Re: What do we have to do some good layer 7 filtering?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: What do we have to do some good layer 7 filtering?
- From: Thorin Oakenshield <thorin_(_at_)_linux_(_dot_)_it>
- Date: Sat, 26 Jun 2004 07:46:58 +0200
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
On Sat, Jun 26, 2004 at 12:52:56AM -0400, Damian Gerow wrote:
> Thus spake Thorin Oakenshield (thorin_(_at_)_linux_(_dot_)_it) [25/06/04 15:07]:
> : > b) Set a corporate policy about not accessing Hotmail. Just check firewall
[..]
> : is there something wrong in it?
>
> Nope. You'll get something like this:
Ok, now I caught it.
> Client(SYN) -> IM
> IM(SYN+ACK) -> reset by firewall
> Client(SYN) -> IM
> IM(SYN+ACK) -> reset by firewall
>
> And it shall continue ad nauseam. To stop the SYN packets from ever
> leaving (and to help keep the Internet just a tad bit cleaner), I'd suggest
> this instead/as well as:
>
> block return-rst in log quick on $int_if inet proto { tcp, udp } from { $int_net } to { <MSN_Messenger>, <hostname_MSN>, <Yahoo_Messenger>, <ICQ> }
Oh yes, you mean I'd have to use the $internal_net macro (which will
expand to "{ 192.168.3.0/24 192.168.4.0/24 }") instead of the $ext_if
macro so they will be blocked before arriving at the external interface,
is that right?
> That makes sure that any packets destined to these hosts never make it out.
> You may want to add a 'flags S' at the end of that, if you feel so inclined.
THNX again for your help..
--
Pierluigi De Rosa (thorin_(_at_)_durin_(_dot_)_khazad-dum_(_dot_)_net).
<< LINUX: the choice of a GNU generation >>
<< For my real address... ask the Balrog. >>
* Support the League for the Suppression of Trolls *
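As an added illustration (not from either poster), a pf.conf fragment contrasting the two placements discussed above: a rule on $ext_if only resets the SYN+ACK coming back, so the client's SYN still leaves and the retry loop runs, while the same rule on $int_if with return-rst answers the client's own SYN before it reaches the external side. Interface names, the table contents (TEST-NET placeholders) and the $im_hosts macro are assumptions; return-rst is TCP-only, so UDP gets a separate return-icmp rule.

```pf
# Interfaces and internal networks (names and addresses assumed)
ext_if = "fxp0"
int_if = "fxp1"
internal_net = "{ 192.168.3.0/24, 192.168.4.0/24 }"

# IM service addresses: placeholder entries, fill from your own resolver
table <MSN_Messenger>   { 192.0.2.10, 192.0.2.11 }
table <hostname_MSN>    { 192.0.2.12 }
table <Yahoo_Messenger> { 192.0.2.20 }
table <ICQ>             { 192.0.2.30 }
im_hosts = "{ <MSN_Messenger>, <hostname_MSN>, <Yahoo_Messenger>, <ICQ> }"

# Weak placement (kept commented out): by the time the reply arrives on
# $ext_if the client's SYN has already gone out; only the SYN+ACK is reset,
# so the client keeps retransmitting SYNs through the firewall.
# block return-rst in log quick on $ext_if inet proto tcp \
#     from $im_hosts to $internal_net

# Corrected placement: match the client's SYN as it enters on $int_if and
# answer it with a RST, so nothing destined to these hosts leaves at all.
block return-rst in log quick on $int_if inet proto tcp \
    from $internal_net to $im_hosts flags S/SA

# UDP has no RST; send an ICMP unreachable instead so clients give up fast.
block return-icmp in log quick on $int_if inet proto udp \
    from $internal_net to $im_hosts
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` to confirm the blocked SYNs are logged on $int_if and never appear on $ext_if.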