Application layer firewall on FreeBSD, is it possible ?

Jon Dama jd at ugcs.caltech.edu
Wed Aug 31 00:44:14 GMT 2005


I do not think this is possible with an existing "shrink-wrapped"
solution.

Though, one would expect that it would be a relatively trivial matter to
make a userland application from the linux application filter and then use
the tun/tap(4) driver.

-Jon

On Wed, 31 Aug 2005, [iso-8859-2] Daniel Dvořák wrote:

> Okay, thank you for advise. Maybe I did not understand fully but ...
>
> ... but you know, proxy is not what I am asking, proxy is not firewall.
>
> We do not need to restrict everything and all members.
>
> We like full routeable network with full access to IPv6 / IPv4 internet
> without any necessary action like configure proxy clients at all pc´s our
> members.
>
> We only want to deny only p2p applications by default for all pc´s
> regardless of used protocol/ports and to allow grantting access to p2p
> networks each members in individual way, because we have to prevent another
> letter from our ISP which was contacted by BSA that from our public IP (
> from one member in private ip space ) ... traffic ... share ... violate ...
> authorial law.
>
> So of course it must be combination of IP and application osi model
> firewall.
>
> Gateway server should check all packets and their contents to decide if
> allowed or denied in fast way like l7-filter on Linux OS.
>
> So is it possible on FreeBSD OS ?
>
> Thanks
>
> Since my question here is not right like somebody told me, this is last
> e-mail in this mailling list for this theme, and I send it to
> freebsd-question, freebsd-ipfw and freebsd-pf mailling lists.
>
> Dan
>
> -----Original Message-----
> From: owner-freebsd-current at freebsd.org
> [mailto:owner-freebsd-current at freebsd.org] On Behalf Of Charles Swiger
> Sent: Tuesday, August 30, 2005 9:51 PM
> To: dandee at volny.cz
> Cc: freebsd-current at freebsd.org
> Subject: Re: Application layer firewall on FreeBSD, is it possible ?
>
> On Aug 30, 2005, at 2:58 PM, Daniel Dvořák wrote:
> > let me ask you for task "how to control p2p applications and their
> > traffic with dynamic ports from user´s commputers on gateway".
> >
> > We are small wireless community and have shared access to internet for
> > all members. Core members decided to control p2p traffic by default
> > and to allow each person in individual way, after showing their
> > knowledge of authorial low. :)
> >
> > But since many dc hubs, edonkey servers, bittorents web trackers and
> > so on use dynamic not standard ports, how to control it ?
>
> Start with a "deny all" policy, and use L7 proxies like squid for the
> specific protocols like HTTP which you want to permit.  If you're really
> serious about controlling the traffic, don't let your router talk to
> anything but your proxy server in order to be certain that the client
> machines have to go through that.
>
> --
> -Chuck
>
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"
>
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"
>


More information about the freebsd-current mailing list