PF & BLOCK MP3 (AVI)
Greg Hennessy
Greg.Hennessy at nviz.net
Sun Jul 10 12:06:47 GMT 2005
> > Indeed, many commercial firewall vendors offer content
> > inspection in their products because customers want to buy it.
> Unfortunately, I do not know similar let and commercial
> realizations similar let under BSD, capable of filtering content
> on FIREWALLS.
That's because you haven't looked hard enough.
> On Linux in IPTABLES it works remarkably, and I do not see
> the global reasons why on BSD in PF it cannot be realized,
> even in the form of a patch or something similar?!??!
It doesn't 'work', period. Pattern matching on a packet-by-packet basis is a
complete waste of time unless the pattern matching algorithms do full
reassembly and are application aware, which is exactly what Content
Inspection/Fixups in commercial firewall products do (some better than
others, mind you).
> P.S. It is insulting that only my compatriot has answered my question,
> and the developers led by Daniel Hartmeier have ignored it :(.
That's because running a regex against each packet is a daft idea, a
performance killer and a self-inflicted DoS attack waiting to happen.
5 minutes of googling provides far superior and scalable solutions which can
dynamically update PF tables to kill unauthorised traffic.
Such as:
http://www.snortsam.net/index.html
Greg
More information about the freebsd-pf mailing list