netfilter.vger.kernel.org archive mirror
From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Dose netfilter can intercept the http method like the GET and POST?
Date: Sat, 24 Apr 2010 00:35:04 -0500	[thread overview]
Message-ID: <4BD28308.3010302@riverviewtech.net> (raw)
In-Reply-To: <m2w28efc0211004231920o2345ee66w3d39329cc73bad95@mail.gmail.com>

supercodeing35271 supercodeing35271 wrote:
> Hi, I am just thinking about whether netfilter could do application 
> layer protection. Assume there is a website whose server is 
> Apache/Tomcat, and the browser submits an http/jsp form which 
> contains a malicious string for a SQL or XSS attack. Now the netfilter 
> program on the website server gets the string before it is sent to Tomcat 
> and checks the string. So could this be done? And how to do it with 
> netfilter?

NetFilter does have some layer 7 capabilities that can be used to do 
this.  However, it will be difficult (at best?) to do it very well.

I think you would be far better off using some sort of reverse proxy 
that is meant to work at the application layer.  I.e. Squid, or Apache, 
or Nginx, or the likes.

For NetFilter to be able to do what you are wanting, you will possibly 
have to deal with fragmented packets designed to thwart the kind of 
filtering you want to do.

Whereas with an application layer gateway / reverse proxy, it will 
receive the request, re-assemble it, run a sanity check on it (against 
rules that you can easily define) and then pass only the valid requests 
on in to your back end web server.



Grant. . . .
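The two points Grant makes above (a packet-level string match can be defeated by splitting the payload across packets, while a reverse proxy reassembles and decodes the request before checking it) can be shown side by side. The following is an added example written for this archive page, not code from the thread or from the netfilter project. It does not touch netfilter at all: `split_into_segments` merely simulates TCP segmentation, `per_segment_match` stands in for a per-packet payload match such as iptables' `-m string` (which searches each packet on its own and does not reassemble the TCP stream), and `inspect_request` does what an application layer proxy would do. The HTTP request, the field names and the rule list are constructed for the demonstration.

```python
import re
import urllib.parse

# Constructed sample: a form POST to a hypothetical /login.jsp carrying a
# classic SQL-injection payload in the "user" field. On the wire the body is
# URL-encoded, so the quote characters arrive as %27 and spaces as '+'.
BODY = b"user=admin%27+OR+%271%27%3D%271&pw=x"
RAW_REQUEST = (
    b"POST /login.jsp HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n" + BODY
)


def split_into_segments(data: bytes, cut_points):
    """Simulate TCP segmentation: split the byte stream at the given offsets."""
    segments, prev = [], 0
    for cut in list(cut_points) + [len(data)]:
        segments.append(data[prev:cut])
        prev = cut
    return segments


def per_segment_match(segments, needle: bytes) -> bool:
    """What a per-packet string match sees: each segment is searched on its
    own, so a needle that straddles a segment boundary is never found."""
    return any(needle in seg for seg in segments)


def reassembled_match(segments, needle: bytes) -> bool:
    """Same search after the stream has been reassembled."""
    return needle in b"".join(segments)


def parse_form_post(raw: bytes):
    """Minimal parser for a reassembled HTTP request with a form-encoded body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    body = body[: int(headers.get("content-length", "0"))]
    # parse_qs undoes the URL-encoding, so rules below see the decoded values.
    fields = urllib.parse.parse_qs(body.decode("utf-8", "replace"),
                                   keep_blank_values=True)
    return method.decode(), target.decode(), headers, fields


# Constructed rule list; a real deployment would use a maintained rule set.
RULES = [
    ("sqli-quote-or", re.compile(r"'\s*or\s*'", re.IGNORECASE)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
]


def inspect_request(raw: bytes):
    """Reverse-proxy style check: reassemble, parse, decode, then apply the
    rules to every form field. Returns ("block"|"allow", [(rule, field), ...])."""
    _method, _target, _headers, fields = parse_form_post(raw)
    hits = [(rule_name, field)
            for field, values in fields.items()
            for value in values
            for rule_name, rx in RULES if rx.search(value)]
    return ("block" if hits else "allow"), hits


def demo():
    """Cut the stream between the 'O' and 'R' of 'OR' so the wire-level
    needle spans two segments, then compare the three approaches."""
    wire_needle = b"%27+OR+%27"          # the payload as a packet filter sees it
    head, _, _ = RAW_REQUEST.partition(b"\r\n\r\n")
    body_start = len(head) + 4
    cut = body_start + RAW_REQUEST[body_start:].index(b"OR") + 1
    segments = split_into_segments(RAW_REQUEST, [cut])
    return {
        "per_segment": per_segment_match(segments, wire_needle),   # False
        "reassembled": reassembled_match(segments, wire_needle),   # True
        "proxy_decision": inspect_request(b"".join(segments)),     # ("block", ...)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two things the run makes visible: the per-segment search misses the payload entirely once the attacker chooses the split point, and even the reassembled byte search only works because the needle was written in the exact encoding the client used (`%27+OR+%27`); the proxy-side check decodes the form first, so `' OR '` is matched regardless of how the quotes and spaces were encoded on the wire.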


Thread overview: 2+ messages
2010-04-24  2:20 Dose netfilter can intercept the http method like the GET and POST? supercodeing35271 supercodeing35271
2010-04-24  5:35 ` Grant Taylor [this message]
