From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: moblock
Date: Thu, 25 Sep 2008 11:36:59 -0500 [thread overview]
Message-ID: <48DBBE2B.1070603@riverviewtech.net> (raw)
In-Reply-To: <48DBA637.3020001@gmail.com>
On 09/25/08 09:54, Brent Clark wrote:
> But what I have to do is that I keep having to remind myself is that
> iptables is for layer 3 /4 operation. But then what does layer 7 control?
Keep in mind that IPTables can filter on layers 2, 3, 4, and 7,
depending on how it is used.
> Well it seems to be the way to go, look at other tools like snort
> inline. And also whats interesting is that I see some of the BSD lot use
> / recommend this type of filtering (snort2pf).
I'm not saying that there is any thing wrong with moblock. I just find
it a little odd that we are passing traffic from kernel space to user
space to filter (as I (mis)understood it) by IP, a layer 3 address. So
I guess my question is why not just filter with IPTables on layer 3?
Why pass from kernel space to user space to do the filtering if we don't
have to.
Now, if one of moblock's advantages is that it can take pre-generated
files of IPs to filter and use them directly, then that is a plus. I
would just be more interested in something that could feed those IPs in
to something like an IP Set and do the filtering in kernel space.
It is my (mis)understanding that Snort (and the likes) do a lot more
than simple layer 2 / 3 / 4 / 7 filtering. I.e. they take notice of a
LOT more different things including timing between what is done. In
some ways I look at things like Snort as doing stateful filtering across
multiple layers as a whole rather than each layer individually. There
is also the added advantage that things like Snort tend to be platform
agnostic and thus easier to update where as IPTables / pf / etc are
platform dependent and not portable.
Back to above, I'd be very interested in something that could translate
the guarding.p2p and p2p.p2b files in to something like an IPSet. I
think that would be a wonderful use. Download platform independent
libraries and then translate them in to platform dependent and native in
kernel filtering. Just my $0.02 worth.
Grant. . . .
prev parent reply other threads:[~2008-09-25 16:36 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-25 11:18 moblock Brent Clark
2008-09-25 14:13 ` moblock Grant Taylor
2008-09-25 14:54 ` moblock Brent Clark
2008-09-25 16:36 ` Grant Taylor [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48DBBE2B.1070603@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox