Graham Wheeler wrote
>
> Ah, but a stateful filter can also block content (not by removing it,
> but simply by renaming the tags in the packets, for example by changing
> the first character). It's harder to do, as the data stream isn't
> necessarily in-order, but it's been done.

A filter can do anything, but the development cost is considerable.
Parsing non-contiguous kernel memory buffers is a lot of pain and is
a source of bugs.

Actually, the difference between a filter and a proxy is not that one
is kernel based (or stack based) and the other user based, since any
functionality that may be coded in user-land may be coded in kernel-heaven
and vice-versa. The difference is between current implementations of these
beasts, and is justified by practical considerations and philosophical
choices....

> It's actually a lot easier to `filter' active content by renaming than
> by actually removing it. I wrote the code in our application proxy that
> removes such content, and it was quite a challenge. I kicked myself
> afterwards when I realised I could have just used renaming.

The problem with the renaming approach is that the user can set up a proxy
that replaces any unknown tag by, say, <script> or </script> (alternatively
and depending on context...).
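As an added illustration of both points in this exchange (example code, not from the thread or either author): a renaming filter next to a removal filter, and a stateful chunked version that holds back a tag cut by a packet boundary. The tag list, the `x-` prefix and the sample page are constructed.

```python
import re
from typing import Iterable, Iterator

# Tag names treated as active content. Constructed for this example.
ACTIVE_TAGS = ("script", "object", "embed", "applet")
_NAMES = "|".join(ACTIVE_TAGS)
_TAG_RE = re.compile(r"<(/?)(%s)\b" % _NAMES, re.IGNORECASE)
_ELEMENT_RE = re.compile(r"<(%s)\b[^>]*>.*?</\1\s*>" % _NAMES,
                         re.IGNORECASE | re.DOTALL)

# Constructed sample page, and the same page split into three "packets"
# so that an open tag and a close tag each straddle a boundary.
SAMPLE = "<html><body><p>hi</p><script>alert(1)</script><b>x</b></body></html>"
CHUNKS = ["<html><body><p>hi</p><scr", "ipt>alert(1)</scr",
          "ipt><b>x</b></body></html>"]


def rename_tags(html: str) -> str:
    """Renaming filter: prefix the tag name so the browser no longer
    recognises it. Every byte of the original, script body included, is
    still present in the output; that is what makes renaming cheap, and
    also what lets anything downstream undo it."""
    return _TAG_RE.sub(lambda m: "<%sx-%s" % (m.group(1), m.group(2)), html)


def remove_active(html: str) -> str:
    """Removal filter: delete the whole element, body included."""
    return _ELEMENT_RE.sub("", html)


def stream_rename(chunks: Iterable[str]) -> Iterator[str]:
    """Renaming filter over a chunked stream. A tag can be cut by a packet
    boundary, so a trailing '<...' with no '>' yet is held back and
    prepended to the next chunk instead of being emitted unfiltered."""
    pending = ""
    for chunk in chunks:
        buf = pending + chunk
        cut = buf.rfind("<")
        if cut != -1 and ">" not in buf[cut:]:
            pending, buf = buf[cut:], buf[:cut]   # incomplete tag: defer it
        else:
            pending = ""
        yield rename_tags(buf)
    if pending:                                   # stream ended mid-tag
        yield rename_tags(pending)


def naive_stream_rename(chunks: Iterable[str]) -> str:
    """Stateless per-packet filtering: misses a tag split across packets."""
    return "".join(rename_tags(c) for c in chunks)
```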