PF & BLOCK MP3 (AVI)

Jeremie Le Hen jeremie at le-hen.org
Wed Jul 20 18:02:46 GMT 2005


Hi Alex,

> I do not absolutely understand how we can play with Daniel.
> At work I do not use Linux.
> Many of my friends use Linux as a gateway.
> The presence of this function in IPTABLES is very convenient for them.
> This IPTABLES function has been used by them for a long time; no
> problems connected with the use of this feature were observed by them.
> 
> The filtering of mp3 files is used to economize on traffic.
> Many managers and secretaries use the Internet only for downloading mp3
> and avi :) 
>
> Content checking is done by them only on the internal interface
> (checking the client's request).
> 
> Will DoS attacks be dangerous if content checking is used
> ONLY on the local interface?
> I doubt that the secretary will start to attack the gateway :) 

You clearly don't understand this topic very well with regard to what you
are saying.

- Blocking packets containing the string ".mp3" will block HTTP and DNS
  requests; this is partly true.  But this will also block the web pages
  that speak of the MP3 format without providing MP3 files to
  download; this will also block mails that contain the string ".mp3",
  which means that your users won't be able to exchange private mails
  speaking of MP3s.  There may be some cookies or hash values used in a
  dynamic website containing the string ".mp3" too; this would prevent
  you and your users from using them optimally, dropping unexpected random
  packets in this case.
  Furthermore, you should know that most AVIs and MP3s are downloaded with
  P2P, so you should block P2P instead.  This is done by only enabling a
  few authorized ports to go through your firewall (HTTP, DNS, ...).

- Firewalls actually only look at the packet header, which is in the worst
  case less than 100 bytes.  With an MTU of 1500 bytes, making the firewall
  look at the whole packet will *obviously* decrease performance a lot.
  While Linux used to have everything and the craziest things available as
  kernel patches spread all over the web, BSD used to implement only
  neat and efficient solutions.  The NetFilter ``string'' match is not
  what we can call a neat and efficient solution (see above).

- Finally, to emphasize the fact that you don't know what you are talking
  about, filtering on the internal interface won't change things, for
  two reasons:
	* All traffic from your LAN to the Internet and vice versa will
	  go through your firewall anyway.
	* If you were clever enough, you would use your ``string'' match
	  at the bottom of your rules to optimize performance.  Even
	  if you are redirecting some ports on your internal network,
	  whether the packet will be dropped or not won't make a difference,
	  since the whole packet content will be scanned anyway.

So please, stop pissing us off now, and go use Linux.  If you still want
to use FreeBSD, please learn to understand what people are telling you
and stop feeling that you know everything better than others: when the
firewall developer himself tells you that an idea is foolish, there are
very good chances that this idea is foolish.

Sorry for being rude, but you went too far this time.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
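The false positives and the port-based alternative argued above, as an added example that is not part of the thread and uses no real pf or netfilter code: constructed sample packets are run through a naive whole-payload ".mp3" substring match and through an allow-list of authorized destination ports (the port set is an assumption).

```python
"""Added example: payload substring matching vs. a port allow-list.

All packets below are constructed samples; the 'True'/'False' label says
whether the packet really carries an MP3 download.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    dst_port: int
    payload: bytes
    note: str  # what this constructed sample stands for


SAMPLES = [
    (Packet(80, b"GET /music/track01.mp3 HTTP/1.1\r\nHost: files.example\r\n\r\n",
            "HTTP download of an MP3"), True),
    (Packet(80, b"HTTP/1.1 200 OK\r\n\r\n<p>The .mp3 format is lossy.</p>",
            "web page that only talks about MP3"), False),
    (Packet(25, b"Subject: hi\r\n\r\nDid you get the .mp3 I mentioned?",
            "private mail mentioning .mp3"), False),
    (Packet(80, b"GET /app HTTP/1.1\r\nCookie: sid=9f3a.mp3Qk7\r\n\r\n",
            "session cookie that happens to contain .mp3"), False),
    (Packet(6881, b"\x13BitTorrent protocol" + bytes(20),
            "P2P transfer (payload has no .mp3 string)"), True),
]


def naive_string_drop(pkt: Packet, needle: bytes = b".mp3") -> bool:
    """Drop if the needle appears anywhere in the payload.

    This has to inspect every payload byte, which is the performance
    cost the reply complains about."""
    return needle in pkt.payload


# Assumed set of authorized service ports (SMTP, DNS, HTTP, HTTPS).
ALLOWED_PORTS = {25, 53, 80, 443}


def port_policy_drop(pkt: Packet) -> bool:
    """Drop anything not addressed to an authorized port (header-only check)."""
    return pkt.dst_port not in ALLOWED_PORTS


def evaluate(policy):
    """Return (false_positives, false_negatives) of a drop policy over SAMPLES."""
    fp = [p.note for p, is_mp3 in SAMPLES if policy(p) and not is_mp3]
    fn = [p.note for p, is_mp3 in SAMPLES if not policy(p) and is_mp3]
    return fp, fn
```

Running `evaluate` over both policies shows the substring match dropping three legitimate packets while missing the P2P transfer, and the port policy dropping none of them while missing only the direct HTTP download.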


More information about the freebsd-pf mailing list