For Layer-7 filtering, you could check Application Layer Packet Classifier for Linux: http://l7-filter.sourceforge.net/
Kernel Iptables Layer 7: http://l7-filter.sourceforge.net/HOWTO-kernel

Best regards,
Jonas Andradas.

On Dec 14, 2007 6:53 PM, Roman Medina-Heigl Hernandez <[EMAIL PROTECTED]> wrote:
> Willi Mann wrote:
>
> >> I'm interested in a better authentication method than registering all
> >> the MACs+IPs of all my users (which after all is just dust in the wind
> >> ...) using my current hardware (16 servers, 1 for at least 250
> >> clients). I was thinking about PPP-based authentication but it doesn't
> >> look very scalable and secure ... am I wrong?
> >
> > openvpn might be an easier solution.
> >
> >> Also due to the fact that my ISP doesn't agree with opening all ports
> >> and traffic shaping due to possible attacks, most of my clients are
> >> using tunneling methods like "your freedom" and "surf no limit", which
> >> currently produce a high CPU usage on all the servers due to the
> >> CONNECT method in the Squid Proxy Cache. Currently I just drop/traffic
> >> shape the tunneled P2P traffic via the ipp2p/l7-filter module of iptables.
> >> I still believe that opening all ports and traffic shaping them would be
> >> the only solution ... but this would impose a high network security
> >> ... so I'm back to point 1 ... suggestions?!
> >
> > Does that mean that you allow CONNECTs to all ports?
>
> If you want to permit HTTPS, you have to allow CONNECT to (at least)
> 443/tcp. So it's easy to tunnel through that port and get a "clean"
> internet connection.
>
> I don't know of any solution (level 7 filtering, etc.) able to defeat this
> kind of trick.
>
> --
>
> Regards,
> -Roman
>
> PGP Fingerprint:
> 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
> [Key ID: 0xEAD56742. Available at KeyServ]
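Roman's point above is that CONNECT to 443/tcp has to stay open for HTTPS, so a filter on the port alone cannot tell a tunnel from a browser session. What a proxy admin can still do is watch the proxy's own log for CONNECT sessions that do not behave like HTTPS page loads (held open for a very long time, moving far more data than a page, or aimed at a port other than 443). The script below is an added example, not code from this thread or from Squid/l7-filter; the Squid native-format access.log entries are constructed, and the thresholds are assumptions to tune for your own traffic.

```python
from collections import defaultdict

# Thresholds are assumptions for illustration, not Squid or l7-filter settings.
LONG_SESSION_MS = 10 * 60 * 1000      # ordinary HTTPS rarely holds a CONNECT this long
BIG_SESSION_BYTES = 50 * 1024 * 1024  # 50 MB through one CONNECT is unusual for a web page
ALLOWED_CONNECT_PORTS = {443}         # the port that must stay open for HTTPS

def parse_line(line):
    """Parse one Squid native access.log line; return None unless it is a CONNECT."""
    f = line.split()
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    host, sep, port = f[6].rpartition(":")   # CONNECT target is host:port
    if not sep:
        host, port = f[6], ""
    return {"ts": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "status": f[3], "bytes": int(f[4]), "host": host,
            "port": int(port) if port.isdigit() else None}

def classify(rec):
    """Reasons a CONNECT looks like a tunnel (empty list means it looks like plain HTTPS)."""
    reasons = []
    if rec["port"] not in ALLOWED_CONNECT_PORTS:
        reasons.append("non-443 port")
    if rec["elapsed_ms"] >= LONG_SESSION_MS:
        reasons.append("long-lived")
    if rec["bytes"] >= BIG_SESSION_BYTES:
        reasons.append("high volume")
    return reasons

def suspicious_clients(lines):
    """Count flagged CONNECTs per client IP: {client: {reason: count}}."""
    out = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for r in classify(rec):
            out[rec["client"]][r] += 1
    return {c: dict(v) for c, v in out.items()}

# Constructed sample entries in Squid native format (not taken from any real proxy):
# timestamp elapsed_ms client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1197652391.123 812 10.0.0.5 TCP_MISS/200 15320 CONNECT mail.example.net:443 - DIRECT/192.0.2.10 -
1197652400.456 4200000 10.0.0.9 TCP_MISS/200 734003200 CONNECT relay.example.org:443 - DIRECT/198.51.100.7 -
1197652410.789 300 10.0.0.9 TCP_MISS/200 2048 CONNECT peer.example.com:8080 - DIRECT/203.0.113.3 -
1197652420.000 1500 10.0.0.5 TCP_MISS/200 40211 GET http://www.example.com/ - DIRECT/192.0.2.20 text/html
""".splitlines()

if __name__ == "__main__":
    for client, reasons in suspicious_clients(SAMPLE_LOG).items():
        print(client, reasons)
```

On the constructed sample, only 10.0.0.9 is reported (one long, high-volume CONNECT to 443 and one CONNECT to 8080), while 10.0.0.5's short CONNECT to 443 is left alone as a normal HTTPS session.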