From: Ralf Spenneberg <lists@spenneberg.org>
To: SBlaze <dagent.geo@yahoo.com>
Cc: Netfilter <netfilter@lists.netfilter.org>
Subject: Re: Need help have some questions...
Date: 18 Aug 2003 23:09:52 +0200
Message-ID: <1061240992.1628.56.camel@kermit>
In-Reply-To: <20030818201333.57194.qmail@web40202.mail.yahoo.com>
On Mon, 2003-08-18 at 22:13, SBlaze wrote:
> To Ralf, the netfilter team, and the whole of the OS community
>
> How am I supposed to proxy apache? Why should I have to? Is it not a firewall's
> job to protect a system (and the LAN behind it)? This is a very valid form of
> protection I'm asking for here.
You sure are correct in pointing out that firewalls are supposed to
protect a system and maybe a LAN behind it.
You have to remember (or read up on) that there are basically 3
different technologies available to technically implement a firewall:
1. Packet filters like netfilter and ipchains
2. Circuit relays like socks
3. Application level gateways like fwtk
All three work on different network layers and have access to different
information.
Basically a packet filter only has access to the headers of the IP
packet (yes, I know that netfilter has the string match), but it
cannot reassemble the whole data stream and base its decision on it (at
least not yet). This means that a packet filter cannot find the
destination email address in an SMTP data stream. It just does not have
the intelligence built in.
A circuit relay is a quite dumb proxy that just filters connections but
still cannot see inside.
An application level gateway is more or less a proxy written for the
specific protocol. It cannot access the packet headers anymore, but it
sees the data stream. It can understand and parse the SMTP protocol and
filter based on the data sent.
Now since Netfilter is a packet filter, you do not (and probably will
never) have the possibility to filter based on domains but only on IP
addresses.
If your domains use two different IP addresses, it is easy to redirect
because netfilter can access the IP header holding the information.
By the way, even commercial packet filters like Checkpoint use a proxy
for this functionality.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
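The following is an added example, not code from Ralf's message or from the netfilter project. It models the layer distinction the message makes: a packet filter decides per packet from IP and transport header fields, a per-packet string match only sees one TCP segment at a time, and an application level gateway terminates the connection and parses the reassembled SMTP stream. The SMTP session, the IP addresses and the blocked domain are constructed sample values, and the session deliberately splits the recipient domain across two segments to show why reassembly matters.

```python
"""Packet filter view vs. application level gateway view of one SMTP session.

Constructed sample data throughout; no real hosts or policies are referenced.
"""
from dataclasses import dataclass
import re


@dataclass
class Packet:
    """The fields a packet filter can actually look at: IP and transport headers."""
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


# Constructed sample: one SMTP session as the TCP segments a filter would see.
# The recipient domain "blocked.example" is split across two segments.
SESSION_SEGMENTS = [
    b"HELO mail.example.net\r\n",
    b"MAIL FROM:<alice@example.net>\r\n",
    b"RCPT TO:<bob@block",
    b"ed.example>\r\n",
    b"DATA\r\n",
]

BLOCKED_DOMAIN = "blocked.example"  # constructed policy value


def packet_filter_decision(pkt, rules):
    """Packet filter: first matching rule wins, matching on header fields only.

    A rule is a dict with optional 'dst', 'proto', 'dport' and a mandatory 'action'.
    Nothing in the payload is consulted, so a mail domain cannot be a criterion.
    """
    for rule in rules:
        if (rule.get("dst") in (None, pkt.dst)
                and rule.get("proto") in (None, pkt.proto)
                and rule.get("dport") in (None, pkt.dport)):
            return rule["action"]
    return "ACCEPT"


def string_match_per_packet(segments, needle):
    """Per-packet string match (the netfilter string match works this way):
    each segment is inspected on its own, so a token that straddles a
    segment boundary is never seen in one piece."""
    return any(needle in seg for seg in segments)


def alg_rcpt_domains(segments):
    """Application level gateway: reassemble the stream, then parse SMTP
    RCPT TO commands and return the recipient domains in order."""
    stream = b"".join(segments).decode("ascii", errors="replace")
    pattern = re.compile(r"^RCPT TO:<[^@>]+@([^>]+)>", re.M | re.I)
    return [m.group(1).lower() for m in pattern.finditer(stream)]


def alg_decision(segments, blocked_domain):
    """Policy decision only a proxy can make: reject mail to a given domain."""
    return "REJECT" if blocked_domain in alg_rcpt_domains(segments) else "ACCEPT"


def redirect_by_destination(pkt, redirect_map):
    """The case the message calls easy for netfilter: each site has its own
    IP address, so the redirect target is chosen from the IP header alone."""
    return redirect_map.get(pkt.dst, pkt.dst)


if __name__ == "__main__":
    smtp_pkt = Packet("10.0.0.5", "192.0.2.10", "tcp", 25)
    print("packet filter:", packet_filter_decision(smtp_pkt, [{"dport": 25, "action": "ACCEPT"}]))
    print("per-packet string match finds domain:", string_match_per_packet(SESSION_SEGMENTS, b"blocked.example"))
    print("gateway sees recipients:", alg_rcpt_domains(SESSION_SEGMENTS))
    print("gateway decision:", alg_decision(SESSION_SEGMENTS, BLOCKED_DOMAIN))
```

Run as a script, the packet filter accepts the SMTP connection (port 25 is allowed and that is all it can judge), the per-packet string match reports that it never saw the blocked domain, and the gateway, having reassembled the stream, both lists the recipient domain and rejects the session. The redirect helper shows the contrast from the end of the message: when the decision depends only on the destination IP, the packet filter has everything it needs.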