Date: Sun, 10 Jul 2005 13:06:43 +0100
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: <freebsd-pf@freebsd.org>
Subject: RE: PF & BLOCK MP3 (AVI)
Message-ID: <20050710120644.5388B11@gw2.local.net>
In-Reply-To: <42D102E0.000001.03838@ariel.yandex.ru>
> > Indeed, many commercial firewall vendors offer content
> > inspection in their products because customers want to buy it.
>
> Unfortunately, I do not know of similar let and commercial
> realizations under BSD capable of filtering content on
> FIREWALLS.

That's because you haven't looked hard enough.

> On Linux, in IPTABLES, it works remarkably, and I do not see
> the global reasons why on BSD in PF it cannot be realized,
> even in the form of a patch or something similar?!??!

It doesn't 'work', period. Pattern matching on a packet-by-packet basis is a complete waste of time unless the pattern matching algorithms do full reassembly and are application aware, which is exactly what Content Inspection/Fixups in commercial firewall products do (some better than others, mind you).

> P.S. It is insulting that only my compatriot has answered my
> question, and the developers led by Daniel Hartmeier have ignored it :(.

That's because running a regex against each packet is a daft idea, a performance killer and a self-inflicted DoS attack waiting to happen. 5 minutes of googling provides far superior & scalable solutions which can dynamically update PF tables to kill unauthorised traffic, such as:

http://www.snortsam.net/index.html

Greg
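What the "dynamically update PF tables" approach looks like in practice, as an added example that is not part of the thread and is not SnortSam's code: an IDS (which does the reassembly and application-aware matching) emits alerts, a small script pulls the offending source addresses out of them, and PF does the blocking from a table. The table name `badhosts`, the `pf.conf` fragment in the comments, the protected-address list and the sample alert lines are all constructed for this example; `PFCTL` defaults to a dry run so it can be exercised without root or a loaded ruleset.

```shell
#!/bin/sh
# Added example, not code from the thread or from SnortSam: take IDS alerts,
# pull out the offending source addresses and push them into a PF table so
# that PF blocks the host instead of regex-matching every packet.
#
# Assumed pf.conf fragment (table and rule are this example's own):
#
#   table <badhosts> persist
#   block in quick from <badhosts>
#
# Expire stale entries from cron, e.g. hourly:  pfctl -t badhosts -T expire 86400

# Constructed sample in Snort "fast" alert format; these are documentation
# addresses (RFC 5737), not real alerts.
SAMPLE_ALERTS='07/10-12:06:44.538000  [**] [1:1000001:1] EXAMPLE probe [**] [Priority: 2] {TCP} 203.0.113.7:44512 -> 192.0.2.10:80
07/10-12:06:45.000000  [**] [1:1000002:1] EXAMPLE scan [**] [Priority: 3] {TCP} 198.51.100.9:5555 -> 192.0.2.10:22
07/10-12:06:46.000000  [**] [1:1000001:1] EXAMPLE probe [**] [Priority: 2] {TCP} 203.0.113.7:44513 -> 192.0.2.10:443
07/10-12:06:47.000000  [**] [1:1000003:1] EXAMPLE noise [**] [Priority: 3] {UDP} 192.0.2.10:53 -> 203.0.113.7:53
this line is not an alert and must be ignored'

# PFCTL defaults to a dry run so the script can be exercised without root or
# a loaded PF ruleset; set PFCTL=pfctl on the firewall itself.
PFCTL="${PFCTL:-echo pfctl}"
TABLE="${TABLE:-badhosts}"

# Read alert lines on stdin, print each source IPv4 address once.
# The source is the address directly after the "{PROTO}" field.
extract_sources() {
    sed -n 's/.*{[A-Z]*} \([0-9][0-9.]*\):[0-9]* -> .*/\1/p' | sort -u
}

# Refuse to block addresses we must never cut off: the protected host,
# loopback and the management network. All three are constructed values;
# without this check a spoofed alert source can make you block yourself.
is_protected() {
    case "$1" in
        192.0.2.*|127.*|10.0.0.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Add one address to the PF table (or print the command in dry-run mode).
block_source() {
    ip="$1"
    if is_protected "$ip"; then
        return 0
    fi
    $PFCTL -t "$TABLE" -T add "$ip"
}

# Process the sample feed end to end.
printf '%s\n' "$SAMPLE_ALERTS" | extract_sources | while read -r ip; do
    block_source "$ip"
done
```

The division of labour is the point: the IDS carries the expensive, stateful inspection off the forwarding path, and PF only does a table lookup per packet, which is what it is built for. The allow-list and the periodic `-T expire` are the two caveats a practitioner should not skip, since an attacker who can make the IDS fire on a forged source address can otherwise turn the blocker into the self-inflicted DoS Greg describes.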