From: Jeremie Le Hen
To: alex-bsd
Cc: freebsd-pf@freebsd.org
Date: Wed, 20 Jul 2005 20:02:33 +0200
Subject: Re: PF & BLOCK MP3 (AVI)
Message-ID: <20050720180233.GW39292@obiwan.tataz.chchile.org>
In-Reply-To: <42DE87CD.000002.18833@mfront7.yandex.ru>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi Alex,

> I do not absolutely understand how we can play with Daniel.
> At work I do not use Linux.
> Many of my friends use Linux as a gateway.
> The presence of this function in IPTABLES is very convenient for them.
> This IPTABLES function has been used by them for a long time; no
> problems connected with the use of this feature were observed.
>
> The filtering of mp3 files is used to economize on traffic.
> Many managers and secretaries use the Internet only for downloading mp3
> and avi :)
>
> Content checking is done by them only on the internal interface
> (checking the client's request).
>
> Will DoS attacks be dangerous if content checking is used ONLY on the
> local interface?
> I doubt that the secretary will start attacking the gateway :)

You clearly don't understand this topic very well in regard to what you
are saying.

- Blocking packets containing the string ".mp3" will block HTTP and DNS
  requests, this is partly true. But this will also block the webpages
  that speak of the MP3 format without providing MP3 files to download;
  this will also block mails that contain the string ".mp3", which means
  that your users won't be able to exchange private mails speaking of
  MP3s. There may be some cookies or hash values used in a dynamic
  website containing the string ".mp3" too; this would prevent you and
  your users from using them optimally, dropping unexpected random
  packets in this case. Furthermore, you should know that most AVIs and
  MP3s are downloaded with P2P, so you should block P2P instead. This is
  done by only enabling a few authorized ports to go through your
  firewall (HTTP, DNS, ...).

- Firewalls actually only look at the packet header, which is in the
  worst case less than 100 bytes. With an MTU of 1500 bytes, making the
  firewall look at the whole packet will *obviously* decrease performance
  a lot. While Linux used to have everything and the most crazy things
  available as kernel patches spread all over the web, BSD used to
  implement only neat and efficient solutions. The NetFilter ``string''
  match is not what we can call a neat and efficient solution (see
  above).

- Finally, to emphasize the fact that you don't know what you are
  talking about, filtering on the internal interface won't change things,
  for two reasons:
  * All traffic from your LAN to the Internet, and inversely, will go
    through your firewall anyway.
  * If you were clever enough, you would use your ``string'' match at
    the bottom of your rules to optimize performance. Even if you are
    redirecting some ports on your internal network, whether the packet
    will be dropped or not won't make a difference, since the whole
    packet content will be scanned anyway.

So please, stop pissing us off now, and go use Linux. If you still want
to use FreeBSD, please learn to understand what people are telling you
and stop feeling that you know everything better than others: when the
firewall developer himself tells you that an idea is foolish, there are
very good chances that this idea is foolish.

Sorry for being rude, but you went too far this time.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
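The reply above makes two claims about a per-packet ".mp3" string match: it drops traffic that downloads no MP3 at all (pages, mails and cookies that merely mention the string), and it is the wrong tool anyway compared with a header-only policy that passes a few authorized ports. The following script is an added example, not code from the original thread or from either poster; it simulates both policies over a handful of constructed sample packets and also shows a third effect the thread's "per packet" point implies: the match is blind to a string that straddles a TCP segment boundary. The allowed-port set and every packet payload are assumptions made for the demonstration.

```python
"""Added example (not part of the original freebsd-pf post): a per-packet
".mp3" substring filter, as argued against in the thread, next to a
header-only port-allowlist policy. All packets and the allowlist are
constructed sample data for illustration."""

from dataclasses import dataclass

NEEDLE = b".mp3"
# Assumed "authorized ports" policy: DNS, HTTP, HTTPS out of the LAN.
ALLOWED_TCP_PORTS = {53, 80, 443}
ALLOWED_UDP_PORTS = {53}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int      # destination port, LAN -> Internet direction
    payload: bytes  # transport-layer payload only


def string_match_verdict(pkt: Packet) -> str:
    """Naive content filter: drop any single packet whose payload holds '.mp3'."""
    return "drop" if NEEDLE in pkt.payload else "pass"


def port_policy_verdict(pkt: Packet) -> str:
    """Header-only filter: pass only authorized destination ports."""
    allowed = ALLOWED_UDP_PORTS if pkt.proto == "udp" else ALLOWED_TCP_PORTS
    return "pass" if pkt.dport in allowed else "drop"


def segment(payload: bytes, mss: int, dport: int = 80) -> list[Packet]:
    """Split one request into TCP segments of at most `mss` payload bytes."""
    return [Packet("tcp", dport, payload[i:i + mss])
            for i in range(0, len(payload), mss)]


def stream_verdict(payload: bytes, mss: int, policy) -> str:
    """Apply a per-packet policy segment by segment; the stream is 'drop'
    if any single segment is dropped, which is all a stateless match can do."""
    return "drop" if any(policy(p) == "drop" for p in segment(payload, mss)) else "pass"


# Constructed sample traffic (outbound from the LAN).
MP3_REQUEST = b"GET /music/song.mp3 HTTP/1.1\r\nHost: example.org\r\n\r\n"

SAMPLES = {
    # The one case the string match is meant to catch.
    "http_mp3_download": Packet("tcp", 80, MP3_REQUEST),
    # A forum search plus a cookie that mention '.mp3'; downloads nothing.
    "search_with_cookie": Packet(
        "tcp", 80,
        b"GET /forum/search?q=best+.mp3+encoder HTTP/1.1\r\n"
        b"Host: example.org\r\nCookie: last=track.mp3\r\n\r\n"),
    # A private mail that merely talks about an MP3.
    "smtp_mail": Packet(
        "tcp", 25,
        b"Subject: the .mp3 you asked about\r\n\r\nI deleted it, sorry."),
    # BitTorrent handshake on a typical client port; no '.mp3' anywhere.
    "bittorrent": Packet("tcp", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
}


def compare_policies() -> dict[str, tuple[str, str]]:
    """Return {name: (string-match verdict, port-policy verdict)} per sample."""
    return {name: (string_match_verdict(p), port_policy_verdict(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (s, p) in compare_policies().items():
        print(f"{name:20} string-match={s:4} port-policy={p}")
    # '.mp3' sits at offsets 15..18 of MP3_REQUEST: an MSS of 17 splits it.
    print("segmented (mss=17):", stream_verdict(MP3_REQUEST, 17, string_match_verdict))
    print("segmented (mss=20):", stream_verdict(MP3_REQUEST, 20, string_match_verdict))
```

Running it shows the string match dropping the search request and the mail (false positives) while passing the BitTorrent handshake (the traffic that actually carries most MP3s, per the reply), and missing the real MP3 request as soon as ".mp3" is split across two segments; the port policy never looks at the payload and blocks the P2P flow by destination port alone.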