Topic: Block all traffic except specific application layer protocol

dwebber

Block all traffic except specific application layer protocol
« on: November 23, 2012, 08:14:53 pm »
I see how traffic for specific protocols can be rate limited; however, how can all traffic be blocked except for a specific application layer protocol?

Thanks, Duane

ichat

Re: Block all traffic except specific application layer protocol
« Reply #1 on: November 23, 2012, 08:55:27 pm »
The quick answer: block all ports except those you need for your specific protocol...

The correct answer: you can't (easily), as you would need "Deep Packet Inspection", which is a terrible thing to implement, both in 'system usage' as well as in 'required technical skill'...
Edit: one possible lib you could use for network inspection: http://www.ntop.org/products/ndpi/


Update: did I just forget about Zentyal's l7 filters? ... They can be installed using the Zentyal components installer and already nicely integrate with the iptables guy.
« Last Edit: November 23, 2012, 09:23:06 pm by ichat »
All tips, hints and advice are based on my personal experience.
As I try my best to be as accurate as possible, following my advice is always at your own risk,
I claim absolutely NO responsibility in any way!
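To make the two halves of the reply above concrete (the "block all ports except the ones you need" allow-list, and the l7-filter layer that Zentyal's l7 packages wire into iptables), here is an added example that is not from the thread, from Zentyal or from the l7-filter project. It builds a default-deny FORWARD ruleset in iptables-restore format. Assumed, not taken from the thread: the LAN is on eth1, the WAN on eth0, the protocol to allow is plain HTTPS on TCP/443, the l7-filter `xt_layer7` match and its pattern files are installed, and `bittorrent` is one of the installed pattern names. Zentyal generates its own iptables rules, so treat this as an illustration of what the firewall and l7 modules produce, not as something to run on a box Zentyal manages.

```shell
#!/bin/sh
# Added example (not from the forum thread, Zentyal or l7-filter): emit a
# default-deny FORWARD ruleset that lets only the listed TCP ports through and
# DROPs connections that the layer7 match classifies as an unwanted protocol.
# Assumptions: LAN on eth1, WAN on eth0, xt_layer7 + pattern files installed.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"

# build_rules "<tcp ports>" ["<l7 protocol names>"]
#   Print an iptables-restore fragment for the filter table.
build_rules() {
    ports="$1"
    l7protos="${2:-}"
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD DROP [0:0]'          # "block all" is the policy
    # layer7 classifies a connection only after inspecting its first packets,
    # so the DROP must be evaluated on every packet: it has to come before the
    # ESTABLISHED,RELATED shortcut or it never fires on a running flow.
    for proto in $l7protos; do
        printf '%s\n' "-A FORWARD -m layer7 --l7proto $proto -j DROP"
    done
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # "except those you need": one NEW-connection ACCEPT per allowed port.
    for port in $ports; do
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_rules "<ruleset>" -> number of -A lines, for sanity checks
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# apply_rules "<tcp ports>" ["<l7 protocol names>"]
#   Load into the running kernel (root). --noflush leaves INPUT/OUTPUT alone;
#   the FORWARD policy is set and the rules are appended after existing ones.
apply_rules() {
    build_rules "$1" "${2:-}" | iptables-restore --noflush
}

case "${1:-}" in
    apply) apply_rules "${2:-443}" "${3:-}" ;;
    "")    build_rules "443" "bittorrent" ;;    # dry run: print the ruleset
esac
```

Running the script with no arguments prints the ruleset so it can be read before anything is loaded; `./script.sh apply "443" "bittorrent"` loads it. The port allow-list is what actually enforces "only this protocol" in the quick-answer sense; the layer7 rule is deliberately a DROP on known unwanted protocols rather than an ACCEPT on the wanted one, because a connection matches no layer7 protocol until enough of it has been seen, so an ACCEPT-only-if-classified allow-list would drop the opening packets and nothing would ever be classified. Using `-j DROP` rather than a rate-limit target is also the difference between blocking a protocol and merely slowing it down.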

dwebber

Re: Block all traffic except specific application layer protocol
« Reply #2 on: November 28, 2012, 06:56:54 am »
Two aspects to the Zentyal implementation:

    1.  There doesn't appear to be an easy way to specify 'any', that is, each protocol would need to be individually added to a group.  It's workable, but it would be nice to have an 'any' similar to the firewall portion.  Thoughts?
    2.  The only way to restrict traffic appears to be to limit its rate; however, this is obviously not blocking the protocol if the 'Limited Rate' is set to 1 Kbps.  Is there a way to block protocol traffic?

ichat

Re: Block all traffic except specific application layer protocol
« Reply #3 on: November 28, 2012, 06:20:44 pm »
Did you check the l7 packages?

dwebber

Re: Block all traffic except specific application layer protocol
« Reply #4 on: November 29, 2012, 03:33:19 am »
Do you mean during install?  If yes, I installed the l7 protocols.  What am I looking for?  Can you point me to the page in Zentyal that enables the functionality mentioned to block l7 traffic?  I don't see it in Zentyal or the documentation.