From owner-freebsd-pf@FreeBSD.ORG Wed Jul 20 18:36:03 2005
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 140EF16A41F for ; Wed, 20 Jul 2005 18:36:03 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6417043D46 for ; Wed, 20 Jul 2005 18:36:02 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.12.11) with ESMTP id j6KIa2WE026402 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Wed, 20 Jul 2005 20:36:02 +0200 (MEST)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id j6KIa1lV032389; Wed, 20 Jul 2005 20:36:01 +0200 (MEST)
Date: Wed, 20 Jul 2005 20:36:01 +0200
From: Daniel Hartmeier
To: alex-bsd
Message-ID: <20050720183601.GG20314@insomnia.benzedrine.cx>
References: <42DE87CD.000002.18833@mfront7.yandex.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <42DE87CD.000002.18833@mfront7.yandex.ru>
User-Agent: Mutt/1.5.6i
Cc: Lewis@Alumni.Duke.edu, freebsd-pf@freebsd.org
Subject: Re: PF & BLOCK MP3 (AVI)
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 20 Jul 2005 18:36:03 -0000

On Wed, Jul 20, 2005 at 09:20:13PM +0400, alex-bsd wrote:

> Presence of this function in IPTABLES is very convenient for them.

I'm not sure, but could it be that you over-estimate 'convenience' in this case?
Because it appears to be rather simple to add an HTTP proxy to the mix, which solves the problem both conveniently AND reliably. Take squid or Apache mod_proxy; it shouldn't take more than a rainy afternoon to set it up transparently (using pf to rdr all port 80 traffic through it) for blocking requests based on filename regex matching.

What's not perfectly convenient about that? This is not a black art that requires hours upon hours of complex installation and configuration. Maybe someone can step in and outline the configuration for you.

If you have the choice between a solid solution that requires two hours of setup and an unreliable hack that takes two minutes, do you really choose the hack? What you're asking for is that a programmer spends two WEEKS worth of time giving you this choice on pf/BSD. Doesn't make sense to me, sorry.

Daniel
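As an added illustration of the setup Daniel sketches (this is example configuration written for this archive page, not something from the original mail or from the pf or squid projects): a pf.conf redirect that sends the LAN's port-80 traffic into a local squid, and the squid ACL that denies requests by filename pattern. The interface names, the LAN prefix and the proxy port are assumptions; the pf syntax is the pre-OpenBSD-4.7 form in use in 2005, and the `intercept` keyword is the Squid 3.1+ spelling (older releases used `transparent` on `http_port`).

```conf
# --- /etc/pf.conf fragment (interface and network names are assumptions) ---
ext_if     = "rl0"             # upstream interface
int_if     = "fxp0"            # LAN-facing interface
lan        = "192.168.1.0/24"  # clients whose HTTP requests are intercepted
proxy_port = "3128"            # where squid listens on the firewall itself

# Redirect outbound HTTP from the LAN into the local squid instead of
# letting it leave directly. "rdr pass" also admits the redirected packets,
# so no separate "pass in" rule is needed for them.
rdr pass on $int_if inet proto tcp from $lan to any port 80 \
    -> 127.0.0.1 port $proxy_port

# Let the proxy's own fetches leave on the upstream side.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 keep state

# --- squid.conf fragment ---
# Accept the redirected connections without the clients knowing about a
# proxy. Squid 3.1+ spelling; 2.6 used "http_port 3128 transparent".
http_port 3128 intercept

# Deny by extension on the request path. The optional query-string group
# keeps "/song.mp3?dl=1" from slipping past the end anchor; -i ignores case.
acl blocked_media urlpath_regex -i \.(mp3|avi)(\?.*)?$
http_access deny blocked_media

# Everything else from the LAN is allowed. Order matters: the deny line
# must come before the allow. ("all" is predefined in Squid 3; Squid 2
# needs "acl all src 0.0.0.0/0.0.0.0" declared first.)
acl lan src 192.168.1.0/24
http_access allow lan
http_access deny all
```

Two things worth checking after loading this: `pfctl -sn` should list the rdr rule, and a request for a `.mp3` URL from a LAN host should come back with squid's access-denied page rather than the file. The redirect only sees plain HTTP on port 80, so this covers exactly what the thread is about and nothing carried over HTTPS.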