From owner-freebsd-pf@FreeBSD.ORG Wed Jul 6 13:07:28 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DA37116A41C for ; Wed, 6 Jul 2005 13:07:28 +0000 (GMT) (envelope-from yar@comp.chem.msu.su)
Received: from comp.chem.msu.su (comp.chem.msu.su [158.250.32.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id 222E743D45 for ; Wed, 6 Jul 2005 13:07:27 +0000 (GMT) (envelope-from yar@comp.chem.msu.su)
Received: from comp.chem.msu.su (localhost [127.0.0.1]) by comp.chem.msu.su (8.13.3/8.13.3) with ESMTP id j66D7P7l096777; Wed, 6 Jul 2005 17:07:25 +0400 (MSD) (envelope-from yar@comp.chem.msu.su)
Received: (from yar@localhost) by comp.chem.msu.su (8.13.3/8.13.3/Submit) id j66D7P4p096776; Wed, 6 Jul 2005 17:07:25 +0400 (MSD) (envelope-from yar)
Date: Wed, 6 Jul 2005 17:07:25 +0400
From: Yar Tikhiy
To: alex-bsd
Message-ID: <20050706130725.GA92549@comp.chem.msu.su>
References: <42C82578.000006.17576@mfront8.yandex.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <42C82578.000006.17576@mfront8.yandex.ru>
User-Agent: Mutt/1.5.9i
Cc: freebsd-pf@freebsd.org
Subject: Re: PF & BLOCK MP3 (AVI)
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Wed, 06 Jul 2005 13:07:29 -0000

On Sun, Jul 03, 2005 at 09:50:48PM +0400, alex-bsd wrote:
> I am an adherent of BSD systems; recently I have moved from IPFW to PF, and I like its more convenient syntax and the many other useful and interesting features of this firewall.
> I wish to propose to the PF developers that they add new (IMHO very necessary and convenient) functionality!
> In iptables it is possible to block the downloading of files (.mp3, .avi and others) by means of the firewall, to limit access to porn resources and other undesirable traffic.
> It would be very desirable for PF to be able to do the same.
> At present I use Squid for blocking the downloading of "unnecessary" files. Personally, I need Squid only to solve the problem described above.
> I would gladly stop using Squid if this feature were implemented in PF.

IMHO, filtering network traffic by bulk content is not a task for a packet filter. Indeed, many commercial firewall vendors offer content inspection in their products because customers want to buy it. However, implementing a similar feature in PF would increase PF's complexity greatly, thus affecting its robustness negatively. The Unix way is to build complex systems from simple, specialized components. Therefore one should use PF for TCP/IP filtering and an HTTP proxy, e.g., Squid, for HTTP filtering.

Besides, filtering HTTP objects by their filename or content type is a half measure. First, many web sites offering MP3 or AVI files also provide means to circumvent such filters if necessary. Second, I believe that the need to filter HTTP traffic is usually indicative of problems lying deeper, like too many people in the office having nothing to do but download porn ;-)

-- 
Yar
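As an added illustration of the division of labour described in the reply (not configuration from either poster): PF permits the LAN to reach only the proxy and refuses direct outbound HTTP, so the proxy cannot be bypassed at the packet level, while Squid carries the file-type policy. Interface names, addresses, the proxy port and the Squid file path are assumptions.

```conf
# --- /etc/pf.conf (assumed interface names and addresses) ---
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"
proxy  = "192.168.1.1"          # the firewall host itself runs Squid

# TCP/IP policy lives in PF: the LAN may talk to the proxy port,
# but may not open port 80/443 directly, so Squid's content rules
# cannot be sidestepped by pointing a browser straight at a site.
block return in on $int_if proto tcp from $lan to any port { 80, 443 }
pass  in on $int_if proto tcp from $lan to $proxy port 3128 keep state
# Only the firewall host (where Squid runs) originates HTTP(S) outward.
pass out on $ext_if proto tcp from ($ext_if) to any port { 80, 443 } keep state

# --- /usr/local/etc/squid/squid.conf (relevant lines only) ---
http_port 3128
acl localnet src 192.168.1.0/24
# Content policy lives in the proxy: match the URL path extension
# (the "half measure" from the reply: a renamed file is not caught)
# and, separately, the media type the server declares in its reply.
acl media_ext  urlpath_regex -i \.(mp3|avi)$
acl media_type rep_mime_type -i ^audio/ ^video/
http_access       deny  localnet media_ext
http_reply_access deny  localnet media_type
http_access       allow localnet
http_access       deny  all
```

Reload with `pfctl -f /etc/pf.conf` and `squid -k reconfigure`; the reply-side check only fires after the server has answered, which is why the extension rule is kept as the cheap first pass.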