Thank you, I got the point. Yes, my patch is intended for some simple cases only, when writing a program for filtering is a little bit overkill. I understand that there is no silver bullet, and, of course, a separate proxy app is needed in complex cases. Well, there are reasons for having both rdr-to and relayd(8). ;)
2010/6/13, Damien Miller <[email protected]>:
> On Sun, 13 Jun 2010, Vadim Zhukov wrote:
>
>> No, no, it's me who is excluding this way. :) Moving packets through
>> userland and reimplementing states in the app is not the simplest,
>> most reliable and - last but not least - fastest way, IMHO. Please
>> prove me if I'm wrong.
>
> Well, in a sense, proxying is the most reliable in that it ensures that
> there is no exploitable ambiguity of interpretation between the inspector
> and the receiver of traffic. This is well described in Ptacek and Newsham's
> "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion
> Detection"[1].
>
> AFAIK your patch doesn't seem to deal with the trivial case of where the
> data to inspect spans more than one packet so it isn't reliable even with
> non-adversarial traffic.
>
> The fact that doing this right is exceedingly difficult is why it doesn't
> exist in PF already.
>
> -d
>
> [1] http://www.icir.org/vern/Ptacek-Newsham-Evasion-98.ps
> --

--
WBR, Vadim Zhukov
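The gap Damien points at (a pattern that spans two packets is invisible to a filter that inspects each packet on its own, while a proxy that reassembles the stream sees it) as an added illustration; this is not code from the thread, from pf or from relayd, and the segment layout, pattern and payloads are constructed:

```python
# Added example, not from the thread: a stateless per-packet matcher versus a
# stream-reassembling inspector, run over constructed TCP segments.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def per_packet_match(segments, pattern):
    """What a packet filter matching payload bytes sees: one segment at a time.
    Returns the seq numbers of segments that contain the whole pattern."""
    return [s.seq for s in segments if pattern in s.payload]


def reassemble(segments, isn):
    """Order segments by sequence number and keep the first copy of each byte.
    This is one receiver policy; real stacks differ, and that difference is the
    interpretation ambiguity Ptacek and Newsham describe."""
    stream = bytearray()
    for s in sorted(segments, key=lambda s: s.seq):
        offset = s.seq - isn
        if offset > len(stream):
            break                     # hole in the stream: wait for more data
        stream.extend(s.payload[len(stream) - offset:])  # skip overlap
    return bytes(stream)


def stream_match(segments, isn, pattern):
    """What a reassembling proxy sees: the byte stream as the receiver would."""
    return pattern in reassemble(segments, isn)


# Constructed traffic: the string to block is split across two segments that
# arrive out of order, plus one retransmitted segment overlapping the first.
ISN = 1000
PATTERN = b"User-Agent: BlockedBot"
SEGMENTS = [
    Segment(seq=1014, payload=b"ockedBot\r\n"),
    Segment(seq=1007, payload=b"ent: Bl"),          # duplicate of bytes 7..13
    Segment(seq=1000, payload=b"User-Agent: Bl"),
]

if __name__ == "__main__":
    print("per-packet:", per_packet_match(SEGMENTS, PATTERN))   # []
    print("stream:    ", stream_match(SEGMENTS, ISN, PATTERN))  # True
```

The same pattern in a single segment is caught by both, so the per-packet rule looks fine in testing and only fails once real traffic fragments it.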
