Date:      Thu, 25 Sep 2014 20:41:23 -0700
From:      Laszlo Danielisz <laszlo.danielisz@yahoo.com>
To:        Javad Mustafayev <javad@smarty.az>, Laszlo Danielisz via freebsd-pf <freebsd-pf@freebsd.org>
Subject:   Re: referer filtering
Message-ID:  <1411702883.12303.YahooMailNeo@web160702.mail.bf1.yahoo.com>
In-Reply-To: <20140925194539.18FCDFEE@hub.freebsd.org>
References:  <20140925194539.18FCDFEE@hub.freebsd.org>

Thank you!

Isn't this just going to accept traffic on port 80 from A to B?
pass in log on $ext_if inet proto tcp from $A to $B port 80 keep state

I mean customers who would like to connect to $B won't be able.


On Thursday, September 25, 2014 9:45 PM, Javad Mustafayev <javad@smarty.az> wrote:

Hi, I can suggest the config below.

Let's say this config will be on server B's pf.conf, and the network interface of B with IP address 2.2.2.2 is bge0.

Then you can use the following config:

#pf.conf
#macros

ext_if="bge0"
A="1.1.1.1"
B="2.2.2.2"

#global options
set block-policy return #or you can use drop
set skip on lo0
set loginterface $ext_if #optional

#all other configurations

#here you block all

block return in all #or you can use drop :)

#and here allow TCP connections on port 80 only from A(1.1.1.1) to B(2.2.2.2)

pass in log on $ext_if inet proto tcp from $A to $B port 80 keep state

That's all. It's such a simple configuration file. You can find more advanced and fancy configuration models on the web, but I suggest the pf manual ;)
Good luck.
--

•••/
name:      Javad Mustafayev
title:     System Administrator
company:   Smarty LLC
mobile:    00994.51.927.11.99
mail:      javad@smarty.az
web.mail:  j.mustafayev@gmail.com
•••/


On Sep 25, 2014 11:24 PM, Laszlo Danielisz via freebsd-pf <freebsd-pf@freebsd.org> wrote:
>
> Hi,
>
> I was wondering how it is possible to accept a connection, let's say on port 80, only if it comes from a specified referer.
> Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2). And server B will only accept the connection if it was sent by A.
>
> Any ideas?
>
> Thx!
> Laszlo
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
Date: Fri, 26 Sep 2014 13:22:13 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Laszlo Danielisz <laszlo.danielisz@yahoo.com>
Subject: Re: referer filtering
Message-ID: <20140926112213.GA18108@insomnia.benzedrine.cx>
References: <1411669441.95769.YahooMailNeo@web160705.mail.bf1.yahoo.com>
In-Reply-To: <1411669441.95769.YahooMailNeo@web160705.mail.bf1.yahoo.com>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>

On Thu, Sep 25, 2014 at 11:24:01AM -0700, Laszlo Danielisz via freebsd-pf wrote:

> I was wondering how it is possible to accept a connection, let's say on port 80, only if it comes from a specified referer.
> Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2). And server B will only accept the connection if it was sent by A.

You mean filtering based on a HTTP Referer: header?

pf doesn't work on that layer at all.

Technically, B has to accept the client's connection and read the HTTP
request (for the Referer: header) to make its decision. It can produce
an error (or redirect) or close the connection, but "not accepting the
connection" is impossible.

You'd have to do this at the application layer, e.g. Apache has modules
that allow access control based on HTTP headers[1], or use a HTTP proxy
like squid (pf can assist redirecting to it).

Also note that the referer header isn't always reliable, as it can be
faked easily[2].

HTH,
Daniel

[1] http://www.uiowa.edu/server/manual/mod/mod_access_referer.html#motivation
[2] http://www.stardrifter.org/refcontrol/
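The following is an added example, not code from the thread or from any of its authors. It shows the application-layer check Daniel describes for the A (1.1.1.1) to B (2.2.2.2) scenario: B must accept the TCP connection and read the request before it can look at the Referer header, so the only possible outcome is an HTTP error (here 403), not a refused connection. The Referer host is compared after parsing the URL so that ports, paths and query strings are ignored; the allow-list address is the one used in the thread and is an assumption, as is the listening port 8080. Because the header is client-supplied, the check is a convenience filter that complements Javad's pf rule, not authentication.

```python
"""Application-layer Referer check for the A -> B scenario from the thread.

Added example, not code from the thread. Server B accepts the connection,
reads the request, and only then decides based on the Referer header, which
is exactly why pf (layer 3/4) cannot make this decision itself.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumption: server A is reached as 1.1.1.1, the address used in the thread.
# A hostname could be listed here instead if A is reached by name.
ALLOWED_REFERER_HOSTS = {"1.1.1.1"}


def referer_allowed(referer, allowed_hosts=ALLOWED_REFERER_HOSTS):
    """Return True only if the Referer header names one of allowed_hosts.

    The header is client-supplied, so this is a convenience filter (e.g. to
    keep deep links off a page), not authentication. A missing, unparsable or
    non-HTTP(S) Referer is treated as denied.
    """
    if not referer:
        return False
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # e.g. malformed IPv6 brackets in the host part
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # .hostname is lower-cased and has the port stripped, so
    # "http://1.1.1.1:8080/x" compares as "1.1.1.1". Comparing the parsed
    # host (not a substring match) keeps "http://3.3.3.3/?u=http://1.1.1.1/"
    # from passing.
    return parts.hostname in allowed_hosts


class RefererCheckingHandler(BaseHTTPRequestHandler):
    """Minimal handler for B: 403 unless the Referer host is on the allow list."""

    def do_GET(self):
        if not referer_allowed(self.headers.get("Referer")):
            # The connection was already accepted; the best B can do now is
            # refuse the request, as Daniel notes, not refuse the connection.
            self.send_response(403)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"Forbidden: request did not come via server A\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"OK\n")

    def log_message(self, fmt, *args):
        # Keep the demo quiet; a real deployment would log the 403s.
        pass


def main():
    # Assumption: listen on port 8080 on all interfaces; pf's port 80 pass
    # rule would need an rdr to this port, or run the handler on port 80.
    HTTPServer(("0.0.0.0", 8080), RefererCheckingHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Running the module starts the server; a request from a page on A carries `Referer: http://1.1.1.1/...` and gets 200, while a request typed directly into a browser (no Referer) gets 403. Since anyone can set the header, treat the 403 as a hint to casual visitors, and use real authentication where access actually matters.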


