On Tue, 6 Dec 2005, Ejay Hire wrote:

> There are quite a few modules for iptables that will reach up to Layer 7, including several specifically for file sharing applications...
> And one really nifty one that makes non-passive ftp work through NAT.

These are "action" modules - they receive the data when it matches particular netfilter rules and then do something in place where you could have accept or reject. But for L7 filtering you need a module that can be used in place of "source" or "destination" rules. Yes, it is possible to build those with Linux (like ipset - see ipset.netfilter.org - it's pretty cool), but I've not seen ones for L7 classification - at least not public open source ...

The place to find more about iptables is http://www.netfilter.org
For iptables it is http://ebtables.sourceforge.net (this one you need only if you're building a custom Linux bridge).

-- 
William Leibzon
Elan Networks
william@elan.net
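The two kinds of module William contrasts, as an added example that is not part of the thread: an ipset consulted by `-m set --match-set` (a match that stands where a source address would) next to the conntrack FTP helper (an action-side module that tracks the active-mode data connection through NAT). The set name, the 192.0.2.x addresses and eth0 are constructed placeholders; the functions only print the commands, and apply_rules runs them only when APPLY=1 and needs root plus the ipset/iptables userland.

```sh
#!/bin/sh
# Added example, not from the thread. Set name, addresses and eth0 are placeholders.
SET_NAME="blocked_src"

# ipset: the set is consulted by "-m set --match-set", i.e. it stands where
# "-s 192.0.2.10" would, so membership can change without rewriting rules.
ipset_rules() {
    printf '%s\n' \
        "ipset create $SET_NAME hash:ip -exist" \
        "ipset add $SET_NAME 192.0.2.10 -exist" \
        "ipset add $SET_NAME 192.0.2.11 -exist" \
        "iptables -A FORWARD -m set --match-set $SET_NAME src -j DROP"
}

# FTP helper: nf_conntrack_ftp parses the PORT command on the control
# connection and nf_nat_ftp rewrites the address in it, so the server's
# active-mode data connection is tracked as RELATED and passes the
# generic conntrack rule below instead of needing a rule of its own.
ftp_helper_rules() {
    printf '%s\n' \
        "modprobe nf_conntrack_ftp" \
        "modprobe nf_nat_ftp" \
        "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" \
        "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Number of rules that match on set membership (the "source"-style part).
count_set_matches() {
    ipset_rules | grep -c -- '--match-set'
}

# Execute the generated commands one by one, echoing each before it runs.
apply_rules() {
    { ipset_rules; ftp_helper_rules; } | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || return 1
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
fi
```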