Re: improve ipfw rules

From: Christophe Prevotaux (c.prevotaux_at_hexanet.fr)
Date: 02/24/04

  • Next message: Borja Marcos: "Re: improve ipfw rules"
    Date: Tue, 24 Feb 2004 17:07:35 +0100
    To: Richy Kim <rkim@sandvine.com>
    
    

    AFAIK,

    It is impossible to truly block P2P traffic with any standard
    firewalling system. It is the holy grail of ISPs these days.

    I know of only one system that can do this effectively, and it is
    commercial (http://www.qosmos.fr), as I have already stated on other
    FreeBSD mailing lists.

    The way they do it is by implementing a protocol analyser (on-the-fly
    analysis) that has protocol dictionaries and syntax, which can go up
    the layers and block on the fly any traffic that it has been specified
    to block.

    It is my hope that someday someone will step in and implement a similar
    system under FreeBSD. But I think it requires quite a lot of work and possibly
    a major rebuilding of ipfw if it needs to be integrated (which would be great).

    On Tue, 24 Feb 2004 10:09:24 -0500
    Richy Kim <rkim@sandvine.com> wrote:

    > >> 3. I'm interested in blocking kazaa/P2P traffic with IPFW any help in this
    > issue
    > you could possibly block connections at known p2p ports.
    > deny tcp from any to any 6699 setup
    > but most of the newer protocols use dynamic ports and in turn, are
    > configurable.
    > so ipfw isn't exactly ideal on its own for this.
    >
    > -r.
    >

    --
    ===============================================================
    Christophe Prevotaux              
    ===============================================================
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
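
    The following is an added example, not code from either poster or from
    the qosmos product: it puts the two approaches discussed in this thread
    side by side. A port-based rule set in the spirit of Richy's "deny tcp
    from any to any 6699 setup" is applied to a handful of constructed first
    segments, and so is a small payload-signature classifier of the kind
    Christophe describes (match the protocol itself, whatever port it runs
    on). The port list, the two signatures and all packet contents are
    assumptions constructed for the example; they are not a complete or
    current P2P signature set, and ipfw itself cannot express the payload
    check, which is exactly the gap the thread is talking about.

```python
"""
Added example (not from the original thread): why a port-based ipfw rule
such as "deny tcp from any to any 6699 setup" cannot reliably block P2P
traffic, and what a payload-aware protocol identifier does differently.

Everything below is constructed for illustration. The port list and the two
payload signatures are assumptions chosen to make the point; they are not a
complete or current P2P signature set.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """First data segment of a TCP flow, as a firewall would see it."""
    src: str
    dst: str
    dport: int
    payload: bytes


# --- Layer 3/4 approach: the only thing ipfw can match on --------------------

# Default ports of P2P clients of the era (assumed for this example).
P2P_PORTS = {1214: "kazaa", 6699: "winmx", 6346: "gnutella"}


def ipfw_port_rules(start=1000):
    """Render the port list as ipfw rules, one 'setup' rule per port."""
    return [f"add {start + 10 * i} deny tcp from any to any {port} setup"
            for i, port in enumerate(sorted(P2P_PORTS))]


def port_rule_blocks(seg):
    """True if a port-based rule would drop this flow's SYN."""
    return seg.dport in P2P_PORTS


# --- Layer 7 approach: match the protocol, whatever port it uses -------------

SIGNATURES = {
    # Gnutella handshake: literal banner at the start of the stream.
    "gnutella": re.compile(rb"^GNUTELLA CONNECT/\d\.\d\r\n"),
    # FastTrack/KaZaA transfers looked like HTTP but carried X-Kazaa-* headers
    # (the header name used here is an assumption for the example).
    "kazaa": re.compile(
        rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n(?:[^\r\n]+\r\n)*?X-Kazaa-[A-Za-z-]+:"),
}


def classify(seg):
    """Name of the P2P protocol recognised in the payload, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.match(seg.payload):
            return name
    return None


# Constructed flows: two KaZaA-style transfers (default port and a dynamic
# port), a Gnutella handshake, plain HTTP on 80, and plain HTTP on 6699.
FLOWS = [
    Segment("10.0.0.5", "203.0.113.7", 1214,
            b"GET /.hash=abc HTTP/1.1\r\nHost: 203.0.113.7:1214\r\n"
            b"X-Kazaa-Username: alice\r\nX-Kazaa-Network: KaZaA\r\n\r\n"),
    Segment("10.0.0.5", "198.51.100.9", 40123,
            b"GET /.hash=abc HTTP/1.1\r\nHost: 198.51.100.9:40123\r\n"
            b"X-Kazaa-Username: alice\r\n\r\n"),
    Segment("10.0.0.6", "192.0.2.44", 6346,
            b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/3.8\r\n\r\n"),
    Segment("10.0.0.7", "192.0.2.80", 80,
            b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Segment("10.0.0.8", "192.0.2.99", 6699,
            b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]


def evaluate(flows=FLOWS):
    """Map (src, dport) -> (blocked by port rule?, protocol by signature)."""
    return {(f.src, f.dport): (port_rule_blocks(f), classify(f)) for f in flows}


if __name__ == "__main__":
    print("\n".join(ipfw_port_rules()))
    for (src, dport), (blocked, proto) in evaluate().items():
        print(f"{src:>10} -> :{dport:<6} port rule: {'deny' if blocked else 'pass':4}"
              f"  signature: {proto or '-'}")
```

    Running it shows both failure modes of the port approach at once: the
    KaZaA-style transfer on port 40123 sails through the port rules while
    the signature still names it, and the ordinary web server that happens
    to listen on 6699 is dropped by the port rule although no signature
    matches. The signature side has its own limits, which the example does
    not hide: it only sees the first segment, so a protocol whose
    distinctive bytes arrive later, or that is encrypted or obfuscated,
    needs the kind of stateful, multi-layer analysis Christophe attributes
    to the commercial product rather than a single regular expression.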
    
