Application layer firewall on FreeBSD, is it possible ?
Nick Buraglio
nick at buraglio.com
Wed Aug 31 13:30:00 GMT 2005
I think what the pf developers will tell you (and what I think is correct) is that firewalling is meant for layer 3 and layer 7 is meant to be proxied. I hear the l7 stuff for Linux is somewhat of a messy hack (although it does seem to work). I asked what they thought of this a few years ago just out of curiosity and was answered with some fairly good responses re: l7 filtering. At least in regards to pf, I don't think it will ever be able to do it since that's not really what it's for (again, though, I'm not a developer on that project so I really have no idea of their roadmap). I'd recommend a combination of snort2pf and transparent squid to start; of course you can always use the Linux stuff if you aren't opposed to using Linux.

Check out snort2pf: http://www.thinknerd.org/~ssc/wiki/doku.php?id=snort2pf
It should do what you want it to do.
nb
On Aug 30, 2005, at 7:16 PM, Daniel Dvořák wrote:
> ... but you know, proxy is not what I am asking, proxy is not a firewall.
>
> We do not need to restrict everything and all members.
>
> We like a fully routable network with full access to the IPv6 / IPv4 internet without any necessary action like configuring proxy clients on all our members' PCs.
>
> We only want to deny p2p applications by default for all PCs regardless of the protocol/ports used, and to allow granting access to p2p networks to each member individually, because we have to prevent another letter from our ISP, which was contacted by BSA that from our public IP ( from one member in private ip space ) ... traffic ... share ... violate ... authorial law.
>
> So of course it must be a combination of IP and application OSI model firewall.
>
> The gateway server should check all packets and their contents to decide if allowed or denied in a fast way like l7-filter on Linux OS.
>
> So is it possible on FreeBSD OS ?
>
> Thanks
>
> Dan
>
> _____
>
> From: Daniel Dvořák [mailto:dandee at hellteam.net]
> Sent: Wednesday, August 31, 2005 1:47 AM
> To: 'freebsd-questions at freebsd.org'; 'freebsd-ipfw at freebsd.org'; 'freebsd-pf at freebsd.org'
> Subject: Application layer firewall on FreeBSD, is it possible ?
>
> Hi all,
>
> let me ask you about the task "how to control p2p applications and their traffic with dynamic ports from users' computers on the gateway".
>
> We are a small wireless community and have shared access to the internet for all members. Core members decided to control p2p traffic by default and to allow each person individually, after showing their knowledge of authorial law. :)
>
> But since many DC hubs, eDonkey servers, BitTorrent web trackers and so on use dynamic, non-standard ports, how to control it ?
>
> Linux uses l7-filter <http://sourceforge.net/projects/l7-filter>, sourceforge freeware; it is based on iptables and defines application protocols like the Ethereal project does.
>
> So, is there any way to do the same application-layer OSI model firewall with a FreeBSD gateway ?
>
> Of course, I tried to find it on the web, but I have not been successful in searching so far.
>
> If my question is not right for this mailing list, if my question is annoying here, then I am sorry.
>
> Dan
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
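Below is an added pf.conf sketch, not taken from the thread or from the snort2pf or Squid projects, showing how the reply's advice fits together on a FreeBSD gateway of that era: layer 3/4 policy lives in pf, HTTP is handed to a transparent Squid, and snort2pf feeds detections into a pf table. The interface names, the 192.168.1.0/24 member network, the file path for the allow list and the table name `<snort2pf>` are all assumptions; the table name in particular must match whatever snort2pf is configured to write to. The default policy is deny for member hosts except a small set of well-known services, with per-member full access granted through the `<p2p_allowed>` table, which is the "deny by default, allow individually" policy the original question asked for.

```conf
# Added example pf.conf (FreeBSD 5.x/6.x-era pf syntax, not from the thread).
ext_if = "fxp0"            # assumed external interface
int_if = "fxp1"            # assumed internal interface
lan    = "192.168.1.0/24"  # constructed member network

# Members granted unrestricted (incl. P2P) access, one address per line.
# The file path is an assumption; edit the file and run `pfctl -t p2p_allowed -T replace -f /etc/pf/p2p_allowed`.
table <p2p_allowed> persist file "/etc/pf/p2p_allowed"

# Addresses inserted by snort2pf when Snort raises an alert.
# The table name is an assumption and must match the snort2pf configuration.
table <snort2pf> persist

scrub in all

# Redirect member HTTP to a transparent Squid listening on the gateway
# (3128 is Squid's default port). Translation happens before filtering,
# so the pass rule below matches the translated destination.
rdr on $int_if inet proto tcp from $lan to any port 80 -> 127.0.0.1 port 3128

# NAT the private member network out the external interface.
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny, logged, then explicit quick passes.
block log all
pass quick on lo0 all

# Hosts flagged by snort2pf lose outbound access until removed from the table.
block in log quick on $int_if from <snort2pf> to any

# Members with granted access get full outbound connectivity.
pass in quick on $int_if from <p2p_allowed> to any keep state

# Everyone else: the redirected web traffic plus a few well-known services.
# Dynamic-port P2P sessions have no matching pass rule and hit the default block.
pass in quick on $int_if inet proto tcp from $lan to 127.0.0.1 port 3128 keep state
pass in quick on $int_if inet proto udp from $lan to any port 53 keep state
pass in quick on $int_if inet proto tcp from $lan to any port { 25, 110, 143, 443, 993, 995 } keep state

# Let the gateway's own and translated traffic out.
pass out quick on $ext_if from any to any keep state
```

Load it with `pfctl -f /etc/pf.conf` and watch `pfctl -t snort2pf -T show` to see which hosts snort2pf has added. Squid has to be told to accept intercepted connections (the directive depends on the Squid version; check the version's documentation for its transparent-proxy option), and this ruleset only covers IPv4 (`inet`): pf of that era had no NAT or rdr for IPv6, so IPv6 member traffic would need separate filter rules.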