You can filter layer 7 with Snort. For example, detect BitTorrent and P2P traffic with Snort and drop it.
2010/9/24 Ross Cameron <ross.came...@unix.net>

> Depends what you want to do exactly I suppose...
>
> Personally I use Linux based firewalls for many of my sites purely because
> the clients in question want deep packet inspection (aka OSI layer 7
> filtering) done on the network traffic.
> But that said they are always the second skin firewalls, sitting behind
> PF firewalls, filtering outbound traffic while the OpenBSD/FreeBSD boxen
> filter inbound traffic.
>
> That's just my 5c worth and I've always been of the opinion that at least
> two different skins of firewalls should be deployed, built on top of
> different technologies.
> Makes life a lot harder for whomever you want to keep out.
>
> "Opportunity is most often missed by people because it is dressed in
> overalls and looks like work."
> Thomas Alva Edison
> Inventor of 1093 patents, including:
> The light bulb, phonogram and motion pictures.
>
> On Wed, Sep 22, 2010 at 9:29 PM, Rikky Taylor <rikkytay...@hotmail.co.uk>
> wrote:
>
> > I was after some general advice. I need to setup a routing firewall with
> > 3 interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
> >
> > Given identical modern server hardware would I expect a performance
> > difference between an OpenBSD/PF setup and a Linux/IPTables one?
> >
> > Rikky