From: Daniel Hartmeier
To: alex-bsd
Cc: freebsd-pf@freebsd.org
Date: Wed, 13 Jul 2005 10:43:51 +0200
Subject: Re: PF & BLOCK MP3 (AVI)
Message-ID: <20050713084351.GA20314@insomnia.benzedrine.cx>
In-Reply-To: <42D102E0.000001.03838@ariel.yandex.ru>
References: <42D102E0.000001.03838@ariel.yandex.ru>
User-Agent: Mutt/1.5.6i
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sun, Jul 10, 2005 at 03:13:36PM +0400, alex-bsd wrote:

> P.S. It is insulting that only my compatriot has answered my question, and the developers led by Daniel Hartmeier have ignored it :(.

I'm a little tired of repeating my opinion on payload filtering in pf.

The short version is that I don't see how it can be done reliably, and I don't believe there is any packet-level solution that actually works the way people think it does.

We can make a little bet: you set up a web server that's open on port 80 and serves some document containing a secret. Then you set up iptables (or any other packet-level filter, but no userland proxy) in front of it that tries to deny access to that particular document only (through the payload filtering feature, keeping the port open so that other documents can be retrieved). Then you publish the IP address and the protected URL, and allow us to play with it.

If I can't retrieve the document, I promise to learn how the feature was successfully implemented and implement it for you in pf. However, if I can retrieve it, you PayPal me $500 and publicly admit that the feature is stupid (if you believe it's a flaw in one implementation but not in the concept itself, we can repeat the procedure with as many implementations as you like).

Deal?

Daniel
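[Editor's note: the following is an added illustration of the point made in the mail above, not code from the mail, from pf, or from any list member. It simulates two kinds of filter in a few lines of Python: a packet-level matcher that inspects each TCP segment payload in isolation, the way a string-matching packet filter does, and a proxy-style matcher that first reassembles the stream and decodes the request-target, which is what a userland proxy can do and a packet filter cannot. The protected URL `/secret.html`, the host name and the request bytes are all constructed for the example. Two client-side variations are shown: the same request emitted as two segments whose boundary falls inside the URL, and the same request with one byte of the path percent-encoded. Real reassembly is harder still (retransmissions, overlapping segments, and the server's own parsing quirks all have to be modelled), which is the reliability problem the mail refers to.]

```python
from urllib.parse import unquote_to_bytes

# Constructed for this example: a hypothetical protected URL and a request
# for it. Neither appears in the original mail.
PROTECTED_PATH = b"/secret.html"
REQUEST = b"GET /secret.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"


def per_packet_match(segments, needle):
    """Packet-level payload filter: each TCP segment payload is checked on
    its own, with no memory of the previous segment."""
    return any(needle in seg for seg in segments)


def stream_match(segments, needle):
    """Proxy-style check: reassemble the byte stream, take the
    request-target from the request line, percent-decode it, then match.
    This is the work a userland proxy does and a packet filter does not."""
    data = b"".join(segments)
    request_line = data.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False
    target = unquote_to_bytes(parts[1])
    return needle in target


def split_inside(request, needle):
    """Emit the request as two segments with the boundary inside `needle`,
    so that no single segment contains the whole protected string."""
    i = request.index(needle)
    cut = i + len(needle) // 2
    return [request[:cut], request[cut:]]


def percent_encode(request, needle):
    """Percent-encode the second byte of `needle` (e.g. 's' -> '%73').
    The web server decodes it to the same path; a byte-matching filter
    sees a different string. Returned as a single segment."""
    encoded = needle[:1] + b"%%%02X" % needle[1] + needle[2:]
    return [request.replace(needle, encoded, 1)]


def evaluate():
    """Run both matchers over each variation.
    Returns {case: (per_packet_filter_blocks, proxy_blocks)}."""
    cases = {
        "single segment": [REQUEST],
        "split at boundary": split_inside(REQUEST, PROTECTED_PATH),
        "percent-encoded": percent_encode(REQUEST, PROTECTED_PATH),
    }
    return {
        name: (per_packet_match(segs, PROTECTED_PATH),
               stream_match(segs, PROTECTED_PATH))
        for name, segs in cases.items()
    }


if __name__ == "__main__":
    for name, (packet_level, proxy) in evaluate().items():
        print(f"{name:20s} packet filter blocks: {packet_level!s:5s} "
              f"proxy blocks: {proxy}")
```

Only the first case is caught by the per-segment matcher; the other two reach the server unchanged in meaning while the packet-level string never appears in any one packet. The stream-reassembling, decoding check catches all three, which is exactly why it has to live somewhere that sees the whole connection and understands the protocol, i.e. in a proxy rather than in the packet filter.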