Mailinglist Archive: opensuse-security (274 mails)

re: IPTables and filtering Traffic based on
  • From: Thomas Seliger <CRJLJAKTJORB@xxxxxxxxxxxxx>
  • Date: Mon, 25 Aug 2003 14:41:52 +0200
  • Message-id: <3F4A0410.2050103@xxxxxxxxxxxxx>
Hi folks,

BLeonhardt@xxxxxxxxxxx wrote:

> I'm looking for a possibility to look into the data with iptables, not proxies or anything - proxies are too slow ... imho

then you are wrong imho, it's a lot about configuration. Using the string
filtering in iptables is possible, but this will eat speed as a proxy
will. Looking at commercial products like GeNUGate, the use of proxies is
quite common. On a GeNUGate (basically an Intel BSD system) every
connection goes over a proxy and it's not slow. Also it's considered wise
to separate packet filtering and application level gateways. I guess
that's just blahblah of security guys, well.

> if somebody is interested in the definition of Stateful Inspection I
> could send you a sheet by Checkpoint (they developed stateful
> inspection) where exactly is defined what stateful inspection is - and
> what it does.

So Checkpoint has the patent on what's stateful and what is not ;)?

btw. filtering *single* packets based on strings that are contained within is not stateful, and has nothing to do with statefulness, since only this packet is inspected. If you would drop/disallow a connection based on keywords, this would be stateful. Oops, that's what a proxy/application level filter does for you :)

another issue (and I'm not sure about this, somebody with more knowledge is invited to jump in):

if you drop *single* packets out of a stream of packets, what happens? Let's say you drop the third packet because it matches the keyword. Would the sender not try to resend the packet because he gets no ACK for it? And, based on the implementation, try to resend it again until it times out? This would result in increased network traffic?

peace,
Tom
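
Below is a small simulation added by the editor, not code from the thread or from any poster, to illustrate the last question: what a stateless per-packet keyword drop does to a TCP sender, compared with a connection-level abort of the kind a proxy or application level gateway would perform. The stop-and-wait sender, the retry limit, the filter names and the sample segments are all constructed assumptions; real TCP adds backoff and windowing, but the effect on packet counts is the same.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Segment:
    seq: int        # first byte offset carried by this segment
    payload: bytes

@dataclass
class Stats:
    sent: int = 0            # segments the sender put on the wire
    delivered: int = 0       # segments that reached the receiver
    retransmits: int = 0     # sends beyond a segment's first attempt
    aborted: bool = False    # connection torn down by the filter
    timed_out: bool = False  # sender gave up after max_retries

Verdict = str  # "pass", "drop" or "abort"

def stateless_keyword_drop(keyword: bytes) -> Callable[[Segment], Verdict]:
    """Per-packet rule in the style of an iptables string match: each
    segment is judged on its own payload and silently dropped on a hit.
    No connection state is kept (constructed model, not netfilter code)."""
    return lambda seg: "drop" if keyword in seg.payload else "pass"

def connection_abort_on_keyword(keyword: bytes) -> Callable[[Segment], Verdict]:
    """Connection-level policy, the behaviour of a proxy or application
    level gateway: the first hit ends the whole connection (e.g. a reset
    to the sender) so nothing is left hanging and retrying."""
    return lambda seg: "abort" if keyword in seg.payload else "pass"

def pass_all(seg: Segment) -> Verdict:
    """Baseline: no filtering at all."""
    return "pass"

def run_transfer(segments, decide, max_retries=5) -> Stats:
    """Stop-and-wait sender (assumption): each segment is resent until it
    is ACKed; after max_retries unanswered resends the sender gives up,
    the 'until it times out' case from the question."""
    stats = Stats()
    for seg in segments:
        for attempt in range(1, max_retries + 2):  # original + retries
            stats.sent += 1
            if attempt > 1:
                stats.retransmits += 1
            verdict = decide(seg)
            if verdict == "pass":
                stats.delivered += 1   # receiver ACKs, move to next segment
                break
            if verdict == "abort":
                stats.aborted = True   # sender sees the reset and stops
                return stats
            # "drop": no ACK ever arrives, retransmission timer fires again
        else:
            stats.timed_out = True     # every attempt was dropped
            return stats
    return stats

# Constructed sample stream: five 16-byte segments, the third one
# carries the keyword the filter is looking for.
SAMPLE_SEGMENTS: List[Segment] = [
    Segment(0,  b"GET /report HTTP"),
    Segment(16, b"/1.0 plain data "),
    Segment(32, b"contains secret "),
    Segment(48, b"more plain data "),
    Segment(64, b"end of message  "),
]

def compare(keyword: bytes, segments=SAMPLE_SEGMENTS, max_retries=5) -> Dict[str, Stats]:
    """Run the same stream through no filter, the stateless drop rule and
    the connection abort policy so the packet counts can be compared."""
    return {
        "no_filter": run_transfer(segments, pass_all, max_retries),
        "stateless_drop": run_transfer(segments, stateless_keyword_drop(keyword), max_retries),
        "connection_abort": run_transfer(segments, connection_abort_on_keyword(keyword), max_retries),
    }

if __name__ == "__main__":
    for name, s in compare(b"secret").items():
        print(f"{name:17s} sent={s.sent} delivered={s.delivered} "
              f"retransmits={s.retransmits} aborted={s.aborted} timed_out={s.timed_out}")
```

With the constructed stream, the stateless drop leaves the sender resending the blocked segment until it gives up (8 segments on the wire for 2 delivered, 5 of them retransmissions), while aborting the connection on the first hit stops traffic after 3 segments. That is the extra traffic the question asks about, and it is one cost of per-packet string matching that a connection-aware filter does not pay.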

