> 
> Linux uses l7-filter <http://sourceforge.net/projects/l7-filter>, sourceforge
> freeware, and it is based on iptables, with definitions of application protocols
> like the ethereal project does.

Right - so something like applying ethereal rules to the output of
tcpdump and updating the rules in real time... mind you, many of these
apps/protocols are extremely flexible, they'll change how they connect
very fast, which will put the load on your firewall.

> So, is there any way to do the same application-layer (OSI model) firewall with a
> FreeBSD gateway?

I don't see why not... though it's obvious I'm not sure how :) please
share the answer when you find it :)
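The point made above, that P2P traffic on dynamic ports has to be recognised by inspecting the payload rather than by port, is what l7-filter-style classification does. The following is an added example (not part of the thread, not l7-filter or snort code): it matches well-known first-packet patterns for BitTorrent, HTTP tracker announces, Direct Connect and eDonkey against constructed payloads sent to deliberately "wrong" ports; the sample flows and the `classify`/`report` helpers are constructed for illustration.

```python
# Added example: a minimal l7-filter-style classifier that labels P2P traffic by
# inspecting the first bytes of a TCP payload, so the decision does not depend
# on the (often dynamic) port number the flow happens to use.
import re
import struct

# Payload signatures checked in order. These are the well-known handshake
# patterns; BT_TRACKER is the HTTP announce request a client sends to a tracker.
SIGNATURES = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("bittorrent-tracker", re.compile(rb"^GET /announce\?.*info_hash=", re.S)),
    ("directconnect", re.compile(rb"^\$(Lock|MyNick|Hello|Supports) ")),
]

def is_edonkey(payload: bytes) -> bool:
    """eDonkey/eMule frame: 1-byte protocol id, 4-byte LE length, 1-byte opcode."""
    if len(payload) < 6 or payload[0] not in (0xE3, 0xC5, 0xD4):
        return False
    (length,) = struct.unpack_from("<I", payload, 1)
    # The declared length covers opcode plus body, so it must fit in the payload.
    return 1 <= length <= len(payload) - 5

def classify(payload: bytes) -> str:
    """Return a protocol label for the first payload bytes of a flow."""
    for name, pattern in SIGNATURES:
        if pattern.search(payload):
            return name
    if is_edonkey(payload):
        return "edonkey"
    return "other"

# Constructed sample flows: (dst port, first payload bytes). The ports are
# intentionally mismatched with the protocol to show the port is irrelevant.
SAMPLES = [
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"X" * 40),
    (8080, b"GET /announce?info_hash=%ab%cd&peer_id=abc HTTP/1.1\r\nHost: t\r\n\r\n"),
    (443, b"$Lock EXTENDEDPROTOCOL Pk=x|"),
    (25, b"\xe3" + struct.pack("<I", 2) + b"\x01\x10"),
    (8080, b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
]

def report(samples=SAMPLES):
    """Return (port, label) per sample; a firewall policy hook would act on label."""
    return [(port, classify(data)) for port, data in samples]

if __name__ == "__main__":
    for port, label in report():
        print(f"dst port {port:5d} -> {label}")
```

Only the opening bytes of a flow are examined here; a real deployment would feed reassembled streams in from a sniffer and would need signature updates as the clients change, which is the load the reply above warns about.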

