Re: pf with any l7 patches or ability?
l7 filtering is basically just a buzzword.
you have it since years - it's called "proxy".
what they mean by the new buzzword is integrating the config, and
perhaps doing this in kernel land.
to get an idea why l7 stuff in kernel is a bad bad bad bad idea, look
at ipf - search bugtraq for the problems it had with its in-kernel
or look at netfilter, they've just been bitten by their in-kernel
"connection tracking" for ftp and irc as well. bugtraq is your friend
here too ;-)
I don't believe packeteer or anything else is doing any better. it's
simply a design fault.
On Wed, Nov 05, 2003 at 10:05:36PM -0600, Nick Buraglio wrote:
> I don't necessarily disagree. I had a feeling I was chasing a ghost,
> but I have a need for a packeteer-ish appliance without the price. The
> reason I was looking at openbsd was that I like the bridge code. It
> works well, it's not hard to configure and best of all pf is there.
> The real problem is that in the locations I need to put these
> theoretical devices the owners are too cheap to buy good equipment that
> could perform the job so I search for a hack to do a similar job.
> worst case is that I use linux with the l7 patches. I'd just prefer to
> use a BSD, not necessarily pf, I figured that people on this list may
> have some idea.
> Thanks again.
> On Nov 5, 2003, at 7:51 PM, Laurent Cheylus wrote:
> >Quoting Nick Buraglio <[email protected]>:
> >>I'm looking for anyone that knows of a bsd project that does something
> >>similar to the Linux Layer 7 filter project. Details found here:
> >>http://l7-filter.sourceforge.net/ I'm more or less hoping that
> >>has a *BSD project that can classify packets based on application data
> >>in the connections they belong to or that there is a patch for pf to
> >>this. Is there anything in the works that anyone knows of?
> >If you read the recent archives of this list, you could see that
> >'official' PF devs (Daniel, Henning) don't want to work on data payload
> >inspection (bad performance to do things like that in kernel space....).
> >In my opinion, classifying packets based on application data is a (very)
> >bad idea for security. If you decide to block or accept packets with a rule
> >only based on app data and a too simple grammar for classification, it's
> >too easy to fake your
> I don't really want to block or pass, just shape.
> >Example :
> >- pass in on $EXT from any to POP3_SERVER app POP3 ('app' is a new
> >keyword for classification based on app data)
> >- the grammar for POP3 protocol of L7-filter project
> >- by sending a packet with payload 'pop3', your packet is accepted
> >even if it's not a packet for POP3 exchange
> >A++ Foxy
> >Laurent Cheylus <[email protected]> OpenPGP ID 0x5B766EC2
Henning Brauer, BS Web Services, http://bsws.de
[email protected] - [email protected]
Unix is very simple, but it takes a genius to understand the simplicity.
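The weakness Laurent describes above (a payload-only grammar that matches any packet which merely looks like the protocol) can be made concrete with a small simulation. The following is an added example, not code from any poster, from pf, or from the l7-filter project: the `NAIVE_PATTERNS` regular expression is a constructed, simplified stand-in for an l7-filter-style signature, the `Flow` messages are constructed, and `classify_naive` / `classify_dialog` are hypothetical helper names. It contrasts single-packet payload matching with a check that requires the protocol's actual dialogue shape (server greeting from the server side, then a client command from the client side), which is the kind of state a correct classifier would need to track and the reason this does not belong in a simple kernel grammar.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for an l7-filter-style signature: it matches a POP3
# greeting/response prefix OR the bare word "pop3", mirroring the thread's
# example. This is an assumption for illustration, not the project's pattern.
NAIVE_PATTERNS = {
    "pop3": re.compile(rb"^(\+ok|-err)|pop3", re.IGNORECASE),
}

# Client commands a real POP3 client would send right after the greeting.
POP3_CLIENT_CMD = re.compile(rb"^(USER|APOP|CAPA|STLS|QUIT)\b", re.IGNORECASE)


@dataclass
class Flow:
    """A constructed bidirectional flow: (direction, payload) pairs in
    arrival order, where direction is 'c2s' (client to server) or 's2c'."""
    messages: List[Tuple[str, bytes]]


def classify_naive(payload: bytes) -> Optional[str]:
    """Payload-only classification of a single packet.

    It ignores who sent the bytes and whether any exchange took place, so
    any packet whose bytes happen to match the grammar is labelled POP3.
    """
    for proto, pattern in NAIVE_PATTERNS.items():
        if pattern.search(payload):
            return proto
    return None


def classify_dialog(flow: Flow) -> Optional[str]:
    """Classification that requires the protocol's dialogue shape.

    POP3 starts with the *server* sending '+OK ...', after which the
    *client* issues a command. A lone packet, or a client-sent '+OK',
    does not satisfy this and is left unclassified.
    """
    if len(flow.messages) < 2:
        return None
    (dir0, pay0), (dir1, pay1) = flow.messages[0], flow.messages[1]
    if (dir0 == "s2c" and pay0.upper().startswith(b"+OK")
            and dir1 == "c2s" and POP3_CLIENT_CMD.match(pay1)):
        return "pop3"
    return None


def evaluate() -> dict:
    """Run both classifiers over constructed flows and return the verdicts."""
    real_pop3 = Flow([("s2c", b"+OK POP3 server ready\r\n"),
                      ("c2s", b"USER alice\r\n")])
    # The thread's case: a single client packet whose payload is just 'pop3'.
    bare_word = Flow([("c2s", b"pop3")])
    # A client-originated packet dressed up as a server greeting.
    fake_greeting = Flow([("c2s", b"+OK not really a mail server\r\n"),
                          ("c2s", b"GET / HTTP/1.0\r\n")])

    results = {}
    for name, flow in (("real_pop3", real_pop3),
                       ("bare_word", bare_word),
                       ("fake_greeting", fake_greeting)):
        first_payload = flow.messages[0][1]
        results[name] = {
            "naive": classify_naive(first_payload),
            "dialog": classify_dialog(flow),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:14s} naive={verdicts['naive']!s:5s} dialog={verdicts['dialog']}")
```

The naive classifier labels all three constructed flows as POP3, so a shaping rule keyed on it would apply POP3 treatment to whatever anyone chooses to put in a first packet; the dialogue check only accepts the flow in which a server greeting is actually answered by a client command. Even that check needs per-connection state and direction awareness, which is the proxy-style bookkeeping the thread argues should stay out of the kernel.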