On Thu, Sep 11, 2003 at 12:58:57PM +0200, Ed White wrote:
> In the end we will have syn-proxy to manage the TCP connection, while the
> application-proxy talks only with syn-proxy and can change the data, block the
> connection or redirect (for example by hostname, like Apache vhosts).
You can already do that with logic in the application filter (HTTP proxy). Let pf do SYN proxying in front of the userland HTTP proxy. That means pf will swallow SYN floods and only pass fully established connections on to the HTTP proxy.

What you seem to want is that the HTTP proxy doesn't immediately open its connection to the real server, but first parses the client's HTTP request, and only opens the connection to the real server when it agrees (dropping the client connection or returning an HTTP error code when it doesn't agree, without bothering the real server at all). This can be done easily within the logic of the HTTP proxy; just write one that doesn't open the real server connection immediately, but parses the request first. This works for TCP protocols where the client must first send a complete request and doesn't lead an interactive dialogue with the server (like for SMTP or POP3).

Or, if that's not what you meant, what did you mean? :)

Daniel
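The deferred-connect proxy described above, as an added Python sketch that is not part of the original thread: the proxy buffers the client's request head, decides by Host header (vhost-style) and only then opens the backend connection, so rejected clients are answered locally and the real server never sees them. The vhost map, the MAX_HEAD limit, the accepted-method list and the one-shot relay are assumptions; pf with `synproxy state` on the rule feeding the proxy is assumed to sit in front.

```python
# Added example (not from the thread): parse the full request head, then connect.
import socket

BACKENDS = {"www.example.com": ("10.0.0.10", 8080)}  # constructed vhost -> backend map
MAX_HEAD = 8192  # stop buffering if no complete head arrives within this many bytes

def parse_head(data):
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None  # head still incomplete; caller keeps buffering
    req_line, *hdr_lines = data[:end].decode("latin-1").split("\r\n")
    method, target, _version = req_line.split(" ")  # ValueError if not three tokens
    headers = {}
    for line in hdr_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def decide(data):
    """('forward', backend_addr) or ('reject', raw HTTP response) for buffered bytes."""
    def reject(status):
        return "reject", f"HTTP/1.1 {status}\r\nContent-Length: 0\r\n\r\n".encode()
    try:
        parsed = parse_head(data)
        if parsed is None:  # EOF or MAX_HEAD reached without a complete head
            raise ValueError("incomplete head")
        method, _target, headers = parsed
    except ValueError:
        return reject("400 Bad Request")
    backend = BACKENDS.get(headers.get("host", "").split(":")[0].lower())
    return ("forward", backend) if backend else reject("403 Forbidden")

def handle_client(client, connect=socket.create_connection):
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < MAX_HEAD:
        chunk = client.recv(4096)
        if not chunk:
            break
        buf += chunk
    verdict, payload = decide(buf)
    if verdict == "reject":
        client.sendall(payload)  # answered locally; the real server saw nothing
    else:
        with connect(payload) as upstream:  # first contact with the backend
            upstream.sendall(buf)  # replay buffered head (and any body bytes)
            client.sendall(upstream.recv(65536))  # simplified one-shot relay
    client.close()
    return verdict
```

`connect` is injectable so the decision path can be exercised without a network; in production it is `socket.create_connection` and a real bidirectional relay replaces the one-shot `recv`.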
