On Fri, May 09, 2008 at 10:40:18AM +0530, Srikant Tangirala wrote:
> let pf know what to filter and what not? So, is
> there some way to ensure that traffic to port 53
> is in fact not from a program like iodine and what
> goes to port 80 is only HTTP/HTTPS, and so on
> for all the common protocols? With my little bit
You can redirect the outgoing traffic through a pf proxy which understands and enforces the common parts of the protocol. This does not prevent anyone from tunnelling something else inside the well-defined protocol, like SSH over DNS, but it at least allows making it a little bit stricter. Examples are ftp-proxy(8), tftp-proxy(8), relayd(8) (DNS, HTTP, and more), ... Some people also like squid with pf patches from ports; but I'm feeling sorry for them.

reyk
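As an added example of the setup reyk describes (this is not from his message nor from the OpenBSD manual pages), a pf.conf and relayd.conf pair that forces the LAN's FTP and HTTP out through ftp-proxy(8) and relayd(8), in the pf syntax of OpenBSD 4.7 and later. The interface names, the loopback listener addresses and the blocking policy are assumptions for illustration.

```conf
# /etc/pf.conf (pf syntax of OpenBSD 4.7 and later; interface names assumed)
ext_if = "em0"          # assumption: uplink
int_if = "em1"          # assumption: LAN
proxy  = "127.0.0.1"    # both proxies listen on loopback on the firewall

set skip on lo

# Default deny for the LAN: only what a proxy has vetted leaves the box.
block log all

# FTP: ftp-proxy(8) listens on 127.0.0.1:8021 by default and inserts the
# rules it needs for the data connections into the anchor below.
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port 21 divert-to $proxy port 8021

# HTTP: hand port 80 from the LAN to the relayd(8) relay configured below.
# relayd parses every request, so a non-HTTP tunnel that merely uses
# port 80 is dropped at the relay and never reaches the uplink.
pass in quick on $int_if inet proto tcp to port 80 rdr-to $proxy port 8080

# The proxies themselves connect out from the firewall's own address.
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 21 80 }

# /etc/relayd.conf
http protocol "httpfilter" {
	# Hypothetical policy: refuse CONNECT, the method most often abused
	# to bore an arbitrary TCP tunnel through an HTTP proxy.
	block request method "CONNECT"
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
	return error
}

relay "httpproxy" {
	listen on 127.0.0.1 port 8080
	protocol "httpfilter"
	# Look up the client's original destination in pf's rdr state.
	forward to nat lookup
}
```

Check both files before loading them (`pfctl -nf /etc/pf.conf`, `relayd -n`). Note what this does and does not buy you: port 443 is not covered, because relayd cannot look inside TLS it does not terminate, so HTTPS can only be relayed opaquely or blocked; and, as reyk says, anything wrapped in syntactically valid HTTP (a tunnel carried in POST bodies, for instance) still passes the filter.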