Hi Peter,
> I think what I want is things like blocked outbound port 25 traffic, while allowing MSA,
What is MSA?
> blocking common outbound virus traffic,
To distinguish virus traffic from "normal" traffic you need some sort of application-level gateway like squid for http traffic or an MTA for mail traffic. Pf is great but limited to the header information of the packets.
> having some sort of hierarchical queueing based on client IP addresses (via DHCP) etc. but I am not sure what I really want, hence the request for pointers.
A solution that worked for me is to use the user_auth feature of pf. Before authenticating, my wireless users may only get DNS information and ssh to the AP (of course). After authentication there are separate rules for each user. But this doesn't protect me from users doing nasty things with the protocols they are allowed.
The only way of doing this is to use application proxies.
-volker
Peter
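As an added illustration of the setup described in this thread (this is example configuration written for this page, not Volker's or Peter's own ruleset), the pf.conf below combines the three pieces discussed: outbound port 25 blocked for everyone except the site MTA while the submission port (587, what the MSA uses) stays open, a shared bandwidth queue for the wireless segment, and authpf anchors so that unauthenticated wireless clients get only DNS and ssh to the AP until their per-user rules are loaded. Interface names, addresses and the user name "alice" are assumptions; the queue syntax is the newer OpenBSD form, so older releases would need the ALTQ equivalent.

```pf
# Assumed layout (not from the thread): em0 is the uplink, athn0 the wireless
# AP interface on 192.168.10.1/24, 192.168.1.25 the site MTA, 192.168.1.53 the
# resolver the wireless clients are allowed to query.
ext_if      = "em0"
wifi_if     = "athn0"
wifi_net    = "192.168.10.0/24"
mail_server = "192.168.1.25"
dns_server  = "192.168.1.53"

set skip on lo

# Bandwidth: one shared queue for the wireless segment on the uplink.
queue rootq on $ext_if bandwidth 20M
queue  std  parent rootq bandwidth 15M default
queue  wifi parent rootq bandwidth 5M max 8M

# Default deny; everything below is an explicit exception.
block log all

# Wireless clients are NATed out the uplink and placed in the wifi queue.
match out on $ext_if from $wifi_net to any nat-to ($ext_if)

# Outbound SMTP (port 25) only from the site MTA. Everyone else gets a reset
# and a log line, which is also where infected clients trying to spam show up.
pass out quick on $ext_if proto tcp from $mail_server to any port smtp
block return out log quick on $ext_if proto tcp to any port smtp

# Mail submission (MSA, port 587) stays available to authenticated clients;
# the "pass in" half for each client comes from its authpf rules.
pass out on $ext_if proto tcp from $wifi_net to any port submission set queue wifi
pass out on $ext_if from $wifi_net set queue wifi

# Before authentication a wireless client may only resolve names and ssh to
# the AP itself (the ssh session is what triggers authpf).
pass in quick on $wifi_if proto { tcp udp } from $wifi_net to $dns_server port domain
pass in quick on $wifi_if proto tcp from $wifi_net to ($wifi_if) port ssh

# authpf loads each logged-in user's rules into authpf/<user>(<pid>).
anchor "authpf/*"

# --- /etc/authpf/users/alice/authpf.rules (assumed per-user file) ---------
# authpf substitutes $user_ip, $user_id and $user_if for the session; this
# user may reach anything, which then meets the port 25 block above.
#   pass in quick on $user_if from $user_ip to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and list the user in /etc/authpf/authpf.allow (or give everyone a rules file) so authpf accepts the login. Per-client queues would need one queue definition per client in the main ruleset, since authpf rules cannot define queues.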
