Thank you Daniel!
On Friday, September 26, 2014 1:51 PM, Daniel Hartmeier <dan...@benzedrine.cx> wrote: On Thu, Sep 25, 2014 at 11:24:01AM -0700, Laszlo Danielisz via freebsd-pf wrote: > I was wondering how is possible to accept a connection, lets say on port 80 > only if it comes from a specified referer. > Let's say there is a link on server A (IP 1.1.1.1) pointing to server B (IP > 2.2.2.2). And server B will only accept the connection if it was sent by A. You mean filtering based on a HTTP Referer: header? pf doesn't work on that layer at all. Technically, B has to accept the client's connection and read the HTTP request (for the Referer: header) to make its decision. It can produce an error (or redirect) or close the connection, but "not accepting the connection" is impossible. You'd have to do this at the application layer, e.g. Apache has modules that allow access control based on HTTP headers[1], or use a HTTP proxy like squid (pf can assist redirecting to it). Also note that the referer header isn't always reliable, as it can be faked easily[2]. HTH, Daniel [1] http://www.uiowa.edu/server/manual/mod/mod_access_referer.html#motivation [2] http://www.stardrifter.org/refcontrol/ _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org" _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
