From: Fabrice MARIE <fabrice@netfilter.org>
To: gideon olam <gideon@gideonolam.com>, netfilter-devel@lists.netfilter.org
Subject: Re: Application interface
Date: Tue, 24 Jun 2003 16:33:56 -0400
Message-ID: <200306241633.56809.fabrice@netfilter.org>
In-Reply-To: <1056408903.3659.13.camel@skinny.gideonolam.com>


Hello,

On Monday 23 June 2003 18:55, gideon olam wrote:
> Is there an interface or mechanism either in place today or planned for
> the future which allows for application level control?  Meaning instead
> of all apps being allowed to use well known services like http,
> limiting access to a subset of applications?
> I'm interested in Linux's ability to provide some of the personal
> firewall capabilities seen on windows systems.  Specific control of
> applications use of the internet becomes important when you are
> combating various types of malware be it spyware, trojans, or viruses.
> While it's true that malware has been slow to spread to the Linux
> platform it is coming, and application controls are an important step
> towards prevention and control.

Netfilter/iptables is merely a packet filter with some add-ons like NAT.
In no case will netfilter/iptables replace application proxies.
The functionality you describe is already provided by various filtering
application proxies: squid, zorp, etc.

Many people had all sorts of ideas to make netfilter become more aware
of the higher level protocols such as HTTP, etc.; however, most of them
were bad ideas in my opinion. For instance, if you try to filter HTTP URLs
using netfilter alone with the string match, you'll run into all sorts of troubles.
What you need in this case is a proper HTTP filtering proxy.

If you need more information about the caveats of _trying_ to turn netfilter
into an application proxy, please check the archive, as this question has
been asked often, and people were told each time that this wasn't the goal
of netfilter.

On the other hand, application proxies already play nicely with netfilter on the same machine.
For example, people implement transparent filtering proxies with virus scan
and HTTP URL blocking and stuff like this using netfilter+squid. The same
can be done with zorp and others. So I believe the netfilter mechanisms facilitating that
are already in place (REDIRECT, SNAT/DNAT, ULOG, to mention just a few).

Have a nice day,

Fabrice.
--
Fabrice MARIE

"Silly hacker, root is for administrators"
       -Unknown
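The netfilter+squid transparent proxy setup Fabrice points to, written out as an added example that is not part of this thread. It assumes squid listens on port 3128 in transparent/intercept mode on the firewall host, runs as the `squid` user, and that LAN clients arrive on `eth1`; the interface, port, user and local network are all assumed parameters, and the script only prints the rules so they can be reviewed before being piped to `sh`.

```bash
#!/bin/sh
# Added example: generate the iptables rules for a transparent HTTP proxy.
# Assumptions (not from the thread): squid in transparent/intercept mode on
# $proxy_port, running as $proxy_user; clients enter on $lan_if; $lan_net is
# the local network whose web servers must stay directly reachable.
set -eu

transparent_proxy_rules() {
    lan_if="$1"      # interface where client traffic enters, e.g. eth1
    proxy_port="$2"  # squid's http_port, e.g. 3128
    proxy_user="$3"  # uid squid runs as, e.g. squid
    lan_net="$4"     # local network excluded from redirection, e.g. 192.168.1.0/24

    # ACCEPT in the nat table means "leave this connection un-NATed"; these
    # exemptions must precede the REDIRECT rule or they never match.

    # Forwarded LAN clients: local web servers are left alone, every other
    # port-80 connection is steered into squid on this host.
    echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -d $lan_net -j ACCEPT"
    echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port"

    # Locally generated traffic: squid's own upstream fetches must be exempted,
    # otherwise they would be redirected back into squid and loop forever.
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $proxy_user -j ACCEPT"
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -d $lan_net -j ACCEPT"
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port"
}

# Print the rule set when invoked with the four parameters; apply with "| sh".
if [ "$#" -eq 4 ]; then
    transparent_proxy_rules "$@"
fi
```

Run as `./proxy-rules.sh eth1 3128 squid 192.168.1.0/24 | sh` once the output looks right; the filtering and URL blocking themselves are squid's job, netfilter only delivers the connections to it.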
