l7-filter
Ante Karamatić
ivoks at grad.hr
Sun Jun 5 09:11:14 UTC 2005
Hi!
One of the goals for breezy is to develop an easy to use firewall manager. As we
all know, there is no easy way to filter P2P protocols. We can block
ports, but P2P programs tend to change ports and, in the end, you can't
do anything about them.
So, there is a patch that could help us create an easy to use firewall. It
is a patch for netfilter and the iptables userland tool. It enables us to
create a rule like "block everything, but allow P2P and ICQ/Jabber
connections to me".
Filtering is done on application layer, so it doesn't care about ports
or applications that are in use. It checks protocol!
If we have a kernel/iptables that implement this, writing a python program
that will do things like this wouldn't be hard. The user would have the option
to enable P2P networks one-by-one (or all of them).
I did some testing and I am running this deployment in a couple of places. One
firewall is a transparent proxy/filter for over 300 computers. And it
isn't some fancy hardware.
Fabio said patching the kernel is possible if the userland tools were
developed. That's why I'm crossposting this, because I know there are a few
people interested in creating an easy to use firewall on ubuntu-devel.
--
Ante Karamatic|--|ivoks(@)grad.hr|--|PGP: D3BDA225
http://master.grad.hr/~ivoks/|--|ICQ: 64631782
May, 15. <herve> we're fixing the universe, it's not an easy duty!
More information about the kernel-team mailing list