 From:  Rob Kruit <rob dot kruit at quicknet dot nl>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] layer 7 integration
 Date:  Sat, 12 Mar 2005 09:39:26 +0100
I think this would be very hard to do, if not impossible. Letting it 
operate on layer 7 would require it to be an application-level firewall 
like many desktop firewalls, and to provide such functionality it is 
required to run on the client PC on which the applications you wish to 
block/filter are running, or, like Microsoft ISA Server, to run a firewall 
client on the client PCs. This would mean there has to be a piece of 
client software running on the client PCs, authenticating the local 
users against the firewall's user database and then monitoring those p2p 
applications locally for what ports they use, which is then sent to 
the firewall, which would dynamically filter these ports. Doing this 
would be extremely difficult and I don't think it's going to be in any next 
versions of m0n0wall.
Another option is using the p2p wizard in m0n0wall's traffic shaping 
options, or simply setting bandwidth limits and low priorities on connections 
to and from any port except connections to ports 80, 21 and 110. This 
would permit them to use HTTP, FTP and mail traffic at full speed, but 
any other traffic is limited.


Rob Kruit

Brian Morton wrote:

> I was thinking today about how great it would be to be able to keep my 
> roommates from just changing their port #s to get around my traffic 
> shaping, and then it hit me that the layer 7 traffic shaper would be 
> better suited to the purpose of the m0n0wall traffic shaper than a 
> port-based system.  What is the possibility of getting this integrated 
> into m0n0?  I know very, very little about FreeBSD or if this is even 
> possible, but just wanted to throw it out there and see what you guys 
> thought.