Hostname-based filtering?

Mike Bristow mike at urgle.com
Thu Jul 15 10:14:22 BST 2004


On Thu, 2004-07-15 at 09:52, Jonathan Belson wrote:
> Hiya
> 
> > This is impossible at the IP, TCP, UDP layers.  It is possible at the
> > application layer (read HTTP or SMTP or whatever), but only if the
> > application layer supports it.
> 
> It works quite well for something that's impossible :-)
> 
> I don't know that much about Borderware kit, but I know that the server I'm
> accessing is connected to one of the auxiliary ports of the Borderware
> firewall.  The BW box has been configured to pass certain traffic [1] to
> the auxiliary server when I use a particular hostname.  The forwarding
> doesn't occur when I try to access the machine by IP, or via an alias.

Then the firewall "understands" the protocol being spoken (be it
ClearCase evilness, WebDAV, whatever), AND the protocol contains the
hostname it's talking to.

As I said, this is certainly possible with HTTP 1.1 (as the client
sends:

GET /someresource HTTP/1.1
HOST: thismachine.urgle.com

and the firewall can route the request based on the contents of the host
header).

Of course, this is all independent of the port you have apache listening
on; it'll work for:

	http://thismachine.urgle.com/someresource

and

	http://thismachine.urgle.com:12345/someresource

So in order to answer the original question "can FreeBSD/ipf do this",
the answer is:

	for HTTP, yes; other protocols may be possible but you'd need
	to say what they are.

Actually, it may be possible to do some tricks with a firewall
integrated with the DNS server, but I can't see how you could make that
reliable, even if you play horrid tricks.

> [1] In this case it's traffic to and from our source code repository, but
> it seems you can do the same trick for any port.

Out of curiosity, what source code repository?
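
A small model of the Host-header routing described in the reply above, added here as an example and not part of the thread: a reverse proxy parses the HTTP/1.1 request head and forwards only when the Host name (explicit port ignored) is in its table, so access by IP address or by an unlisted alias is not forwarded. The hostnames, backend address and sample requests are constructed.

```python
# Constructed forwarding table: Host header name -> backend the firewall
# passes traffic to (placeholder address; not from the thread).
ROUTES = {
    "thismachine.urgle.com": ("10.0.0.5", 8080),
}


def parse_request_head(raw: bytes):
    """Split an HTTP/1.1 request head into (method, target, version, headers).

    Header names are lowercased because they are case-insensitive
    ("HOST:" and "Host:" are the same header)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def strip_port(host: str) -> str:
    """Drop an explicit :port so routing is by name only; handles [v6]:port."""
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def select_backend(raw: bytes):
    """Return (ip, port) to forward to, or None when the request is not forwarded.

    The Host value is chosen by the client, so this selects a route; it does
    not prove who the client is."""
    method, target, version, headers = parse_request_head(raw)
    host = headers.get("host")
    if host is None:
        return None  # HTTP/1.0 or a malformed 1.1 request: nothing to route on
    return ROUTES.get(strip_port(host).lower())


if __name__ == "__main__":
    samples = [
        b"GET /someresource HTTP/1.1\r\nHOST: thismachine.urgle.com\r\n\r\n",
        b"GET /someresource HTTP/1.1\r\nHost: thismachine.urgle.com:12345\r\n\r\n",
        b"GET /someresource HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
        b"GET /someresource HTTP/1.1\r\nHost: alias.urgle.com\r\n\r\n",
    ]
    for req in samples:
        print(req.split(b"\r\n")[1].decode(), "->", select_backend(req))
```

Only the first two requests are forwarded; the IP-literal and alias requests, and any HTTP/1.0 request without a Host header, get no route.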
