Date: Wed, 13 Jul 2005 10:43:51 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: alex-bsd <alex-bsd@yandex.ru>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF & BLOCK MP3 (AVI)
Message-ID: <20050713084351.GA20314@insomnia.benzedrine.cx>
In-Reply-To: <42D102E0.000001.03838@ariel.yandex.ru>
References: <42D102E0.000001.03838@ariel.yandex.ru>
On Sun, Jul 10, 2005 at 03:13:36PM +0400, alex-bsd wrote:

> P.S. It is insulting, that I has answered a question only my compatriot, and developers led by Daniel Hartmeier it have ignored: (.

I'm a little tired of repeating my opinion on payload filtering in pf. The short version is that I don't see how it can be done reliably and I don't believe there is any packet-level solution that actually works as people think it does.

We can do a little bet: you set up a web server that's open on port 80, and serves some document containing a secret. Then you set up iptables (or any other packet-level filter, but no userland proxy) in front of it that tries to deny access to that particular document only (through the payload filtering feature, keeping the port open, so that other documents can be retrieved). Then you publish the IP address and the protected URL, and allow us to play with it.

If I can't retrieve the document, I promise to learn how the feature was successfully implemented and implement it for you in pf. However, if I can retrieve it, you paypal me $500 and publicly admit that the feature is stupid (if you believe it's a flaw in one implementation but not in the concept itself, we can repeat the procedure with as many implementations as you like).

Deal?

Daniel
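The core of Daniel's point is that a packet-level filter sees each segment in isolation, while the document it is supposed to block exists only in the reassembled byte stream. The following added example (not part of the thread, and not pf or iptables code) makes that concrete: a per-segment matcher is compared with a proxy-style matcher that reassembles segments by sequence number before inspecting them. The request bytes, the pattern `GET /secret.html`, the host name and the split offsets are all constructed for the illustration.

```python
"""
Added example: per-packet payload matching versus stream reassembly.
Not code from the original mailing-list thread; all inputs are constructed.
"""
from typing import Dict, Iterable, List, Tuple

Segment = Tuple[int, bytes]  # (TCP sequence offset, payload) -- simplified model

# The byte pattern a hypothetical payload filter is asked to deny (constructed).
SECRET_PATTERN = b"GET /secret.html"

# A constructed HTTP request; hostname is a placeholder, not a real site.
REQUEST = b"GET /secret.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"


def per_packet_match(segments: Iterable[Segment], pattern: bytes) -> bool:
    """Packet-level filter: looks at each segment payload on its own.

    This is the model a pure packet filter is limited to: no state across
    segments, no ordering, so a pattern straddling a boundary is invisible.
    """
    return any(pattern in payload for _, payload in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild the application byte stream in sequence order.

    A userland proxy (or a TCP stack) does exactly this before any content
    decision; this is the work a packet-level filter skips.
    """
    ordered = sorted(segments, key=lambda seg: seg[0])
    return b"".join(payload for _, payload in ordered)


def stream_match(segments: Iterable[Segment], pattern: bytes) -> bool:
    """Proxy-style filter: inspects the reassembled stream, not the segments."""
    return pattern in reassemble(segments)


def split_request(data: bytes, *cuts: int) -> List[Segment]:
    """Cut a request into segments at the given byte offsets (constructed)."""
    bounds = [0, *sorted(cuts), len(data)]
    return [(bounds[i], data[bounds[i]:bounds[i + 1]]) for i in range(len(bounds) - 1)]


def run_cases() -> Dict[str, Dict[str, bool]]:
    """Evaluate both filters against three deliveries of the same request."""
    single = split_request(REQUEST)                 # whole request in one segment
    split = split_request(REQUEST, 9)               # cut inside "GET /secret.html"
    out_of_order = list(reversed(split))            # same bytes, arrival order swapped
    cases = {"single": single, "split": split, "out_of_order": out_of_order}
    return {
        name: {
            "per_packet": per_packet_match(segs, SECRET_PATTERN),
            "stream": stream_match(segs, SECRET_PATTERN),
        }
        for name, segs in cases.items()
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:13s} per_packet={result['per_packet']!s:5s} stream={result['stream']}")
```

Only the single-segment delivery is caught by the per-packet matcher; once the same request is split at a boundary inside the pattern, the packet-level check returns false while the reassembling check still finds it. Reassembly, and the connection state it requires, is what a proxy provides and what the packet filter by design does not, which is why the bet in the mail excludes userland proxies.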