> I have an idea.. Dunno if anyone else has suggested, tried, or shot it down
> previously. I'm not a programmer and as such am not sure if this is even
> possible with PF.
This is the approach ipf took. It is fraught with peril. First, PF operates at the IP layer. To watch for these commands in the data stream (and do it right) is to essentially re-implement TCP inside the PF code (think fragments, TCP windows): clearly not desirable. Second, it opens up a whole new class of attacks, whereby you fool the firewall into opening arbitrary ports by getting FTP-looking packets to pass the firewall. This is not particularly far-fetched. I can think of many, MANY ways to do it. The only way to avoid this style of attack is to eliminate the code duplication, and rely on the TCP layer to do your reassembly for you. In other words, implement a userland proxy, which is exactly the approach taken in PF.

-kj
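An added illustration of the point above (example code, not from the thread or from PF/ipf): a per-packet matcher for the FTP PORT command, as an IP-layer firewall would have to do it, beside a matcher that first lets a minimal TCP reassembly rebuild the byte stream, as a userland proxy gets for free from the kernel. The `Segment` type, the regex and the segments are constructed sample data; TCP gives no guarantee that one command arrives in one segment, so the per-packet matcher silently misses the command when a client's write is split or delivered out of order.

```python
import re
from dataclasses import dataclass

# Minimal FTP PORT grammar: "PORT h1,h2,h3,h4,p1,p2\r\n" (RFC 959)
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # payload of this one TCP segment


def port_args(m):
    """Decode the six PORT fields into (host, port)."""
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return (f"{a}.{b}.{c}.{d}", p1 * 256 + p2)


def packet_level_ports(segments):
    """What an IP-layer firewall sees: each packet in isolation.
    A command split across segments, or reordered, is never matched."""
    found = []
    for seg in segments:
        found.extend(port_args(m) for m in PORT_RE.finditer(seg.payload))
    return found


def stream_level_ports(segments, isn):
    """What a userland proxy sees after the TCP layer has reassembled
    the stream. Toy reassembly: order by seq, drop retransmitted
    overlap, stop at a gap (real TCP waits for the missing bytes)."""
    data = bytearray()
    next_seq = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > next_seq:
            break                      # hole in the stream: not yet parsable
        skip = next_seq - seg.seq      # bytes already delivered (overlap)
        data += seg.payload[skip:]
        next_seq = seg.seq + len(seg.payload)
    return [port_args(m) for m in PORT_RE.finditer(bytes(data))]


# Constructed control-channel segments: one PORT command, split by the
# sender into two segments and delivered out of order.
ISN = 1000
SEGMENTS = [
    Segment(ISN + 14, b"7,209\r\n"),
    Segment(ISN, b"PORT 10,0,0,5,"),
]

if __name__ == "__main__":
    print("per packet :", packet_level_ports(SEGMENTS))       # []
    print("reassembled:", stream_level_ports(SEGMENTS, ISN))  # [('10.0.0.5', 2001)]
```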
