Re: [SLUG] Looking for a firewall

From: Andrew M Hoerter (amh@pobox.com)
Date: Sat Aug 09 2003 - 12:38:13 EDT


On Sat, 9 Aug 2003 thor_consulting@yahoo.com wrote:

> I don't think this is a good idea - filtering packets based on arbitrary
> strings, that is.

For one thing, unless your firewall can buffer TCP connections in memory
(i.e. store packets just as it would to reassemble fragments before
delivery), it's very easy to evade this kind of filtering. Just send the
"evil" string a couple bytes at a time, so each individual packet doesn't
match the payload filter. Or the TCP segments could be sent out of order.
You'd almost have to reimplement TCP in the firewall software to actually
do this right (and I suspect most commercial firewalls do it the stupid
way just so they can have the feature on their list).

UDP is easier but that's not really applicable to HTTP of course.

The original poster may not want an HTTP proxy, but that's really the best
way to enforce these kinds of protocol-level restrictions. If it's the
reconfiguration of clients that's holding you back, proxies can be
transparent.
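An added illustration of the point made above (example code, not part of the original message): a minimal TCP stream reassembler that orders segments by sequence number before matching, next to the naive per-segment check. The request, the policy string and the segment sizes are constructed for the example; sequence numbers are relative to the start of the stream.

```python
# Constructed policy string and request; not taken from the mailing list post.
PATTERN = b"blocked-string"
REQUEST = b"GET /?q=blocked-string HTTP/1.0\r\n"


def build_segments(data, chunk, start_seq=1):
    """Construct test input: consecutive TCP segments of `chunk` bytes each."""
    return [(start_seq + i, data[i:i + chunk]) for i in range(0, len(data), chunk)]


def per_packet_match(segments, pattern=PATTERN):
    """Naive filter: inspects each segment payload in isolation.
    Misses any pattern that spans a segment boundary."""
    return any(pattern in payload for _, payload in segments)


def reassemble(segments):
    """Order segments by sequence number and stitch the byte stream.
    Returns (stream, complete). complete is False while a hole remains,
    i.e. the filter must keep buffering rather than decide on partial data.
    Overlapping/retransmitted bytes are trimmed, keeping the first copy."""
    ordered = sorted(segments, key=lambda s: s[0])
    stream = bytearray()
    expected = ordered[0][0] if ordered else 0
    for seq, payload in ordered:
        if seq > expected:              # gap: a segment has not arrived yet
            return bytes(stream), False
        overlap = expected - seq        # bytes already seen in an earlier segment
        stream += payload[overlap:]
        expected = max(expected, seq + len(payload))
    return bytes(stream), True


def stream_match(segments, pattern=PATTERN):
    """Stream-aware filter: only matches once the stream is contiguous."""
    stream, complete = reassemble(segments)
    return complete and pattern in stream


if __name__ == "__main__":
    segs = build_segments(REQUEST, 4)
    print("per-packet:", per_packet_match(segs))          # False: split across segments
    print("reassembled:", stream_match(segs))              # True
    print("out of order:", stream_match(list(reversed(segs))))  # True
```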
