Date:      Wed, 6 Jul 2005 17:07:25 +0400
From:      Yar Tikhiy <yar@comp.chem.msu.su>
To:        alex-bsd <alex-bsd@yandex.ru>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF & BLOCK MP3 (AVI)
Message-ID:  <20050706130725.GA92549@comp.chem.msu.su>
In-Reply-To: <42C82578.000006.17576@mfront8.yandex.ru>
References:  <42C82578.000006.17576@mfront8.yandex.ru>

On Sun, Jul 03, 2005 at 09:50:48PM +0400, alex-bsd wrote:
> I am an adherent of BSD systems; recently I moved from IPFW to PF, because I liked its other useful and interesting firewall features, its more convenient syntax and much more.
> I wish to suggest to the PF developers that they add new (IMHO very necessary and convenient) functionality!
> In iptables it is possible to block, by means of the firewall, the downloading of files (.mp3, .avi and others), to limit access to porn resources and other undesirable traffic.
> It would be very desirable for PF to be able to do something similar.
> At present, to block the downloading of "unnecessary" files, I use Squid. Personally, I need Squid only to solve the problem described above.
> I would gladly stop using Squid if this capability were implemented in PF.

IMHO, filtering network traffic by bulk content is not a task for
a packet filter.  Indeed, many commercial firewall vendors offer
content inspection in their products because customers want to buy
it.  However, implementing a similar feature in PF would increase
PF's complexity greatly, thus affecting its robustness negatively.
The Unix way is to build complex systems from simple, specialized
components.  Therefore one should use PF for TCP/IP filtering and
an HTTP proxy, e.g., Squid, for HTTP filtering.

Besides, filtering HTTP objects by their filename or content type
is a half measure.  First, many web sites offering MP3 or AVI files
also provide means to circumvent such filters if necessary.  Second,
I believe that the need to filter HTTP traffic is usually indicative
of problems lying deeper, like too many people in the office having
nothing to do but download porn ;-)

-- 
Yar
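The split the reply recommends, PF for TCP/IP filtering and Squid for HTTP filtering, as an added configuration example; it is not part of this thread and not taken from either project's documentation. PF's rdr sends the LAN's outbound port-80 traffic to a Squid instance on the firewall host, and Squid does the object-level filtering, both by URL path and by the Content-Type the server actually returns. Interface names, addresses, ports, file paths and the choice of blocked types are assumptions; the Squid syntax assumed is the 2.6 to 3.1 "transparent" form (later releases spell the option "intercept").

```conf
# --- /etc/pf.conf (assumed: em1 faces the LAN, Squid runs on this host) ---
int_if     = "em1"
lan        = $int_if:network
proxy      = "127.0.0.1"
proxy_port = "3128"

set skip on lo0

# Every outbound HTTP request from the LAN is redirected to the local Squid;
# PF itself never looks at URLs or file names.
rdr on $int_if inet proto tcp from $lan to any port 80 -> $proxy port $proxy_port

block in on $int_if
# After rdr the packet's destination is already the proxy address/port.
pass in on $int_if inet proto tcp from $lan to $proxy port $proxy_port keep state
# Whatever else the LAN legitimately needs (DNS here); tighten to taste.
pass in on $int_if inet proto { tcp udp } from $lan to any port 53 keep state
pass out keep state

# --- /usr/local/etc/squid/squid.conf (assumed path; Squid 2.6-3.1 syntax) ---
http_port 127.0.0.1:3128 transparent

acl lan src 192.168.1.0/24

# Filter by URL path: anything ending in .mp3 or .avi, with or without a query string.
acl media_url  urlpath_regex -i \.(mp3|avi)(\?.*)?$
# Filter by what the server really sends back, independent of the file name.
acl media_type rep_mime_type -i ^audio/mpeg ^video/x-msvideo ^video/avi

# Request side: deny the LAN's requests for matching URLs, allow the rest.
http_access deny  lan media_url
http_access allow lan
http_access deny  all

# Reply side: drop responses whose Content-Type is a blocked media type.
http_reply_access deny  media_type
http_reply_access allow all
```

Check both files before loading them: `pfctl -nf /etc/pf.conf` parses the PF rules without applying them, and `squid -k parse` does the same for squid.conf. The limits the reply points out apply directly to this setup: only plain port-80 traffic is redirected, so HTTPS is untouched unless separately blocked, and a server that renames the file or sends a different Content-Type walks past both ACLs.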