Hi folks, BLeonhardt@analytek.de wrote:
I'm looking for a possibility to look into the data with iptables, not proxies or anything; proxies are too slow ... imho
Then you are wrong imho, it's a lot about configuration. Using the string filtering in iptables is possible, but this will eat speed as a proxy will. Looking at commercial products like GeNUGate, the use of proxies is quite common. On a GeNUGate (basically an Intel BSD system) every connection goes over a proxy and it's not slow. Also it's considered wise to separate packet filtering and application level gateways. I guess that's just blah blah of security guys, well.
If somebody is interested in the definition of Stateful Inspection I could send you a sheet by Checkpoint (they developed stateful inspection) where it is defined exactly what stateful inspection is, and what it does.
So Checkpoint has the patent on what's stateful and what is not ;)? btw. filtering *single* packets based on strings that are contained within them is not stateful, and has nothing to do with statefulness, since only this packet is inspected. If you would drop/disallow a connection based on keywords, this would be stateful. Oops, that's what a proxy/application level filter does for you :)

Another issue (and I'm not sure about this, somebody with more knowledge is invited to jump in): if you drop *single* packets out of a stream of packets, what happens? Let's say you drop the third packet because it matches the keyword. Would the sender not try to resend the packet because he gets no ACK for it? And based on the implementation try to resend it again until it times out? This would result in increased network traffic?

peace, Tom