Application layer firewall on FreeBSD, is it possible ?
freebsd at meijome.net
Wed Aug 31 12:44:00 GMT 2005
Daniel Dvořák wrote:
> We are a small wireless community and have shared access to the internet for all
> members. Core members decided to control P2P traffic by default and to allow
> each person individually, after showing their knowledge of authorial
> law. :)
I think you mean copyright law.
> But since many DC hubs, eDonkey servers, BitTorrent web trackers and so on
> use dynamic, non-standard ports, how do we control it?
I haven't seen any way to control traffic for P2P apps reliably at the
protocol layer; you need to inspect it. Something like snort attached to
your firewall, I guess... though it'd be a reverse IDS (or a reverse
IPS, intrusion prevention system, I've seen it called...).
A quick search in ports for IDS shows:
/security/libprelude and other prelude-related ports
/security/snortms and other snort-related ports
> Linux uses l7-filter <http://sourceforge.net/projects/l7-filter>, freeware from
> sourceforge, and it is based on iptables, defining application protocols like
> the ethereal project does.
Right - so something like applying ethereal rules to the output of
tcpdump and updating the rules in real time... mind you, many of these
apps/protocols are extremely flexible; they'll change how they connect
very fast, which will put the load on your firewall.
> So, is there any way to do the same application-layer (OSI model) firewall with a
> FreeBSD gateway?
I don't see why not... though it's obvious I'm not sure how :) Please
share the answer when you find it :)
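A port-independent payload classifier in the spirit of the l7-filter approach discussed in this thread, added here as an example (it is not code from the thread, from l7-filter or from snort). The signatures are simplified assumptions written for this example rather than the real l7-filter pattern files, and the member list and sample flows are constructed; it shows why inspecting the payload, not the port, is what separates P2P from web traffic, and how the "block by default, allow cleared members" policy from the first post can be applied on top.

```python
import re

# Port-independent payload signatures in the spirit of l7-filter's pattern files.
# They are simplified assumptions written for this example, not the real l7-filter
# definitions; order matters, the tracker pattern must precede plain HTTP.
SIGNATURES = [
    # BitTorrent peer-wire handshake: 0x13 "BitTorrent protocol"
    ("bittorrent", True, re.compile(rb"^\x13BitTorrent protocol")),
    # BitTorrent tracker announce carried over ordinary HTTP
    ("bittorrent-tracker", True, re.compile(rb"^GET /announce\?[^\r\n]*info_hash=")),
    # eDonkey/eMule: protocol byte 0xE3, 4-byte length, hello opcode 0x01 (assumed)
    ("edonkey", True, re.compile(rb"^\xe3.{4}\x01", re.DOTALL)),
    # Direct Connect (NMDC) greeting commands exchanged with a hub
    ("directconnect", True, re.compile(rb"^\$(Lock|MyNick|Supports) ")),
    # Plain HTTP, kept so the classifier can tell web traffic from P2P
    ("http", False, re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
]

def classify(payload: bytes) -> str:
    """Name the application protocol from payload bytes alone, ignoring ports."""
    for name, _is_p2p, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"

def decide(src_ip: str, payload: bytes, allowed_p2p: set) -> tuple:
    """Policy from the thread: block P2P by default, pass it for listed members."""
    proto = classify(payload)
    is_p2p = any(name == proto and p2p for name, p2p, _ in SIGNATURES)
    return (proto, "block" if is_p2p and src_ip not in allowed_p2p else "pass")

# Constructed sample flows (src_ip, dst_port, first client payload bytes). The
# BitTorrent handshake goes to port 80 and the tracker announce to port 6881
# to show that the port alone says nothing about the protocol.
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 40),
    ("10.0.0.7", 6881, b"GET /announce?info_hash=abc&peer_id=x HTTP/1.1\r\nHost: t\r\n\r\n"),
    ("10.0.0.9", 411, b"$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=HUBVER|"),
    ("10.0.0.5", 4662, b"\xe3\x10\x00\x00\x00\x01" + b"\x00" * 16),
    ("10.0.0.7", 4662, b"\xe3\x10\x00\x00\x00\x01" + b"\x00" * 16),
]
ALLOWED_P2P = {"10.0.0.7"}  # constructed: the one member cleared for P2P

def run_policy(flows=SAMPLE_FLOWS, allowed=ALLOWED_P2P) -> list:
    """Return (src_ip, dst_port, protocol, verdict) for every sample flow."""
    return [(ip, port) + decide(ip, data, allowed) for ip, port, data in flows]

if __name__ == "__main__":
    for ip, port, proto, verdict in run_policy():
        print(f"{ip:<10} port {port:<5} {proto:<19} {verdict}")
```

On a real gateway the payload bytes would come from the inspection point the thread talks about (a snort or tcpdump feed), and the verdicts would be pushed into the firewall's rules; here the flows are embedded so the logic runs offline.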