On Thursday 23 May 2002 1:59 pm, [EMAIL PROTECTED] wrote:
> Simon Brooke said:
> >
> > What I'm looking for is an open source (preferably GPL) project to
> > build a proxy-type filter to interwork with netfilter so that
> > packets addressed to selected ports can be buffered until enough
> > information has been read to determine whether or not they are SOAP
> > requests, and then, if they are, to filter them based on content
> > details such as, for example, the XML namespaces declared.
>
> Are you sure you want to do this at the netfilter level? Netfilter
> will allow you to redirect packets through a user space handler, but
> that seems inefficient if you're dealing with volumes of traffic. Why
> not just deal with it at the application level with a proxy-type
> solution and leave netfilter out of this particular loop? Maybe there
> is something you could do with squid?
I think I want to do it at user-space-handler-over-netfilter level.
Reason? Suppose we have a network topology like this:

    A       B   C   D
    |       |   |   |
    +-------+---+---+-------+
    |      [firewall]       |
    +-------+---+---+-------+
    |       |   |   |
    W       X   Y   Z

We'll suppose A, B, C and D are 'our' hosts, and W, X, Y and Z are
'their' (untrusted) hosts. Furthermore, we know our own network well
enough to know that we can't absolutely guarantee that the user of node
'C', a laptop plugged in on a hot desk, hasn't loaded some godawful crap
onto his machine while at home, and the user of node 'D', an accountant
who fancies himself as a spreadsheet guru, hasn't played about with the
'web services' bits of the Excel scripting stuff.

Meantime, host 'A' is our accounts department machine, which is allowed
to send and receive billing enquiries via SOAP, and host 'B' is our
warehouse server, which is allowed to send and receive stock level
enquiries via SOAP.

So some types of SOAP message sent to host 'A' are valid, but all others
should be blocked; and any SOAP messages sent to 'C' and 'D' may be
blocked.

Now I can perfectly easily see that we can require all 'our' hosts to
use a proxy server, and refuse to route outward packets to port 80
unless they come from the proxy server; and I can see how we can route
all inbound packets destined to port 80 to a proxy server. But I don't
see how the proxy server can then discriminate which of our hosts the
message (if allowed) should be routed on to. This may, of course, be
because I'm stupid. If I am, please say so.

So it seems to me that the best thing to do is to get netfilter to hand
off port 80 (or other designated ports) to a user space handler, and for
that user space handler to buffer the requests until it has enough
information to make a block or pass decision.

Yes, I agree that this is going to take some horsepower...

> I've seen it mentioned on a GNU mailing list somewhere. Try checking
> out freshmeat and sourceforge first?

I'd already checked.
Sadly, no project on either Freshmeat or Sourceforge matches both
'Firewall' and 'SOAP'. This may, of course, mean that I'm beating up the
wrong tree. There is a project called 'proxy' at
<URL: https://sourceforge.net/projects/proxy > which claims to be '...an
IP filtering proxy server for Linux...' and which I'll have a look at.
Anyone know anything about this?

Cheers

Simon

-- 
[EMAIL PROTECTED] (Simon Brooke) http://www.jasmine.org.uk/~simon/

Morning had broken, and there was nothing we could do but wait patiently
for the RAC to arrive.
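As an added example, not code from this thread or from the 'proxy' project Simon mentions, here is the block-or-pass decision that such a user-space handler would run over the buffered client-to-server bytes. It is plain Python with the standard library only; the netfilter hook that hands the bytes over (ipt_QUEUE/libipq in 2002, NFQUEUE today) is left out, and the decision logic is the same whether the bytes arrive from a queue target or from a transparent proxy. The host addresses, the `urn:example:*` namespace URIs, the `POLICY` table and the sample requests are assumptions constructed for the example and map onto hosts A to D in the diagram above.

```python
"""Block-or-pass logic for a SOAP-aware filter between netfilter and the
destination host: buffer the client->server half of a flow until a whole
HTTP request is present, check the body for a SOAP envelope, and compare
the XML namespaces it declares with a per-destination-host policy."""
import xml.etree.ElementTree as ET
from io import BytesIO

SOAP_ENVELOPE_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",     # SOAP 1.2
}
# Namespaces any envelope may declare that say nothing about the application.
INFRASTRUCTURE_NS = SOAP_ENVELOPE_NS | {
    "http://schemas.xmlsoap.org/soap/encoding/",
    "http://www.w3.org/2001/XMLSchema",
    "http://www.w3.org/2001/XMLSchema-instance",
}
# Hypothetical policy (addresses and URIs constructed for this example):
# destination -> application namespaces it may receive. An empty set, or
# an unlisted host, means no SOAP at all.
POLICY = {
    "10.0.0.1": {"urn:example:billing"},   # host A, accounts: billing enquiries
    "10.0.0.2": {"urn:example:stock"},     # host B, warehouse: stock-level enquiries
    "10.0.0.3": set(),                     # host C, the hot-desk laptop
    "10.0.0.4": set(),                     # host D, the spreadsheet guru
}
MAX_BUFFER = 1 << 20   # per-flow cap: a client must not make the filter hoard memory


def parse_request(buf):
    """(headers, body) once a full HTTP request is buffered, None while more
    bytes are needed. ValueError if the length cannot be bounded cheaply."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    headers = {}
    for line in buf[:end].decode("latin-1").split("\r\n")[1:]:   # skip request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "transfer-encoding" in headers:
        raise ValueError("encoded body: length not known up front, fail closed")
    length = int(headers.get("content-length", "0"))      # ValueError if garbage
    body = buf[end + 4:]
    return None if len(body) < length else (headers, body[:length])


def declared_namespaces(body):
    """(root tag, namespace URIs declared anywhere in the document).
    Raises ET.ParseError if the body is not well-formed XML."""
    root_tag, namespaces = None, set()
    for event, item in ET.iterparse(BytesIO(body), events=("start-ns", "start")):
        if event == "start-ns":
            namespaces.add(item[1])          # item is (prefix, uri)
        elif root_tag is None:
            root_tag = item.tag              # first element opened is the root
    return root_tag or "", namespaces


def classify_body(body, dst_ip):
    """'pass' or 'drop' for a non-empty request body bound for dst_ip."""
    if b"<!DOCTYPE" in body:
        # SOAP 1.1 forbids a DTD in a message; it is also where entity-expansion
        # attacks on the filter's own parser would come from.
        return "drop"
    try:
        root_tag, namespaces = declared_namespaces(body)
    except ET.ParseError:
        return "pass"        # not XML, so not SOAP: outside this filter's remit
    root_ns = root_tag[1:root_tag.index("}")] if root_tag.startswith("{") else ""
    if root_ns not in SOAP_ENVELOPE_NS:
        return "pass"        # XML, but not a SOAP envelope
    app_ns = namespaces - INFRASTRUCTURE_NS
    # Fail closed: every application namespace must be on the host's list,
    # and an envelope that declares none cannot be vouched for.
    return "pass" if app_ns and app_ns <= POLICY.get(dst_ip, set()) else "drop"


def decide(buf, dst_ip):
    """None while undecided, otherwise 'pass' or 'drop'."""
    try:
        parsed = parse_request(buf)
    except ValueError:
        return "drop"
    if parsed is None:
        return None
    _headers, body = parsed
    return "pass" if not body else classify_body(body, dst_ip)


class FlowBuffer:
    """One client->server flow: feed() payload fragments as the handler sees
    them and act on the first non-None answer."""
    def __init__(self, dst_ip):
        self.dst_ip, self.buf, self.decision = dst_ip, b"", None

    def feed(self, data):
        if self.decision is None:
            self.buf += data
            self.decision = ("drop" if len(self.buf) > MAX_BUFFER
                             else decide(self.buf, self.dst_ip))
        return self.decision


# Constructed sample traffic for the hosts in the diagram.
def http_post(host, body, extra_headers=""):
    return (f"POST /service HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: text/xml; charset=utf-8\r\n{extra_headers}"
            f"Content-Length: {len(body)}\r\n\r\n").encode("latin-1") + body

BILLING = (b'<?xml version="1.0"?>'
           b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           b'<soap:Body><b:InvoiceQuery xmlns:b="urn:example:billing">'
           b'<b:Id>42</b:Id></b:InvoiceQuery></soap:Body></soap:Envelope>')
STOCK = BILLING.replace(b"urn:example:billing", b"urn:example:stock")

if __name__ == "__main__":
    for dst, body in (("10.0.0.1", BILLING), ("10.0.0.2", BILLING), ("10.0.0.3", STOCK)):
        print(dst, FlowBuffer(dst).feed(http_post("server", body)))
```

Two choices in the block are the ones that matter in practice. The filter fails closed on anything it cannot bound (chunked bodies, a bad Content-Length, a flow that grows past `MAX_BUFFER`), because a content filter that can be made to wait forever is a denial-of-service target in its own right. And it refuses any body carrying a DOCTYPE before the parser ever sees it, so the filter's own XML parser cannot be turned against it; for production use a hardened parser such as defusedxml would be the safer choice anyway.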