Henning Brauer wrote:

> * Julien Bordet <[EMAIL PROTECTED]> [2004-03-01 21:35]:
>> However, when one does bridge traffic shaping, this is not the same thing
>> at all: proxifying means that you are not bridging any more, using an IP
>> address for the bridge, and so on. I really think it is a very dirty
>> solution. The kernel-space solution here is much cleaner, as it is
>> transparent for the firewall administrator.
>
> you are so wrong.
> doing this kind of proxying in-kernel is just plain wrong, and error-prone.


In fact, even if it does not really matter to you, I'm not talking about a kernel "proxy" here. I'm talking about something smart enough to tag packets as "related" and so to "pass" them. If we go on with FTP, a piece of code that attaches data connections to the command connection initiated before. In the case of a bridge, I clearly do not need (and do not want!) a proxy, nor NAT support.

> don't people read bugtraq?
> don't people learn from all the security problems ipf and the linux guys had with their in-kernel proxies?




I do read bugtraq, and yes, I'm aware of the security problems of ipf and netfilter.

Yet, I'm talking about a feature we need. Bridging with a certain "understanding" of the FTP protocol is clearly needed. And yes, FTP is a crappy protocol. I'm not an I-want-everything-in-the-kernel guy; I'd like a solution.

Julien
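The "related connection" tracking Julien describes above, written out as an added example (this is not pf, ipf or netfilter code, nor anything from the thread). It watches the FTP control connection on a bridge, derives the one data connection each PORT/EPRT/PASV/EPSV announces, and lets a later SYN be matched against that expectation without a proxy or NAT. The class and function names, the addresses and the session transcript are all constructed for the example. The address and port checks are the part that the in-kernel proxy bugs mentioned in the thread make worth showing: an announced address that is not the peer's own, an out-of-range octet or a privileged port is refused rather than passed.

```python
"""FTP-aware 'related connection' tracker (added example, not pf code).

Follows one FTP control connection (client <-> server) and records which
data connection should be expected next, so a bridge could pass that one
flow statefully.  Only parsing and bookkeeping are shown; wiring it to
packets on the wire is out of scope.  IPv6 (EPRT |2|...) is not handled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class DataExpect:
    """One expected data connection: src_ip connects to dst_ip:dst_port."""
    src_ip: str
    dst_ip: str
    dst_port: int


# The four messages that announce a data connection (RFC 959 / RFC 2428 forms).
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
_EPRT_RE = re.compile(r"^EPRT\s+\|1\|(\d{1,3}(?:\.\d{1,3}){3})\|(\d{1,5})\|\s*$",
                      re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def _split_h_p(spec: str) -> Optional[Tuple[str, int]]:
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256+p2), None if any field > 255."""
    nums = [int(x) for x in spec.split(",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def _port_ok(port: int) -> bool:
    # Refuse privileged ports: a "data connection" to port 25 or 80 is the
    # classic FTP bounce, not a transfer.
    return 1024 <= port <= 65535


class FtpControlTracker:
    def __init__(self, client_ip: str, server_ip: str) -> None:
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.pending: Set[DataExpect] = set()

    def client_line(self, line: str) -> Optional[DataExpect]:
        """One command from the client; returns the expectation it creates, if any."""
        line = line.rstrip("\r\n")
        m = _PORT_RE.match(line)
        if m:
            parsed = _split_h_p(m.group(1))
            if parsed is None:
                return None
            ip, port = parsed
        else:
            m = _EPRT_RE.match(line)
            if not m:
                return None
            ip, port = m.group(1), int(m.group(2))
        # Active mode: the server connects back to the client.  The announced
        # address must be the client's own address, otherwise it is a bounce.
        if ip != self.client_ip or not _port_ok(port):
            return None
        return self._add(DataExpect(self.server_ip, self.client_ip, port))

    def server_line(self, line: str) -> Optional[DataExpect]:
        """One reply from the server; returns the expectation it creates, if any."""
        line = line.rstrip("\r\n")
        m = _PASV_RE.match(line)
        if m:
            parsed = _split_h_p(m.group(1))
            if parsed is None:
                return None
            ip, port = parsed
        else:
            m = _EPSV_RE.match(line)
            if not m:
                return None
            ip, port = self.server_ip, int(m.group(1))
        # Passive mode: the client connects to the server.  Only the server's
        # own address is trusted; a reply pointing at a third host is refused.
        if ip != self.server_ip or not _port_ok(port):
            return None
        return self._add(DataExpect(self.client_ip, self.server_ip, port))

    def _add(self, e: DataExpect) -> DataExpect:
        self.pending.add(e)
        return e

    def match_data_connection(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """For a new SYN seen on the bridge: consume a matching expectation (one-shot)."""
        e = DataExpect(src_ip, dst_ip, dst_port)
        if e in self.pending:
            self.pending.discard(e)
            return True
        return False


# Constructed control-channel transcript: ("C" = client line, "S" = server line).
SAMPLE_SESSION = [
    ("C", "USER anonymous\r\n"),
    ("S", "230 Login ok.\r\n"),
    ("C", "PORT 10,0,0,5,4,1\r\n"),              # active: server -> 10.0.0.5:1025
    ("C", "PORT 10,0,0,9,4,1\r\n"),              # bounce attempt, refused
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80).\r\n"),   # passive: 50000
    ("S", "229 Entering Extended Passive Mode (|||50001|)\r\n"),   # passive: 50001
]


def walk_session(session: List[Tuple[str, str]],
                 client_ip: str = "10.0.0.5",
                 server_ip: str = "192.0.2.10") -> List[DataExpect]:
    """Feed a transcript through the tracker; return the expectations it created."""
    t = FtpControlTracker(client_ip, server_ip)
    out = []
    for side, line in session:
        e = t.client_line(line) if side == "C" else t.server_line(line)
        if e is not None:
            out.append(e)
    return out


if __name__ == "__main__":
    for e in walk_session(SAMPLE_SESSION):
        print(f"pass tcp from {e.src_ip} to {e.dst_ip} port {e.dst_port}")
```

Expectations are one-shot and keyed on the full (src, dst, port) triple, which is what keeps an attacker who can see the control channel from reusing a single PORT announcement for more than one inbound connection; a real implementation would also expire unused entries after a short timeout.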


