Date:      Thu, 25 Sep 2014 20:41:23 -0700
From:      Laszlo Danielisz <laszlo.danielisz@yahoo.com>
To:        Javad Mustafayev <javad@smarty.az>, Laszlo Danielisz via freebsd-pf <freebsd-pf@freebsd.org>
Subject:   Re: referer filtering
Message-ID:  <1411702883.12303.YahooMailNeo@web160702.mail.bf1.yahoo.com>
In-Reply-To: <20140925194539.18FCDFEE@hub.freebsd.org>
References:  <20140925194539.18FCDFEE@hub.freebsd.org>


Thank you!

Isn't this just going to accept traffic on port 80 from A to B?
pass in log on $ext_if inet proto tcp from $A to $B port 80 keep state


I mean customers who would like to connect to $B won't be able to.



On Thursday, September 25, 2014 9:45 PM, Javad Mustafayev <javad@smarty.az> wrote:
 


Hi, I can suggest the config below.

Let's say this config will be in server B's pf.conf, and B's network interface with IP address 2.2.2.2 is bge0.

Then you can use the following config:

#pf.conf
#macros

ext_if="bge0"
A="1.1.1.1"
B="2.2.2.2"

#global options
set block-policy return #or you can use drop
set skip on lo0
set loginterface $ext_if #optional

#all other configurations

#here you block all

block return in all #or you can use drop :)

#and here allow TCP connections on port 80 only from A(1.1.1.1) to B(2.2.2.2)

pass in log on $ext_if inet proto tcp from $A to $B port 80 keep state

That's all. It's such a simple configuration file. You can find more advanced and fancy configuration models on the web, but I suggest the pf manual ;)
Good luck.
--

•••/
name:                       Javad Mustafayev
title:                    System Administrator
company:                            Smarty LLC
mobile:                 00994.51.927.11.99
mail:                           javad@smarty.az
web.mail:    j.mustafayev@gmail.com
 •••/
 

On Sep 25, 2014 11:24 PM, Laszlo Danielisz via freebsd-pf <freebsd-pf@freebsd.org> wrote:
>
> Hi, 
>
> I was wondering how it is possible to accept a connection, let's say on port 80, only if it comes from a specified referer.
> Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2), and server B will only accept the connection if it was sent by A.
>
> Any ideas? 
>
> Thx! 
> Laszlo 
> _______________________________________________ 
> freebsd-pf@freebsd.org mailing list 
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf 
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" 
Date: Fri, 26 Sep 2014 13:22:13 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Laszlo Danielisz <laszlo.danielisz@yahoo.com>
Subject: Re: referer filtering
Message-ID: <20140926112213.GA18108@insomnia.benzedrine.cx>
References: <1411669441.95769.YahooMailNeo@web160705.mail.bf1.yahoo.com>
In-Reply-To: <1411669441.95769.YahooMailNeo@web160705.mail.bf1.yahoo.com>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>

On Thu, Sep 25, 2014 at 11:24:01AM -0700, Laszlo Danielisz via freebsd-pf wrote:

> I was wondering how it is possible to accept a connection, let's say on port 80, only if it comes from a specified referer.
> Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP 2.2.2.2), and server B will only accept the connection if it was sent by A.

You mean filtering based on an HTTP Referer: header?

pf doesn't work on that layer at all.

Technically, B has to accept the client's connection and read the HTTP
request (for the Referer: header) to make its decision. It can produce
an error (or redirect) or close the connection, but "not accepting the
connection" is impossible.

You'd have to do this at the application layer, e.g. Apache has modules
that allow access control based on HTTP headers[1], or use an HTTP proxy
like squid (pf can assist redirecting to it).

Also note that the referer header isn't always reliable, as it can be
faked easily[2].

HTH,
Daniel

[1] http://www.uiowa.edu/server/manual/mod/mod_access_referer.html#motivation
[2] http://www.stardrifter.org/refcontrol/
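As an added illustration (not code from anyone in the thread) of the application-layer check Daniel describes: B has to accept the TCP connection and read the HTTP request before it can see the Referer: header, and only then decide to serve or refuse. The addresses 1.1.1.1 (A) and 2.2.2.2 (B) are the thread's; the sample requests and function names are constructed for this example.

```python
# Added example: the Referer check B would have to do itself, since pf
# only sees IP/TCP headers and never the HTTP request.
from urllib.parse import urlsplit

ALLOWED_REFERER_HOSTS = {"1.1.1.1"}   # server A from the thread


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.x request into (request line, lowercase header map)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, headers = lines[0], {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def referer_allowed(headers: dict[str, str]) -> bool:
    """Accept only when the Referer URL's host is allowed; no Referer means refuse."""
    ref = headers.get("referer")
    if not ref:
        return False
    # Parse the URL and compare the host part only: a substring test such as
    # '"1.1.1.1" in ref' would also match a path or userinfo containing it.
    return urlsplit(ref).hostname in ALLOWED_REFERER_HOSTS


def handle(raw: bytes) -> int:
    """Return the HTTP status B answers with: 200 for a link from A, else 403."""
    _req, headers = parse_request(raw)
    return 200 if referer_allowed(headers) else 403


# Constructed sample requests, as B would read them from the accepted socket.
FROM_A = b"GET /page HTTP/1.1\r\nHost: 2.2.2.2\r\nReferer: http://1.1.1.1/index.html\r\n\r\n"
NO_REF = b"GET /page HTTP/1.1\r\nHost: 2.2.2.2\r\n\r\n"
LOOKALIKE = b"GET /page HTTP/1.1\r\nHost: 2.2.2.2\r\nReferer: http://other.example/1.1.1.1\r\n\r\n"

if __name__ == "__main__":
    # The header is client-supplied, so a match is a hint about origin, not proof.
    for name, req in (("from A", FROM_A), ("no referer", NO_REF), ("lookalike", LOOKALIKE)):
        print(f"{name}: {handle(req)}")
```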



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1411702883.12303.YahooMailNeo>