PF & BLOCK MP3 (AVI)

Daniel Hartmeier daniel at benzedrine.cx
Wed Jul 13 08:43:54 GMT 2005


On Sun, Jul 10, 2005 at 03:13:36PM +0400, alex-bsd wrote:

> P.S. It is insulting that only my compatriot answered my question, and the developers led by Daniel Hartmeier ignored it :(.

I'm a little tired of repeating my opinion on payload filtering in pf.
The short version is that I don't see how it can be done reliably and I
don't believe there is any packet-level solution that actually works as
people think it does.

We can do a little bet: you set up a web server that's open on port 80,
and serves some document containing a secret. Then you set up iptables
(or any other packet-level filter, but no userland proxy) in front of it
that tries to deny access to that particular document only (through the
payload filtering feature, keeping the port open, so that other
documents can be retrieved). Then you publish the IP address and the
protected URL, and allow us to play with it.

If I can't retrieve the document, I promise to learn how the feature was
successfully implemented and implement it for you in pf. However, if I
can retrieve it, you paypal me $500 and publicly admit that the feature
is stupid (if you believe it's a flaw in one implementation but not in
the concept itself, we can repeat the procedure with as many
implementations as you like). Deal?

Daniel
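To make the packet-level versus userland-proxy distinction in this thread concrete, here is an added example (not pf, iptables or the author's code) that models a per-segment payload match against a stream-reassembled match on a constructed HTTP request; the document name and request are made up for the demonstration.

```python
# Constructed model of "payload filtering" at two levels (added example, not pf/iptables code).
# A packet-level filter inspects each TCP segment on its own; a userland proxy sees the
# reassembled byte stream, which is the only view in which the request actually exists.

SECRET_PATH = b"/secret.html"  # the one document the filter is supposed to deny (constructed)


def segment(request: bytes, sizes) -> list:
    """Split a request into segments of the given sizes; the remainder goes in a final segment."""
    out, pos = [], 0
    for n in sizes:
        out.append(request[pos:pos + n])
        pos += n
    out.append(request[pos:])
    return out


def packet_filter_blocks(segments) -> bool:
    """Per-segment match: blocks only if the whole pattern lands inside a single segment."""
    return any(SECRET_PATH in seg for seg in segments)


def stream_filter_blocks(segments) -> bool:
    """Reassembled match: joins the stream before matching, as a proxy (or the server) would."""
    return SECRET_PATH in b"".join(segments)


# Constructed requests: one for the protected document, one for a document that must stay reachable.
SECRET_REQUEST = b"GET /secret.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
PUBLIC_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"


def compare(request: bytes, sizes) -> dict:
    """Report what each filter level decides for a given segmentation of a request."""
    segs = segment(request, sizes)
    return {"packet_level": packet_filter_blocks(segs), "stream_level": stream_filter_blocks(segs)}


if __name__ == "__main__":
    # Whole request in one segment: both levels agree.
    print(compare(SECRET_REQUEST, []))
    # The same bytes split after "GET /sec": the per-segment filter no longer sees the pattern,
    # while the reassembled view still does. Nothing on the wire changed except segment sizes.
    print(compare(SECRET_REQUEST, [8]))
    # Other documents stay reachable at both levels, as the bet requires.
    print(compare(PUBLIC_REQUEST, []))
```

The second call is the whole argument in miniature: the request the server will honour is a property of the reassembled stream, so a filter that decides per packet is deciding on something other than what the server sees.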

