
Re: pf with any l7 patches or ability?



l7 filtering is basically just a buzzword.
you have had it for years - it's called "proxy".
what they mean by the new buzzword is integrating the config, and 
perhaps doing this in kernel land.
to get an idea why l7 stuff in kernel is a bad bad bad bad idea, look 
at ipf - search bugtraq for the problems it had with its in-kernel 
ftp-proxy.
or look at netfilter, they've just been bitten by their in-kernel 
"connection tracking" for ftp and irc as well. bugtraq is your friend 
here too ;-)
I don't believe packeteer or anything else is doing any better. it's
simply a design fault.
On Wed, Nov 05, 2003 at 10:05:36PM -0600, Nick Buraglio wrote:
> I don't necessarily disagree.  I had a feeling I was chasing a ghost,
> but I have a need for a packeteer-ish appliance without the price.  The
> reason I was looking at openbsd was that I like the bridge code.  It
> works well, it's not hard to configure and best of all pf is there.
> The real problem is that in the locations I need to put these
> theoretical devices the owners are too cheap to buy good equipment that
> could perform the job, so I search for a hack to do a similar job.
> Worst case is that I use linux with the l7 patches. I'd just prefer to
> use a BSD, not necessarily pf; I figured that people on this list may
> have some idea.
> 
> Thanks again.
> 
> nb
> 
> 
> On Nov 5, 2003, at 7:51 PM, Laurent Cheylus wrote:
> 
> >Hi,
> >
> >Quoting Nick Buraglio <[email protected]>:
> >
> >>I'm looking for anyone that knows of a bsd project that does something
> >>similar to the Linux Layer 7 filter project.  Details found here:
> >>http://l7-filter.sourceforge.net/  I'm more or less hoping that someone
> >>has a *BSD project that can classify packets based on application data
> >>in the connections they belong to or that there is a patch for pf to do
> >>this.  Is there anything in the works that anyone knows of?
> >
> >If you read the recent archives of this list, you could see that
> >'official' PF devs (Daniel, Henning) don't want to work on data payload
> >inspection (bad performance to do things like that in kernel space....).
> >
> >In my opinion, classifying packets based on application data is a (very)
> >bad idea for security. If you decide to block or accept packets with a
> >rule based only on app data and a too simple grammar for classification,
> >it's too easy to fake your ruleset.
> >
> I don't really want to block or pass, just shape.
> 
> >Example:
> >- pass in on $EXT from any to POP3_SERVER app POP3 ('app' is a new
> >keyword for classification based on app data)
> >- the grammar for the POP3 protocol from the L7-filter project
> >- by sending a packet with payload 'pop3', your packet is accepted
> >even if it's not part of a POP3 exchange
> >
> >A++ Foxy
> >
> >-- 
> >Laurent Cheylus <[email protected]> OpenPGP ID 0x5B766EC2
> >
> 
> 
-- 
Henning Brauer, BS Web Services, http://bsws.de
[email protected] - [email protected]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
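Laurent's POP3 example and Nick's "just shape" remark, worked through as an added illustration that is not code from this thread, from pf or from the l7-filter project. The patterns, the 'app'-only rule and the shape-only policy are all constructed here to show why a payload match is not proof of protocol, and why that matters less when the class only selects a queue.

```python
import re

# Constructed, simplified l7-filter-style patterns (an assumption, not the
# project's real pattern files): each class is a regex run over the first
# bytes of a connection's payload.
L7_PATTERNS = {
    "pop3": re.compile(rb"^(\+ok|-err)", re.IGNORECASE),
    "http": re.compile(rb"^(get|post|head) [^\r\n]+ http/1\.[01]", re.IGNORECASE),
}


def classify(payload: bytes) -> str:
    """Return the first class whose pattern matches, or 'unknown'."""
    for name, pattern in L7_PATTERNS.items():
        if pattern.search(payload):
            return name
    return "unknown"


def pass_by_app_only(payload: bytes) -> bool:
    """The rule Laurent sketches: 'app POP3' as the only match criterion.

    Anything whose first bytes satisfy the grammar is passed, whether or not
    a POP3 exchange is actually taking place.
    """
    return classify(payload) == "pop3"


def decide(dst_port: int, payload: bytes) -> tuple:
    """Nick's intended use: ordinary port/state rules decide pass or block,
    and the payload class only picks a shaping queue.

    A wrong classification then costs bandwidth priority, not access.
    Port 110 stands in for a normal 'pass to POP3_SERVER port pop3' rule.
    """
    allowed = dst_port == 110
    if not allowed:
        return (False, None)
    queue = "q_mail" if classify(payload) == "pop3" else "q_default"
    return (True, queue)
```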