On Sat, 6 Oct 2001, Rick Green wrote:
I, too, would like to know how to go about creating such a filter using iptables. The ZoneAlarm package for Windows filters based on program name for outgoing connections, but I have not seen anything short of a sniffer or tcpdump that will look at the packet content itself. I can't even imagine the processor overhead required to parse the content of every outgoing packet!
iptables/ipchains doesn't have the ability to look into packets, so it can't really be used for this. I quizzed him about it yesterday. The packet filter provided by zeroknowledge (which runs on the windows box) has the capabilities to look into the packets and match against regular expressions provided by the operator, and that was the one that lit up when he started media player. On the BSD firewall, he's using BPF (Berkeley Packet Filter), which bounces packets through a user-supplied filtering program. The user-supplied filtering program, in this case, is a ten-line "main" routine plus a parser created by lex (flex, to linux systems). The parser is a routine called yylex, which efficiently implements a search for any of the regular expressions provided by the operator. So, it's not actually protocol-parsing, but it is looking for packets that contain regular expressions he's provided, which include such things as program names, passwords, email addresses, etc. Obviously there is overhead, but the outgoing packet stream is quite small compared to the incoming packet stream, and he says it's not a problem.

Ray Dillinger
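The egress filter Ray describes, as an added illustration that is not code from either poster: a user-supplied program receives raw outbound packets, strips the IPv4/TCP headers to reach the payload, and runs one combined scanner over it for any of the operator's patterns (a program name, a sample secret, an email address). Python's `re` alternation plays the role of the lex-generated `yylex` here, a single pass per packet rather than one pass per pattern; the packets, watchlist entries and addresses are all constructed sample values, and the packet-delivery side (BPF hooking) is assumed, not shown.

```python
import re
import struct
from typing import List, Optional, Tuple

# Operator-supplied patterns, one per category the message mentions.
# All values are constructed for this example.
WATCHLIST = {
    "email": rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "program_name": rb"(?i:\bwmplayer\.exe\b)",   # hypothetical program name
    "password": rb"hunter2",                         # constructed sample secret
}

# One compiled alternation of named groups: like a lex-built scanner, a single
# automaton finds whichever pattern occurs, in one sweep over the payload.
SCANNER = re.compile(
    b"|".join(b"(?P<%s>%s)" % (name.encode(), pat) for name, pat in WATCHLIST.items())
)


def tcp_payload(packet: bytes) -> Optional[bytes]:
    """Return the TCP payload of a raw IPv4 packet, or None if it is not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]  # trims any link-layer padding
    if packet[9] != 6 or len(packet) < ihl + 20:     # protocol 6 = TCP
        return None
    data_off = (packet[ihl + 12] >> 4) * 4           # TCP header length in bytes
    return packet[ihl + data_off:total_len]


def inspect(packet: bytes) -> List[Tuple[str, bytes]]:
    """List (category, matched text) for every watchlist hit in the packet payload."""
    payload = tcp_payload(packet)
    if payload is None:
        return []
    return [(m.lastgroup, m.group(0)) for m in SCANNER.finditer(payload)]


def verdict(packet: bytes) -> str:
    """Filter decision for one outbound packet: drop on any hit, otherwise pass."""
    return "drop" if inspect(packet) else "pass"


def build_ipv4_tcp(payload: bytes, proto: int = 6) -> bytes:
    """Construct a minimal IPv4 packet (TEST-NET addresses, zero checksums) for testing."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    # TCP header with data offset 5 (20 bytes), flags PSH|ACK, no options.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload


# Constructed outbound packets: one carrying the watched program name, one an
# email address, one innocuous, and one UDP packet the filter does not parse.
PKT_PROGRAM = build_ipv4_tcp(b"GET /stream HTTP/1.1\r\nUser-Agent: WMPlayer.exe\r\n\r\n")
PKT_EMAIL = build_ipv4_tcp(b"From: alice@example.com\r\n")
PKT_CLEAN = build_ipv4_tcp(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
PKT_UDP = build_ipv4_tcp(b"hunter2", proto=17)

if __name__ == "__main__":
    for name, pkt in [("program", PKT_PROGRAM), ("email", PKT_EMAIL),
                      ("clean", PKT_CLEAN), ("udp", PKT_UDP)]:
        print(name, verdict(pkt), inspect(pkt))
```

Because the scanner runs over every outbound payload, the cost per packet is one linear pass, which is why the small outbound stream is tolerable even though the same treatment on the inbound side would not be. Note that the UDP packet carrying the sample secret passes untouched: a payload filter only covers the protocols it actually parses.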