* Stateful packet inspection
@ 2005-03-04 15:42 Maxime Ducharme
  2005-03-04 15:46 ` Michael Tautschnig
  0 siblings, 1 reply; 9+ messages in thread
From: Maxime Ducharme @ 2005-03-04 15:42 UTC (permalink / raw)
  To: netfilter


Hi to the list

I have been asked if iptables supports
stateful packet inspection.

i.e. verify if traffic on port 21 is FTP
and not HTTP (correct me if I'm using the wrong
term)

Is there any module or development about this?

Thanks in advance

Maxime Ducharme
Programmer / Network security specialist




* Re: Stateful packet inspection
  2005-03-04 15:42 Stateful packet inspection Maxime Ducharme
@ 2005-03-04 15:46 ` Michael Tautschnig
  2005-03-04 16:03   ` Daniel Lopes
  0 siblings, 1 reply; 9+ messages in thread
From: Michael Tautschnig @ 2005-03-04 15:46 UTC (permalink / raw)
  To: Maxime Ducharme; +Cc: netfilter

>
> I have been asked if iptables support
> stateful packet inspection.
>
> i.e. verify if traffic on port 21 is FTP
> and not HTTP (correct me if I'm using the wrong
> term)
>
> Is there any module or development about this ?
>

http://l7-filter.sourceforge.net/

Regards,
Michael



* Re: Stateful packet inspection
  2005-03-04 15:46 ` Michael Tautschnig
@ 2005-03-04 16:03   ` Daniel Lopes
  2005-03-04 18:45     ` Maxime Ducharme
  0 siblings, 1 reply; 9+ messages in thread
From: Daniel Lopes @ 2005-03-04 16:03 UTC (permalink / raw)
  To: netfilter

Michael Tautschnig wrote:
>>
>> I have been asked if iptables support
>> stateful packet inspection.
>>
>> i.e. verify if traffic on port 21 is FTP
>> and not HTTP (correct me if I'm using the wrong
>> term)
>>
>> Is there any module or development about this ?
>>
> 
> http://l7-filter.sourceforge.net/
> 
> Regards,
> Michael
> 
> 
I thought SPI means inspecting packets for their state i.e. NEW or 
ESTABLISHED. What you mean is a Layer 7 filter, the link to it was 
posted above ;).


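The distinction Daniel draws, shown in code as an added example (not from the thread): a connection tracker only knows whether a flow is NEW or ESTABLISHED, while a layer-7 classifier looks at the payload to decide whether what runs on port 21 is actually FTP. The flows, payload bytes and protocol signatures below are constructed for the demonstration.

```python
# Added example: connection-state tracking (conntrack-style NEW/ESTABLISHED)
# versus layer-7 classification (what l7-filter adds). All inputs constructed.
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport")


class ConnTracker:
    """Minimal stateful tracker: first packet of a flow is NEW, later ones
    (in either direction) are ESTABLISHED. Knows nothing about payloads."""

    def __init__(self):
        self.seen = set()

    def state(self, flow):
        key = (flow.src, flow.sport, flow.dst, flow.dport)
        reverse = (flow.dst, flow.dport, flow.src, flow.sport)
        if key in self.seen or reverse in self.seen:
            return "ESTABLISHED"
        self.seen.add(key)
        return "NEW"


def classify_l7(payload):
    """Guess the application protocol from the first bytes of the stream.
    The destination port is deliberately ignored: that is the layer-7 part.
    Signatures are constructed; a real classifier matches across the first
    few packets rather than a single payload."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/")):
        return "http"
    if payload.startswith((b"220 ", b"USER ", b"PASS ")):  # FTP greeting / login
        return "ftp"
    return "unknown"


def policy(tracker, flow, payload):
    """Allow port 21 only when the stream looks like FTP; empty segments
    (e.g. the handshake) carry no payload and are left to the state match."""
    st = tracker.state(flow)
    proto = classify_l7(payload) if payload else "unknown"
    if flow.dport == 21 and payload and proto != "ftp":
        return st, proto, "DROP"
    return st, proto, "ACCEPT"
```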

* Re: Stateful packet inspection
  2005-03-04 16:03   ` Daniel Lopes
@ 2005-03-04 18:45     ` Maxime Ducharme
  2005-03-04 18:48       ` Seferovic Edvin
  0 siblings, 1 reply; 9+ messages in thread
From: Maxime Ducharme @ 2005-03-04 18:45 UTC (permalink / raw)
  To: netfilter


Yes, I am not sure of the exact word for
"Layer 7 filter"

Can someone confirm this?

TIA

Maxime Ducharme
Programmer / Network security specialist


* RE: Stateful packet inspection
  2005-03-04 18:45     ` Maxime Ducharme
@ 2005-03-04 18:48       ` Seferovic Edvin
  0 siblings, 0 replies; 9+ messages in thread
From: Seferovic Edvin @ 2005-03-04 18:48 UTC (permalink / raw)
  To: netfilter

Yes,

what you are actually looking for is a filter for applications that send
packets through your firewall => so-called LAYER 7 FILTER! Why layer 7 - see
the OSI layer model.

Regards,

Edvin Seferovic


* Re: Stateful packet inspection
@ 2005-03-04 18:52 Maxime Ducharme
  2005-03-04 22:27 ` R. DuFresne
  0 siblings, 1 reply; 9+ messages in thread
From: Maxime Ducharme @ 2005-03-04 18:52 UTC (permalink / raw)
  To: netfilter


Thanks to all who replied :)

Have a nice day

Maxime Ducharme
Programmer / Network security specialist


* Re: Stateful packet inspection
  2005-03-04 18:52 Maxime Ducharme
@ 2005-03-04 22:27 ` R. DuFresne
  0 siblings, 0 replies; 9+ messages in thread
From: R. DuFresne @ 2005-03-04 22:27 UTC (permalink / raw)
  To: Maxime Ducharme, Seferovic Edvin; +Cc: netfilter


Is that what he's looking for?  really?  the more I read this the more I 
get the impression he might be talking about an application proxy.  A 
better definition on the information being sought might be in order, 
though, I get the impression that clarification might not be easy here 
<smile>.

And by application proxy, I mean something that does more than merely 
identify the application, but also enforces a 'policy' on the traffic <i.e. 
it understands what is allowed in the transaction and limits traffic to 
that context>.

Thanks,

Ron DuFresne


* Stateful packet inspection
@ 2011-11-03 18:46 msk
  2011-11-03 19:29 ` Jan Engelhardt
  0 siblings, 1 reply; 9+ messages in thread
From: msk @ 2011-11-03 18:46 UTC (permalink / raw)
  To: netfilter

I'm looking into doing some work that involves an application doing stateful
inspection of packets for a specific application layer protocol.  I can't
tell from the descriptions if "netfilter" or "netfilter-devel" is the right
place to ask, so please feel free to point me at the right list if this is
the wrong one.

The idea is this:

Machine A is connected to the general Internet, acting as a filter or firewall
for machine B.  Machine B provides a well-known Internet service of some
kind but is subject to abuse and needs protection.

Machine A is equipped with a two-port NIC with a fail-open capability, so that
if A is powered off or the software on it crashes, Internet traffic goes
directly to and from B, allowing transparent fail-over.

A connection from outside hits A, which passes it to an application-layer
policy application that does stateful analysis while packets are also
relayed between the Internet and B.  If A decides the session needs to
be aborted for policy reasons, it terminates the relaying to B (so B
thinks the connection was interrupted) and sends an application-specific
permanent error code back to the client.  This means B doesn't know A is
there, and neither does the client, whether the session is allowed to
complete, or is aborted, or A fails.

Does netfilter provide APIs that could accomplish this?  If not, is there
something else that does, or gets me close?

Thanks for any advice!

-MSK


* Re: Stateful packet inspection
  2011-11-03 18:46 msk
@ 2011-11-03 19:29 ` Jan Engelhardt
  0 siblings, 0 replies; 9+ messages in thread
From: Jan Engelhardt @ 2011-11-03 19:29 UTC (permalink / raw)
  To: msk; +Cc: netfilter


On Thursday 2011-11-03 19:46, msk@cloudmark.com wrote:
>
>A connection from outside hits A, which passes it to an application-layer
>policy application that does stateful analysis while packets are also
>relayed between the Internet and B.

- tproxy (squid offers that, for example) using the standard
way of the POSIX socket API,

- nfqueue via libnetfilter_queue library

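The userspace "policy application" msk describes, as an added example (not from the thread or from any netfilter project code), written independently of whether the bytes reach it through a tproxy socket or an nfqueue verdict as Jan suggests: it reassembles the client's command stream, keeps per-session state, relays allowed commands to B, and on a violation stops relaying and answers the client itself with a permanent error. FTP is assumed as the protected service; the allowed-command sets and the reply text are constructed placeholders, and the server-side reply tracking is simplified.

```python
# Added example: stateful application-layer relay policy for machine A.
# Protocol (FTP), command sets and error text are assumptions, not from the thread.
ALLOWED_BEFORE_LOGIN = {b"USER", b"PASS", b"QUIT"}
ALLOWED_AFTER_LOGIN = ALLOWED_BEFORE_LOGIN | {
    b"PWD", b"CWD", b"TYPE", b"PASV", b"LIST", b"RETR"}
# 5yz is FTP's permanent-negative reply class (RFC 959); the text is constructed.
PERMANENT_ERROR = b"500 Session terminated by policy\r\n"


class SessionPolicy:
    """State machine for one client->B control connection."""

    def __init__(self):
        self.logged_in = False
        self.buf = b""  # partial line carried over between TCP segments

    def feed(self, data):
        """Consume client bytes. Returns ("relay", bytes) with the complete
        lines to forward to B, or ("abort", reply) when relaying must stop
        and the client gets the error reply instead of B's answer."""
        self.buf += data
        out = b""
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            cmd = line.split(b" ", 1)[0].upper()
            allowed = ALLOWED_AFTER_LOGIN if self.logged_in else ALLOWED_BEFORE_LOGIN
            if cmd not in allowed:
                return "abort", PERMANENT_ERROR  # earlier lines in this chunk are dropped too
            if cmd == b"PASS":
                # Simplification: assume login succeeded; a real relay would
                # wait for B's 230 reply before changing state.
                self.logged_in = True
            out += line + b"\r\n"
        return "relay", out


def run_session(chunks, policy=None):
    """Drive one session from constructed client segments; returns the actions
    A takes, stopping at the first abort (B then sees an interrupted connection)."""
    policy = policy or SessionPolicy()
    actions = []
    for chunk in chunks:
        action = policy.feed(chunk)
        actions.append(action)
        if action[0] == "abort":
            break
    return actions
```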
