Re: pf with any l7 patches or ability?



Hi,
Quoting Nick Buraglio <[email protected]>:
> I'm looking for anyone that knows of a bsd project that does something 
> similar to to the Linux Layer 7 filter project.  Details found here: 
> http://l7-filter.sourceforge.net/  I'm more or less hoping that someone 
> has a *BSD project that can classify packets based on application data 
> in the connections they belong to or that there is a patch for pf to do 
> this.  Is there anything in the works that anyone knows of?
If you read the recent archives of this list, you could see that the 'official' PF
devs (Daniel, Henning) don't want to work on data payload inspection (bad
performance to do things like that in kernel space....).
In my opinion, classifying packets based on application data is a (very) bad idea
for security. If you decide to block or accept packets with a rule based only on
app data and a too simple grammar for classification, it's too easy to fake your
ruleset.
Example:
- pass in on $EXT from any to POP3_SERVER app POP3 ('app' is a new keyword for
classification based on app data)
- the grammar for POP3 protocol of the L7-filter project
- by sending a packet with payload 'pop3', your packet is accepted even if it's
not a packet for a POP3 exchange
A++ Foxy
-- 
Laurent Cheylus <[email protected]> OpenPGP ID 0x5B766EC2
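The weakness described in the reply above (a classifier whose grammar is just "the payload contains the string pop3") can be shown side by side with a stricter, state-aware grammar. The example below is added here; it is not code from the thread, from pf, or from the l7-filter project, and its regular expressions are constructed for illustration rather than copied from l7-filter's pattern files. The two sample flows are likewise constructed, not real captures.

```python
import re

# Constructed sample flows: each is a list of (direction, payload) tuples in the
# order the packets were seen. The first is a genuine POP3 session; the second
# is an unrelated stream whose payload merely mentions "pop3".
GENUINE_POP3 = [
    ("server", b"+OK POP3 server ready\r\n"),
    ("client", b"USER alice\r\n"),
    ("server", b"+OK\r\n"),
]
SPOOFED_STREAM = [
    ("client", b"hello pop3 world\r\n"),  # no POP3 greeting, wrong direction
]

# The "too simple grammar" from the post: any case-insensitive occurrence of
# "pop3" anywhere in any payload classifies the whole flow as POP3.
NAIVE_PATTERN = re.compile(rb"pop3", re.IGNORECASE)


def naive_classify(flow):
    """Return True if any payload in the flow contains 'pop3'."""
    return any(NAIVE_PATTERN.search(payload) for _, payload in flow)


# A stricter grammar (still constructed, not l7-filter's): the flow must open
# with a server greeting beginning with "+OK", every later client payload must
# start with a known POP3 command, and every later server payload must start
# with a "+OK" or "-ERR" status. Anchoring with ^ and checking direction means
# a random payload that happens to contain the word "pop3" is not enough.
SERVER_GREETING = re.compile(rb"^\+OK\b")
SERVER_STATUS = re.compile(rb"^(\+OK|-ERR)\b")
CLIENT_COMMAND = re.compile(
    rb"^(USER|PASS|STAT|LIST|RETR|DELE|NOOP|RSET|QUIT|APOP|CAPA|TOP|UIDL|STLS|AUTH)\b",
    re.IGNORECASE,
)


def strict_classify(flow):
    """Return True only if the flow follows the POP3 greeting/command shape."""
    if not flow:
        return False
    direction, payload = flow[0]
    if direction != "server" or not SERVER_GREETING.match(payload):
        return False
    for direction, payload in flow[1:]:
        pattern = CLIENT_COMMAND if direction == "client" else SERVER_STATUS
        if not pattern.match(payload):
            return False
    return True


if __name__ == "__main__":
    for name, flow in (("genuine", GENUINE_POP3), ("spoofed", SPOOFED_STREAM)):
        print(f"{name}: naive={naive_classify(flow)} strict={strict_classify(flow)}")
```

The naive grammar accepts both flows, which is exactly the problem the reply points out: a rule keyed on it would pass the spoofed stream. The stricter grammar rejects the spoofed stream because it never sees the server greeting, but it still only checks syntax, so a peer that controls both ends of the connection can speak enough POP3 to satisfy it. That is why the reply treats payload-only classification as a weak basis for pass/block decisions rather than a substitute for filtering on addresses, ports and connection state.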