* Need help have some questions...
From: SBlaze @ 2003-08-15 9:29 UTC (permalink / raw)
To: netfilter
I've been toying around with the idea of redirecting unwanted traffic to the
discard surface. I'm having trouble understanding some concepts though. Could
anyone please explain this in more detail or perhaps suggest a way to
accomplish this.
On the filter table using INPUT there is no way to change or alter the
destination of packets and cause them to be sent to another port?
Using the POSTROUTING chain in the nat table it is impossible to effectively
filter traffic via specific matches due to the fact that POSTROUTED packets are
sort of "lumped together", for lack of a better way to explain it?
If anyone can answer these I would MOST appreciate it as it is really causing
me a lot of confusion.
Thanks
s-blaze
=====
"Winky is not knowing how sir, winky is not knowing how?" -=Winky / Harry Potter and the Goblet of Fire=-"
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
* Re: Need help have some questions...
From: Ralf Spenneberg @ 2003-08-15 10:02 UTC (permalink / raw)
To: SBlaze; +Cc: Netfilter
Hi,
On Fri, 2003-08-15 at 11:29, SBlaze wrote:
> I've been toying around with the idea of redirecting unwanted traffic to the
> discard surface. I'm having trouble understanding some concepts though. Could
> anyone please explain this in more detail or perhaps suggest a way to
> accomplish this.
>
> On the filter tables using IMPUT there is no way to change or alter the
> destination of packets and cause them to be sent to another port?
No. You cannot change the source or destination in the filter table. Use
the nat table for this. In the nat table you can change the source
(POSTROUTING) and the destination (PREROUTING, OUTPUT).
>
> Using the POSTROUTING chain in the nat table is impoosible to effectively
> filter traffic via specific matches due to the fact that POSTROUTED packets are
> sort of "lumped together" for lack of a better way to explain it?
You want the PREROUTING chain since you want to redirect (change the
destination).
And yes, when using NAT you only see the first packet of each connection
in the nat table. All other packets are automatically natted
identically.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
* Re: Need help have some questions...
From: SBlaze @ 2003-08-15 22:09 UTC (permalink / raw)
To: Ralf Spenneberg; +Cc: Netfilter
Just as I suspected. This is not good news for what I would like to do. Why is
it that iptables does not allow "forwarding" on the INPUT chain? Is it because
the filter table is not capable of this?
I have been able to successfully PREROUTE the service I wanted with a redirect
line. However this is only HALF the implementation I need...
Given the fact that matches are almost always useless in PREROUTING, since only
the first packet is examined (I'm fairly certain that what I need to check for
is not in that first packet), I would like to propose a question to the
netfilter community (seeing as I am at a complete loss for a solution here).
How can I separate requests to a machine by a matched string? Once this is
done how can I then direct certain requests one way and certain requests another
way (doesn't need to be another IP but does need to be another port)?
I will post what I have been testing with and perhaps everyone else out there
can help me build and actually bring about a solution.
#iptables -A INPUT -p tcp -m string --string ".exe" -j LOG --log-prefix "CODE RED "
#iptables -A INPUT -p tcp -m string --string ".exe" -j REJECT --reject-with tcp-reset
In the beginning I tested these lines. The desired effect was nice! I could both
log and reject connections. The downside to this is it causes kernel panics.
NOT ACCEPTABLE!
# Works
#iptables -t nat -A PREROUTING -p tcp --dport 81 -j REDIRECT --to-ports 80
# Does not work!
#iptables -t nat -A PREROUTING -p tcp --dport 81 -m string --string "exe" -j REDIRECT --to-ports 80
Keeping in mind that these rules are for complete testing and not practical use,
I used them to see if the REDIRECT worked and it does. However the string
matching does not. (Leading me to believe what I need to match is not in the
first packet.)
Someone out there must know a way to work around this and it would be most
handy for more than just me if this technique could be implemented.
Thanks so much to Ralf Spenneberg for answering the first mail. I hope others
and him can help me resolve this issue. IT'S PLAGUING MY THOUGHTS!!!!
SBlaze
--- Ralf Spenneberg <lists@spenneberg.org> wrote:
> Hi,
>
> On Fri, 2003-08-15 at 11:29, SBlaze wrote:
> > I've been toying around with the idea of redirecting unwanted traffic to
> the
> > discard surface. I'm having trouble understanding some concepts though.
> Could
> > anyone please explain this in more detail or perhaps suggest a way to
> > accomplish this.
> >
> > On the filter tables using IMPUT there is no way to change or alter the
> > destination of packets and cause them to be sent to another port?
> No. You cannot change the source or destination in the filter table. Use
> the nat table for this. In the nat table you can change the source
> (POSTROUTING) and the destination (PREROUTING, OUTPUT)
>
> >
> > Using the POSTROUTING chain in the nat table is impoosible to effectively
> > filter traffic via specific matches due to the fact that POSTROUTED packets
> are
> > sort of "lumped together" for lack of a better way to explain it?
> You want the PREROUTING chain since you want to redirect (change the
> destination).
>
> And yes, when using NAT you only see the first packet of each connection
> in the nat table. All other packets are automatically natted
> identically.
>
> Cheers,
>
> Ralf
> --
> Ralf Spenneberg
> RHCE, RHCX
>
> Book: Intrusion Detection für Linux Server http://www.spenneberg.com
> IPsec-Howto http://www.ipsec-howto.org
> Honeynet Project Mirror: http://honeynet.spenneberg.org
=====
"Winky is not knowing how sir, winky is not knowing how?" -=Winky / Harry Potter and the Goblet of Fire=-"
* Re: Need help have some questions...
From: SBlaze @ 2003-08-18 20:13 UTC (permalink / raw)
To: Ralf Spenneberg, nf; +Cc: cc
To Ralf, the netfilter team, and the whole of the OS community
How am I supposed to proxy apache? Why should I have to? Is it not a firewall's
job to protect a system (and LAN behind it)? This is a very valid form of
protection I'm asking for here.
A more detailed explanation of what I need is this and I know I'm not alone in
this as I have been corresponding with people who want the very same thing (cc
if ya out there lemme hear ya..post up with me here.)
Anyone who runs apache and logs (which is EVERYONE who runs apache unless they
are brain dead or don't care about security) is constantly BOMBARDED DAILY with
CODE/RED and NIMDA (and I'm sure other types of invalid requests they would like
to protect against).
Knowing this... and knowing that the discard service is a very nice and clean
way to sort of send things like this to the great packet /dev/null, I do not
think it is too much to ask that iptables provide me a way to keep those
invalid requests AWAY from my web server. I should be able to route packets to
the discard service without having to use the NAT table (although if that was
even an option I would use it.) All my services run on ONE machine; NAT should
not be necessary.
If this can not be done I would love for someone to give me a half technical
half layman's terms explanation. I honestly don't think I'm asking so much of
the iptables firewall that I should have to go proxying things and
circumventing things here and there.
Much Respect to the netfilter team and the OS Community
SBlaze
--- Ralf Spenneberg <lists@spenneberg.org> wrote:
> On Sat, 2003-08-16 at 00:09, SBlaze wrote:
> > How can I sepperate requests to a machine by a matched string? Once this is
> > done how can I then direct certain requests one way and certain request
> another
> > way(doesn't need to be another IP but does need to be another port)?
> Use a proxy. They were made for application filtering.
>
> Cheers,
>
> Ralf
> --
> Ralf Spenneberg
> RHCE, RHCX
>
> Book: Intrusion Detection für Linux Server http://www.spenneberg.com
> IPsec-Howto http://www.ipsec-howto.org
> Honeynet Project Mirror: http://honeynet.spenneberg.org
=====
"Winky is not knowing how sir, winky is not knowing how?" -=Winky / Harry Potter and the Goblet of Fire=-"
* Re: Need help have some questions...
From: Ramin Dousti @ 2003-08-18 20:52 UTC (permalink / raw)
To: SBlaze; +Cc: Ralf Spenneberg, nf, cc
On Mon, Aug 18, 2003 at 01:13:33PM -0700, SBlaze wrote:
> To Ralf, the netfilter team, and the whole of the OS community
>
> How am I supposed to proxy apache? Why should I have to? Is it not a firewalls
> job to protect a system(and LAN behind it)? This is a very valid form of
> protection I'm asking for here.
First of all, cool down. Secondly, read up on the layered model of networking
and try to understand each layer and its functionality, like, IP is meant
for routing, TCP is meant for reliable end to end communication and HTTP
is meant for retrieval of the hyper text (and images and audio and video...).
Once you get there, you'll understand the goals of netfilter and the layer(s)
it's supposed to function upon. However, there have been some ad hoc
developments here and there by means of different (pom) modules which have
extended the borders of what netfilter can/should do, like the "string" module.
But when you get to the bits and bytes of how things work you would realize
that, eg, the "string" module kills your system by its extensive scan of
the packets. It does not know that an "invalid" HTTP request happens at the
very beginning of the HTTP communication after a "GET" command... And again
because of some technical issues like fragmentation (which can be found in the
readings you've already done) this "string" module is not bullet-proof for
catching the HTTP requests you don't like.
What Ralf mentioned earlier is absolutely valid. If you want to filter based
on an application specific property (eg, "Get cmd.exe", or whatever the M$
hacks look like) then you need to make use of a filter at the application
level. In this case, a process which terminates the HTTP dialog, looks for
(in)valid requests and acts upon it accordingly.
This is a .02$ explanation you asked for.
Ramin
* Re: Need help have some questions...
From: Wallwork, Nathan @ 2003-08-18 20:53 UTC (permalink / raw)
To: SBlaze; +Cc: nf
On Mon, 18 Aug 2003, SBlaze wrote:
> How am I supposed to proxy apache? Why should I have to? Is it not a firewalls
> job to protect a system(and LAN behind it)? This is a very valid form of
> protection I'm asking for here.
You are asking for a different sort of protection than what firewalls are
generally expected to provide.
> Anyone who runs apache and logs(which is EVERYONE who runs apache unless they
> are brain dead or don't care about security) is constantly BOMBARDED DAILY with
> CODE/RED and NIMDA(and I'm sure other types of invalid requests they would like
> to protect against).
Yeah, so what? Apache can handle that. You can configure Apache to discard
those requests without filling up your log files, if that's the concern.
You can run a proxy to deal with it. You have plenty of options.
> If this can not be done I would love for someone to give me a half technical
> half lamen's terms explanation. I honestly don't think I'm asking so much of
> the iptables firewall that I should have to go proxying things and
> circumventing things here and there.
Rejecting packets based on source or destination or port number or a number of
other things is easy. Building an awareness of the HTTP protocol into the
kernel modules so that netfilter can parse an HTTP conversation isn't
appropriate. Inspecting lots of packets is better handled outside the kernel.
IP, TCP, UDP, and ICMP are all low-level protocols.
HTTP is a high-level protocol.
Rejecting based on content is more appropriately handled by a user-level tool
which is designed to handle the specific user-level protocol involved, in this
case an HTTP proxy would be a good choice.
* Re: Need help have some questions...
From: Ralf Spenneberg @ 2003-08-18 21:09 UTC (permalink / raw)
To: SBlaze; +Cc: Netfilter
On Mon, 2003-08-18 at 22:13, SBlaze wrote:
> To Ralf, the netfilter team, and the whole of the OS community
>
> How am I supposed to proxy apache? Why should I have to? Is it not a firewalls
> job to protect a system(and LAN behind it)? This is a very valid form of
> protection I'm asking for here.
You sure are correct in pointing out that firewalls are supposed to
protect a system and maybe a LAN behind it.
You have to remember (or read up on) that there are basically 3
different technologies available to technically implement a firewall:
1. Packetfilter like netfilter and ipchains
2. Circuit Relays like socks
3. Application level gateways like fwtk
All three work on different network layers and have access to different
information.
Basically a packet filter has only access to the headers of the IP
packet (yes, I know that netfilter has the string match), but they
cannot reassemble the whole datastream and base their decision on it (at
least not yet). This means, that a packetfilter cannot find the
destination email address in an smtp data stream. It just does not have
the intelligence built in.
A circuit relay is a quite dumb proxy that just filters connections but
still cannot see inside.
An application level gateway is more or less a proxy written for the
specific protocol. It cannot access the packet headers anymore but it
sees the data stream. It can understand and parse the SMTP protocol and
filter based on the data sent.
Now since Netfilter is a packet filter, you do not (and probably will
never) have the possibility to filter based on domains but only on IP
addresses.
If your domains use two different IP addresses it is easy to redirect
because netfilter can access the IP header holding the information.
By the way, even commercial packet filters like Checkpoint use a proxy
for this functionality.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
* Re: Need help have some questions...
From: Frank Smith @ 2003-08-18 21:14 UTC (permalink / raw)
To: SBlaze, nf
--On Monday, August 18, 2003 13:13:33 -0700 SBlaze <dagent.geo@yahoo.com> wrote:
> To Ralf, the netfilter team, and the whole of the OS community
>
> How am I supposed to proxy apache? Why should I have to? Is it not a firewalls
> job to protect a system(and LAN behind it)? This is a very valid form of
> protection I'm asking for here.
>
> A more detailed explanation of what I need is this and I know I'm not alone in
> this as I have been corresponding with people who want the very same thing(cc
> if ya our there lemme hear ya..post up with me here.)
>
> Anyone who runs apache and logs(which is EVERYONE who runs apache unless they
> are brain dead or don't care about security) is constantly BOMBARDED DAILY with
> CODE/RED and NIMDA(and I'm sure other types of invalid requests they would like
> to protect against).
'Bombarded' is a relative term. On a busy site they aren't even noticeable
unless you're looking for them.
> Knowing this... and knowing that the discard service is a very nice and clean
> way to sort of send things like this to the great packet /dev/null , I do not
> think it is too much to ask that iptables provide me a way to keep those
> invalid requests AWAY from my web server. I should be able to route packets to
> the discard service without having to use the NAT table(although if that was
> even an option I would use it.) All my services run on ONE machine NAT should
> not be nessecery.
>
> If this can not be done I would love for someone to give me a half technical
> half lamen's terms explanation. I honestly don't think I'm asking so much of
> the iptables firewall that I should have to go proxying things and
> circumventing things here and there.
You might want to take a look at http://www.securityfocus.com/infocus/1553
It's about IDS signatures, but it shows the complexity of the problem of
string-matching URLs due to path obfuscation and character encoding, and
doesn't even mention that the URL could possibly be spread over fragmented
packets.
Even with plain URLs, string matching takes time and CPU, increasing
the latency through your firewall. You could probably do what you want
by shunting your port 80 packets to userspace and filtering it there.
A proxy really is the best tool for the job; it already has everything
you need and is well-optimized for the task.
Frank
>
> Much Respect to the netfilter team and the OS Community
> SBlaze
>
--
Frank Smith fsmith@hoovers.com
Systems Administrator Voice: 512-374-4673
Hoover's Online Fax: 512-374-4501
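The two objections raised above, Ramin's (a packet-level string match sees individual packets, and in the nat table only the first one of a connection) and Frank's (the URL may be spread over several packets), can be shown in a few lines. The following is an added example, not code from the thread: a simulation in plain Python of one HTTP request arriving as several TCP segments, with a per-packet matcher of the kind the "string" module implements next to the stream reassembly that any TCP endpoint (the web server or a proxy) performs before it parses the request. The packets, the sequence offsets and the ".exe" pattern are constructed sample data.

```python
from typing import List, Tuple

Packet = Tuple[int, bytes]  # (TCP sequence offset, payload)

# Constructed sample: one HTTP request as it might appear on the wire, in
# arrival order. The first packet is the SYN, which carries no data; the
# request itself spans two data segments, and the second one arrives first.
PACKETS: List[Packet] = [
    (0, b""),                                 # SYN: the only packet a nat rule sees
    (20, b"exe HTTP/1.0\r\n"),                # second data segment, arrived early
    (0, b"GET /scripts/sample."),             # first data segment
    (34, b"Host: www.example.test\r\n\r\n"),  # end of the request
]

NEEDLE = b".exe"  # the pattern the thread's iptables rules looked for


def per_packet_match(packets: List[Packet], needle: bytes) -> List[int]:
    """A packet filter's string match: each packet is inspected on its own.
    Returns the sequence offsets of the packets that contain the needle."""
    return [seq for seq, payload in packets if needle in payload]


def first_packet_only_match(packets: List[Packet], needle: bytes) -> bool:
    """What a match placed in the nat table can see: only the first packet of
    the connection, which for TCP is the SYN and carries no payload."""
    _seq, payload = packets[0]
    return needle in payload


def reassemble(packets: List[Packet]) -> bytes:
    """What the endpoint (web server or proxy) does before it parses anything:
    order the segments by sequence number and join them, dropping bytes that
    were already received (retransmissions or overlapping segments)."""
    stream = b""
    for seq, payload in sorted(packets, key=lambda p: p[0]):
        if seq > len(stream):
            raise ValueError(f"gap in stream at offset {len(stream)}")
        stream += payload[len(stream) - seq:]
    return stream


def stream_match(packets: List[Packet], needle: bytes) -> bool:
    """An application-level check sees the whole request, not the packets."""
    return needle in reassemble(packets)


def request_target(stream: bytes) -> bytes:
    """The request target from the HTTP request line, which is what an HTTP
    proxy actually matches against."""
    request_line = stream.split(b"\r\n", 1)[0]
    return request_line.split(b" ")[1]


if __name__ == "__main__":
    print("per-packet matches:  ", per_packet_match(PACKETS, NEEDLE))
    print("nat (first packet):  ", first_packet_only_match(PACKETS, NEEDLE))
    print("reassembled stream:  ", stream_match(PACKETS, NEEDLE))
    print("request target:      ", request_target(reassemble(PACKETS)))
```

Run stand-alone, the per-packet matcher finds nothing because the pattern straddles a segment boundary, the first-packet check finds nothing because the SYN is empty, and the reassembled stream matches. The same boundary effect applies to IP fragments; the point is that the match has to run where the stream is reassembled, which is the endpoint or a proxy, not the packet filter.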
* Re: Need help have some questions...
From: SBlaze @ 2003-08-23 20:51 UTC (permalink / raw)
To: nf
Going to try to fit all my comments for this thread into one email and hope
everyone reads. Here we go.
First off I would like to say a big thanks to Ralf and Ramin. They gave really
good explanations that I needed to see why this hasn't been addressed. While I
still would like to see this kind of functionality in iptables I can see why it
is not.
To those stressing that it would be too much on the CPU and memory I have to
wonder how valid this is. I know it would certainly increase the load but I do
not believe it would overload most systems.
Ralf made some really good points. He says I should use a proxy. Ok so how do I
go about proxying my two web sites that are hosted with apache? Honestly I'm
not being sarcastic, I really don't know. Going along with what Ramin says is
the third level of a fully implemented firewall (the application level), am I to
assume then that it is then to fall to a proxy (I again don't know what sort of
proxy I need here...not sure squid is what I need) or I would really like to
ask should it fall to apache (if so anyone know of how to define what apache
logs?)
A question to Ralf about the second layer of a firewall. Is a circuit relay
also known as a bridge?
Also a question to Ramin. You make note in that last post of basically dealing
with the HTTP protocol on the HTTP application level.... are you referring to
the web server (apache)?
Thanks to all who are helping out. I see a solution coming about. With a
little more help I and some others I know may get there.
Thanks
SBlaze
=====
"Winky is not knowing how sir, winky is not knowing how?" -=Winky / Harry Potter and the Goblet of Fire=-"
* Re: Need help have some questions...
From: Ramin Dousti @ 2003-08-25 3:24 UTC (permalink / raw)
To: SBlaze; +Cc: nf
On Sat, Aug 23, 2003 at 01:51:58PM -0700, SBlaze wrote:
> A question to Ralf about the second layer of a firewall. Is a circuit relay
> also known as a bridge?
In general:
layer 1 -> repeater
layer 2 -> bridge
layer 3 -> router
Now, what does the circuit relay do? Does it just amplify the signal? Or does
it terminate, reconstruct and forward the information?
>
> Also a question to Ramin. You make note in that last post of basically dealing
> with the HTTP protocol on the HTTP application level.... are you referring to
> the web server (apache)?
No. What I said is: Filtering based on the specifics of an application is best
done by a specialized module which knows enough about that particular protocol.
Ramin
>
> Thanks to all who are helping out. I see a solution coming about. With a
> little more help I and some others I know may get there.
>
> Thanks
> SBlaze
>
* Re: Need help have some questions...
From: Ralf Spenneberg @ 2003-08-25 5:54 UTC (permalink / raw)
To: SBlaze; +Cc: Netfilter
On Sat, 2003-08-23 at 22:51, SBlaze wrote:
> Ralf made some really good points. He says I should use a proxy. Ok so how do I
> go about proxying my two web sites that are hosted with apache? Honestly I'm
> not being sarcastic, I really don't know. Going along with what Ramin says is
> the third level of a fully implemented firewall (the application level), am I to
> assume then that it is then to fall to a proxy (I again don't know what sort of
> proxy I need here...not sure squid is what I need) or I would really like to
> ask should it fall to apache (if so anyone know of how to define what apache
> logs?)
Apache can serve as a webserver and as a proxy. You can serve one site
while proxying the other.
>
> A question to Ralf about the second layer of a firewall. Is a circuit relay
> also known as a bridge?
No. A circuit relay is something like a very dumb proxy.
>
> Also a question to Ramin. You make note in that last post of basically dealing
> with the HTTP protocol on the HTTP application level.... are you referring to
> the web server (apache)?
Probably yes. See above.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
* Re: Need help have some questions...
From: SBlaze @ 2003-08-25 20:05 UTC (permalink / raw)
To: Ramin Dousti; +Cc: nf
--- Ramin Dousti <ramin@cannon.eng.us.uu.net> wrote:
> On Sat, Aug 23, 2003 at 01:51:58PM -0700, SBlaze wrote:
>
> > A question to Ralf about the second layer of a firewall. Is a circuit relay
> > also known as a bridge?
>
> In general:
>
> layer 1 -> repeater
> layer 2 -> bridge
> layer 3 -> router
>
> Now, what does the circuit relay do? Does it just amplify the signal? Or does
> it terminate, reconstruct and forward the information?
>
Ralf seems to disagree that the second layer is a bridge... I never thought of a
bridge as a dumb proxy...but that's essentially what it is, right?? Anyway this
isn't really the focus of what I want to know...
> >
> > Also a question to Ramin. You make note in that last post of basically
> dealing
> > with the HTTP protocol on the HTTP application level.... are you referreing
> to
> > web server(apache) ?
>
> No. What I said is: Filtering based on the specifics of an application is
> best
> done by a specialized module which knows enough about that particular
> protocol.
>
> Ramin
So if I understand what Ramin is saying, it is possible to do this with a
module that could be loaded into iptables. Aside from the CPU argument is
there any other reason why this isn't being done? It seems to come up time and
time again.
> >
> > Thanks to all who are helping out. I see a soloution coming about. With a
> > little more help I and some others I know may get there.
> >
> > Thanks
> > SBlaze
Again no one really shed any light on what I'm supposed to do here. What proxy
am I supposed to use? Everyone is saying use a proxy but no one is giving any
specifics as to what kind or what software.
Thanks
SBlaze
=====
"Winky is not knowing how sir, winky is not knowing how?" -=Winky / Harry Potter and the Goblet of Fire=-"
* Re: Need help have some questions...
From: Ralf Spenneberg @ 2003-08-25 20:30 UTC (permalink / raw)
To: SBlaze; +Cc: Netfilter
On Mon, 2003-08-25 at 22:05, SBlaze wrote:
> > Now, what does the circuit relay do? Does it just amplify the signal? Or does
> > it terminate, reconstruct and forward the information?
> >
> Ralf seems to disagree that the second layer is a bridge... I never thought of a
> bridge as a dumb proxy...but that's essentially what it is, right?? Anyway this
> isn't really the focus of what I want to know...
A circuit relay operates on the application layer. A typical circuit relay is
socks. It just forwards connections.
> So if I understand what Ramin is saying, it is possible to do this with a
> module that could be loaded into iptables. Aside from the CPU argument is
> there any other reason why this isn't being done? It seems to come up time and
> time again.
>
You could, if you would write the module. But this is better done in
userspace.
> > >
> Again no one really shed any light on what I'm supposed to do here. What proxy
> am I supposed to use? Everyone is saying use a proxy but no one is giving any
> specifics as to what kind or what software?.
Sure, I did: Use Apache. Apache can work as a webserver for you on your
Linux box and at the same time as a proxy for the Windows box.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
* Re: Need help have some questions...
From: SBlaze @ 2003-08-25 20:39 UTC (permalink / raw)
To: Ralf Spenneberg, nf
--- Ralf Spenneberg <lists@spenneberg.org> wrote:
> On Mon, 2003-08-25 at 22:05, SBlaze wrote:
> > > Now, what does the circuit relay do? Does it just amplify the signal? Or
> does
> > > it terminate, reconstruct and forward the information?
> > >
> > Ralf seems to disagree that the second layer is a bridge... I never though
> of a
> > bridge as a dumb proxy...but thats essentially what it is right?? Anyway
> this
> > isn't really the focus of what I want to know...
> Circuit Relay operates on Application layer. A typical circuit relay is
> socks. It just forwards connections.
>
> > So if I understand what Ramen is saying. It is possible to do this with a
> > module that could be loaded into iptables. Aside from the CPU argument is
> > there any other reason why this isn't being done? It seems to come up time
> and
> > time again.
> >
> You could, if you would write the module. But this is better done in
> userspace.
> > > >
> > Again no one really shed any light on what I'm supposed to do here. What
> proxy
> > am I supposed to use? Everyone is saying use a proxy but no one is giving
> any
> > specifics as to what kind or what software?.
> Sure, I did: Use Apache. Apache can work as a webserver for you on your
> Linux box and at the same time as a proxy for the Windows box.
>
Currently I am using Apache and I have two sites vhosted on it. The only sort of
thing I really use my windows box for is web browsing/multimedia, that sort...it
has no services available to the world. So that's what's confusing me: everyone
says use a proxy but I don't see how using a proxy can stop those
unwanted requests. I'm trying to stop certain requests from reaching my web
server which is my router/firewall/web/file server. So how is a proxy supposed
to help in this case? Everyone says it is but I just don't know much about
"proxying" or proxying solutions for that matter.
Thanks a lot
SBlaze
> Cheers,
>
> Ralf
> --
> Ralf Spenneberg
> RHCE, RHCX
>
> Book: Intrusion Detection für Linux Server http://www.spenneberg.com
> IPsec-Howto http://www.ipsec-howto.org
> Honeynet Project Mirror: http://honeynet.spenneberg.org
=====
"Winky is not knowing how sir, winky is not knowing how?" -=Winky / Harry Potter and the Goblet of Fire=-"
* Re: Need help have some questions...
From: Ralf Spenneberg @ 2003-08-25 20:57 UTC (permalink / raw)
To: SBlaze; +Cc: nf
Am Mon, 2003-08-25 um 22.39 schrieb SBlaze:
> Currently I am using Apache and I have two sites vhosted on it. The only sort of
> thing I really use my Windows box for is web browsing/multimedia, that sort of thing...it
> has no services available to the world. So that's what's confusing me is that
> everyone says use a proxy but I don't see how using a proxy can stop those
> unwanted requests. I'm trying to stop certain requests from reaching my web
> server, which is my router/firewall/web/file server. So how is a proxy supposed
> to help in this case? Everyone says it is but I just don't know much about
> "proxying" or proxying solutions for that matter.
Oh, then I might not remember your original post correctly. Let's see ...
Well, yeah, you are right, you never said you wanted to redirect but just
reject. OK, my fault.
Then you could just put a proxy in between. Run your Apache on 8080 and
run a reverse proxy like Apache or Squid on 80. But I doubt that you
would be happy with it, because it will eat up resources.
Make a long thread short:
There is no good way to do it on one machine. Since you are using Apache
and not IIS, you will be fine. If the log messages annoy you, bad luck.
This is just life if you don't filter the request first using a proxy.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
* Re: Need help have some questions...
From: Ramin Dousti @ 2003-08-25 22:35 UTC (permalink / raw)
To: Ralf Spenneberg; +Cc: SBlaze, Netfilter
On Mon, Aug 25, 2003 at 10:30:28PM +0200, Ralf Spenneberg wrote:
> Circuit Relay operates on Application layer. A typical circuit relay is
> socks. It just forwards connections.
OK. I think we were talking about apples and oranges here. What you call
a "Circuit Relay" is just an "Application Gateway" and has nothing to do
with circuits ;-) I must keep up with the new jargon, I guess...
But having all these terminologies (which are mostly just a marketing
attempt to make things more interesting) confuses me when I read emails
saying a "Circuit Relay" is a "bridge" or a "dumb proxy".
Let's just call things uniquely what they are... We're not trying to sell
something here, are we?
Ramin
* Re: Need help have some questions...
From: Ramin Dousti @ 2003-08-25 22:40 UTC (permalink / raw)
To: Ralf Spenneberg; +Cc: SBlaze, nf
On Mon, Aug 25, 2003 at 10:57:05PM +0200, Ralf Spenneberg wrote:
> Oh, then I might not remember your original post correctly. Let's see ...
> Well, yeah, you are right, you never said you wanted to redirect but just
> reject. OK, my fault.
> Then you could just put a proxy in between. Run your Apache on 8080 and
> run a reverse proxy like Apache or Squid on 80. But I doubt that you
> would be happy with it, because it will eat up resources.
> Make a long thread short:
> There is no good way to do it on one machine. Since you are using Apache
> and not IIS, you will be fine. If the log messages annoy you, bad luck.
> This is just life if you don't filter the request first using a proxy.
OK. If SBlaze is running Apache, why not use the powerful rewrite rules
of "the great" Apache to keep the bad guys away? No need for a
"circuit relay" ;) or a "dumb bridge" ;)
Ramin
> Cheers,
>
> Ralf
* Re: Need help have some questions...
From: SBlaze @ 2003-08-25 22:53 UTC (permalink / raw)
To: Ramin Dousti, Ralf Spenneberg; +Cc: SBlaze, nf
--- Ramin Dousti <ramin@cannon.eng.us.uu.net> wrote:
> On Mon, Aug 25, 2003 at 10:57:05PM +0200, Ralf Spenneberg wrote:
>
> > Oh, then I might not remember your original post correctly. Let's see ...
> > Well, yeah, you are right, you never said you wanted to redirect but just
> > reject. OK, my fault.
> > Then you could just put a proxy in between. Run your Apache on 8080 and
> > run a reverse proxy like Apache or Squid on 80. But I doubt that you
> > would be happy with it, because it will eat up resources.
> > Make a long thread short:
> > There is no good way to do it on one machine. Since you are using Apache
> > and not IIS, you will be fine. If the log messages annoy you, bad luck.
> > This is just life if you don't filter the request first using a proxy.
>
> OK. If SBlaze is running Apache, why not use the powerful rewrite rules
> of "the great" Apache to keep the bad guys away? No need for a
> "circuit relay" ;) or a "dumb bridge" ;)
>
> Ramin
>
> > Cheers,
> >
> > Ralf
>
What are these rewrite rules you are talking about? I have never heard of such a thing.
What do they do? How do they work?
SBlaze
=====
"Winky is not knowing how sir, winky is not knowing how?" -=Winky / Harry Potter and the Goblet of Fire=-"
* Re: Need help have some questions...
From: Ramin Dousti @ 2003-08-25 23:02 UTC (permalink / raw)
To: SBlaze; +Cc: Ramin Dousti, Ralf Spenneberg, nf
On Mon, Aug 25, 2003 at 03:53:09PM -0700, SBlaze wrote:
> > OK. If SBlaze is running Apache, why not use the powerful rewrite rules
> > of "the great" Apache to keep the bad guys away? No need for a
> > "circuit relay" ;) or a "dumb bridge" ;)
> >
> > Ramin
> >
> > > Cheers,
> > >
> > > Ralf
> >
> What are these rewrite rules you are talking about? I have never heard of such a thing.
As Ralf already noted, if you're running Apache on Linux you need not fear
the worms/viruses/... But just to be guarded against the "bad guys"
you can use the rewrite rules in
http://httpd.apache.org/docs/mod/mod_rewrite.html
to do neat stuff like redirecting a client's request to a blackhole (if the
client really is a browser). Take a look at the doc. It really is a must-read
for people using Apache...
Ramin
> What do they do? How do they work?
>
> SBlaze
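Putting the two suggestions in this thread side by side, here is an added example that is not from the thread or from any of its authors: an Apache virtual host on port 80 that uses mod_rewrite to refuse the unwanted requests and hands everything else to the real server on port 8080, as Ralf described. The Rewrite* lines alone are the "rewrite rules" Ramin refers to and work just as well inside the existing vhost on port 80 with no proxy at all. The hostname www.example.org, the log file paths, the use of 127.0.0.1:8080 for the backend, and the particular request paths treated as worm probes (well-known IIS worm paths such as /default.ida, cmd.exe and root.exe, chosen for illustration, not a complete list) are all assumptions; the example also assumes mod_rewrite, mod_proxy, mod_proxy_http and mod_setenvif are loaded.

```apache
# Added example, not from the thread. Front end on port 80 that filters
# requests with mod_rewrite and reverse-proxies the rest to the content
# server, which is assumed to have been moved to "Listen 127.0.0.1:8080".
# Assumes mod_rewrite, mod_proxy, mod_proxy_http and mod_setenvif are loaded.
# www.example.org and the log paths are placeholders.
Listen 80
<VirtualHost *:80>
    ServerName www.example.org

    # Reverse proxy only: never relay arbitrary client requests outward.
    ProxyRequests Off
    # Pass the client's Host: header through so the backend vhosts still match.
    ProxyPreserveHost On

    RewriteEngine On
    # Requests that only an IIS worm would send (Code Red's /default.ida,
    # Nimda's cmd.exe/root.exe and /scripts/ probes) never belong on this
    # host. Illustrative patterns, not a complete signature set.
    RewriteCond %{REQUEST_URI} ^/default\.ida                [NC,OR]
    RewriteCond %{REQUEST_URI} /(cmd|root)\.exe              [NC,OR]
    RewriteCond %{REQUEST_URI} ^/(scripts|_vti_bin|msadc)/   [NC]
    # "-" leaves the URI alone; [F] answers 403 Forbidden immediately and
    # ends rewriting, so the request never reaches the backend on 8080.
    RewriteRule .* - [F]

    # Variant: answer 410 Gone instead. A real browser treats that as
    # "permanently dead" rather than "forbidden" and stops retrying.
    # RewriteRule ^/default\.ida - [G]

    # Everything that passed the filter goes to the real web server.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Keep the refused probes out of the main access log (the "log messages"
    # Ralf mentions) by tagging them and writing them to their own file.
    SetEnvIf Request_URI "(default\.ida|cmd\.exe|root\.exe)" worm_probe
    CustomLog /var/log/httpd/worm_probes.log combined env=worm_probe
    CustomLog /var/log/httpd/access.log      combined env=!worm_probe
</VirtualHost>
```

If you keep a single Apache on port 80, which is Ramin's point that no proxy is needed, drop the Listen and Proxy* lines and put the Rewrite*, SetEnvIf and CustomLog lines into the existing vhost; the filtering is identical, only the request is refused inside the same process instead of one hop earlier. The separate worm_probes.log is also the file to watch if you want to know how often the box is being scanned without wading through normal traffic.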