[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: fully transparent ftp-proxy?



On Wed, Oct 30, 2002 at 08:46:19PM -0700, [email protected] wrote:
> Though I hate to make performance-based arguments without any code
> to make an evaluation on, I have to say this makes me feel uneasy.
> 
> It seems to me the only time the filter would NOT have to search the embryonic
> state table is:
> 
> 1) If an existing state is matched
> 2) If the entire embryonic rule list is empty.
> 
> So basically, every potentially state-creating packet is going to have
> to traverse this list. Sure, you can use skip steps to minimize the
> cost of the traversal, but this still seems like a hell of a hit.
This was the argument that led me to the 'dynamic rules' proposal
I had written about earlier. That is, the ability to use skip
steps when creating these states. The proposal also solved some
of the security implications by handing the control over to the
administrator.
 
> And though I like the idea of rule templates, I can't help but wonder
> if we can't achieve the same thing (limiting what kind of rules a
> proxy can insert) just by some well-thought-out "block [in/out] quick
> uid foo-proxy" rules (assuming the proxy's dynamic rules are added at
> the end.)
And this is the exact argument that led to its refusal :)
No, i am not pushing the 'dynamic rules' argument all over again.
I am convinced that the concept is not useful in real-life *sigh*.
I just could not resist pointing out the similarities and what the
embryonic-states concept could lead to. The concept is cool, but the
overhead is too high, compared to its usefulness.
Can