 From:  "Sancho2k.net Lists" <lists at sancho2k dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] layer 7 integration
 Date:  Sat, 12 Mar 2005 10:39:57 -0700
Rob Kruit wrote:
> Sounds really great; unfortunately, I do not have enough experience to
> implement such a solution with Linux.

Bah, it's documented as well as anything else.

> The port filtering solution I provided
> actually is very effective, as it blocks any outgoing connections from the
> client to ports other than 21, 80 and 110: it would not allow anyone to
> download from the client PC, and it would not allow the client to make any
> outgoing connections to ports other than 80, 21 and 110, effectively blocking
> about 99% of the p2p downloads, since only a few people have their p2p client
> running on one of those ports. This is a solution that is used with many
> commercial firewalls (only open what you have to use) and has proven very
> effective. However, it also greatly reduces the flexibility of your internet
> connection. But if m0n0wall is ever going to support packet content matching,
> I am definitely going to use it!

The real problem with L7 filtering on embedded devices is the resource 
usage. The second problem may be porting existing functionality to 
BSD/m0n0wall. I'd guess there are more pressing items to be developed 
than this ATM.
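As an added illustration of the difference between the port allow-list described in the quoted post and the packet content matching it asks about (example code, not from the m0n0wall project or from either poster): the flows below are constructed, and the classifier is a simplified exact-prefix check on the client's first payload bytes, an assumption standing in for the regex-over-first-packets approach a real L7 engine would use. The BitTorrent peer handshake really does begin with the byte 0x13 followed by the string "BitTorrent protocol".

```python
"""Port-based egress allow-list vs. a minimal payload (L7) classifier.

Added example. Sample flows are constructed, not captured traffic, and the
signature checks are deliberately simplified prefix matches.
"""
from dataclasses import dataclass

# Egress allow-list from the quoted post: FTP control, HTTP and POP3 only.
ALLOWED_DST_PORTS = frozenset({21, 80, 110})

# BitTorrent peer handshake: <pstrlen=19><"BitTorrent protocol"><8 reserved>
# <20-byte info_hash><20-byte peer_id>. Only the fixed prefix is matched here.
BITTORRENT_PREFIX = b"\x13BitTorrent protocol"
# Assumption: plain-text HTTP requests start with one of these methods.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")

# Application classes the L7 policy refuses to let out.
BLOCKED_APPS = frozenset({"bittorrent"})


@dataclass(frozen=True)
class Flow:
    src_port: int
    dst_port: int
    payload: bytes  # first bytes sent by the client


def port_filter(flow: Flow) -> bool:
    """True if the port-only policy lets the flow out."""
    return flow.dst_port in ALLOWED_DST_PORTS


def classify_payload(payload: bytes) -> str:
    """Name the application from the client's opening bytes."""
    if payload.startswith(BITTORRENT_PREFIX):
        return "bittorrent"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def l7_filter(flow: Flow) -> bool:
    """Port policy plus content inspection: p2p is blocked whatever port it uses."""
    return port_filter(flow) and classify_payload(flow.payload) not in BLOCKED_APPS


# Constructed sample flows: 8 reserved bytes + 40 bytes of hash/peer id.
_BT_BODY = b"\x00" * 8 + b"x" * 40
SAMPLE_FLOWS = {
    "web": Flow(51000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "bt_default_port": Flow(51001, 6881, BITTORRENT_PREFIX + _BT_BODY),
    "bt_on_port_80": Flow(51002, 80, BITTORRENT_PREFIX + _BT_BODY),
}


def evaluate(flows=SAMPLE_FLOWS) -> dict:
    """Map each flow name to (allowed_by_port_filter, allowed_by_l7_filter)."""
    return {name: (port_filter(f), l7_filter(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:16s} port-filter={verdict[0]!s:5s} l7-filter={verdict[1]}")
```

The third flow is the case the quoted post concedes: a client that moves its p2p traffic onto port 80 sails through the port allow-list, and only inspecting the payload catches it. The trade-off the reply raises also shows here in miniature: the L7 path has to touch payload bytes for every new stream, which is the CPU and memory cost that matters on an embedded box.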