referer filtering

Daniel Hartmeier daniel at benzedrine.cx
Fri Sep 26 11:50:55 UTC 2014


On Thu, Sep 25, 2014 at 11:24:01AM -0700, Laszlo Danielisz via freebsd-pf wrote:

> I was wondering how it is possible to accept a connection, let's say on port 80, only if it comes from a specified referer.
> Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2). And server B will only accept the connection if it was sent by A.

You mean filtering based on an HTTP Referer: header?

pf doesn't work on that layer at all.

Technically, B has to accept the client's connection and read the HTTP
request (for the Referer: header) to make its decision. It can produce
an error (or redirect) or close the connection, but "not accepting the
connection" is impossible.

You'd have to do this at the application layer, e.g. Apache has modules
that allow access control based on HTTP headers[1], or use an HTTP proxy
like squid (pf can assist redirecting to it).

Also note that the referer header isn't always reliable, as it can be
faked easily[2].

HTH,
Daniel

[1] http://www.uiowa.edu/server/manual/mod/mod_access_referer.html#motivation
[2] http://www.stardrifter.org/refcontrol/
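
Added example (not part of the original message, and not code from pf, Apache or squid): a minimal Python sketch of the application-layer check described above. The server has to accept the TCP connection and read the request before it can look at Referer:, and the value it checks is whatever the client chose to send. The hostname a.example standing in for server A, and the names referer_allowed, RefererGate and probe, are assumptions made for this illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

ALLOWED_REFERER_HOST = "a.example"  # assumption: hostname of server A


def referer_allowed(referer, allowed_host=ALLOWED_REFERER_HOST):
    """True only if the Referer value is an http(s) URL on allowed_host."""
    if not referer:
        return False
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    # Compare the parsed hostname, not a substring, so that a value like
    # "http://a.example.other.test/" does not match.
    return parts.scheme in ("http", "https") and host == allowed_host


class RefererGate(BaseHTTPRequestHandler):
    def do_GET(self):
        # The TCP handshake is complete and the request has been read by
        # the time this runs: all the server can do now is answer with an
        # error (or redirect), it cannot "not accept" the connection.
        ok = referer_allowed(self.headers.get("Referer"))
        body = b"ok\n" if ok else b"forbidden\n"
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe(referer=None):
    """Run the gate on a loopback port, send one GET, return the status."""
    server = HTTPServer(("127.0.0.1", 0), RefererGate)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port)
    try:
        headers = {} if referer is None else {"Referer": referer}
        conn.request("GET", "/", headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()
        server.shutdown()
        server.server_close()
```

Every request in this sketch comes from the same loopback client; the only thing that changes the outcome is the header value that client supplies, which is why the check cannot serve as authentication.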

