Pipes.
Patrick Tracanelli
eksffa at freebsdbrasil.com.br
Fri Jun 17 20:16:41 GMT 2005
Chuck Swiger wrote:
> Alexandre D. wrote:
>
>> The answer is not so easy.
>> P2P is not only based on port numbers.
>> The P2P detection is quite difficult, and maybe impossible.
>
>
> Not at all. Start with "deny all", and only allow stuff through which
> you really need to allow. Blocking all outbound client traffic and
> requiring them to go through a proxy on the LAN is adequate.
>
>> My own position is that ipfw is not able to block P2P
>
>
> Besides, the word was "control". You can shunt all high-priority stuff
> (NTP, DNS, ICMP) into one queue, and put HTTP, FTP, 6667, etc on a
> low-priority queue via dummynet, and/or adjust the permitted bandwidth.
>
I personally like this approach a lot. I think it should be the first
way to try to do what you need with packets which you might need to
"open" and "look inside" to check what kind of traffic it is. At the very
least you will have a very organized gateway/fw/segment of network, with
closed policy and services policy. It might avoid a number of future
problems.
My understanding is that an IP packet filter, as it states, should only
do packet filtering. I dislike "general purpose" tools. Content analysis
"picking the packet, looking at it to figure what kind of data/flow it
is" should be managed by other kind of tools.
Back to the question point, there is a program somewhere in the net
which allows you to "ipfw divert" the traffic to it, which can later
filter traffic based on contents/layer7. You can also use an IDS, say,
snort, and make IPFW filter/pipe/queue traffic for you based on snort
rules/matching. There is "SnortSam" which might fit your needs if you
can have snort.
I don't remember the "divert based" program name or URL, I'll check on my
bookmarks and post it later.
--
Patrick Tracanelli
FreeBSD Brasil LTDA.
The FreeBSD pt_BR Documentation Project
http://www.freebsdbrasil.com.br
patrick @ freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
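The approach discussed in this thread (closed policy, dummynet queues for high- and low-priority traffic, a divert hook for a userland content filter), as an added example that is not part of the original post or of ipfw's own documentation. The interface name, LAN subnet, proxy address, bandwidth and divert port are placeholders (assumptions, not values from the thread); adjust them before loading.

```shell
#!/bin/sh
# Added example: emit an ipfw ruleset of the shape discussed in the thread.
# All values below are placeholders, not from the original post.
IF="${IF:-em0}"                      # outside interface (assumed)
LAN="${LAN:-192.168.1.0/24}"         # LAN segment behind the gateway (assumed)
PROXY="${PROXY:-192.168.1.2}"        # the only host allowed to talk out over TCP (assumed)
BW="${BW:-2Mbit/s}"                  # upstream bandwidth shared by both queues (assumed)
DIVERT_PORT="${DIVERT_PORT:-8668}"   # divert socket of a userland content filter (assumed)

# Print the ruleset, one ipfw command per line.  Save it to a file and load
# it with "ipfw -q <file>" (-q also suppresses the "flush" confirmation).
# With the default net.inet.ip.fw.one_pass=1, a packet leaving a queue is
# accepted, so the queue rules double as the only "allow" rules for egress.
ipfw_rules() {
cat <<EOF
flush
pipe flush
pipe 1 config bw $BW
queue 1 config pipe 1 weight 90
queue 2 config pipe 1 weight 10
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 queue 1 udp from $LAN to any 53,123 out via $IF keep-state
add 310 queue 1 icmp from $LAN to any out via $IF keep-state
add 400 divert $DIVERT_PORT tcp from $LAN to any out via $IF
add 500 queue 2 tcp from $PROXY to any 21,80,443,6667 out via $IF setup keep-state
add 65000 deny log ip from any to any
EOF
}

# Sanity check for a closed policy: the last "add" line must be a deny.
# Returns 0 when the generated ruleset ends in a deny rule, 1 otherwise.
last_rule_is_deny() {
    ipfw_rules | grep '^add ' | tail -n 1 | grep -q '^add [0-9]* deny '
}

# Rules 300/310 put NTP, DNS and ICMP on the 90% weight queue; rule 500 puts
# the proxy's HTTP/FTP/IRC on the 10% queue.  Rule 400 hands outbound LAN TCP
# to the content filter listening on the divert socket; packets it reinjects
# continue at rule 500, so anything not from the proxy still hits the deny.
ipfw_rules
```

Rule 400 only has an effect while a daemon is bound to the divert port; with no listener, diverted packets are dropped, which is the safe failure mode for a closed policy.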