In some mail from Andrew Molitor, sie said:
> It is clear on the face of it that you can implement firewalls
> at lower layers (_vide_ mjr's Ultimate Firewall). I would read the original
> speaker's words as:
> You cannot implement a useful and effective firewall system
> without being higher-layer aware.
> Note that this presumably does not mean you can't bury the
> code as low level as you like, but just have to snoop on higher layers.
> While the statement under discussion may have been stronger than the
> ones I usually make, there is certainly truth to it.
If I can take that a bit further, to effectively do filtering at lower
layers (network), you have to model what would happen at higher layers,
which goes back to the virtual machine model.
This can introduce problems: I've got a TCP packet, it has some data in it,
but how do I know whereabouts that data fits into the entire stream?
What can be found in current Linux kernels (1.3.84) is a good example of
the wrong way to try and filter TCP data in the kernel (see `IP masquerading'
apps, linux/net/ip_masq_app.c and friends) and is much more suited to
the likes of UDP/ICMP.
UDP/ICMP are much easier to handle; you only have the current packet and
maybe one or two prior which tell you everything about what you should be
doing, although you may have to reassemble some fragments to get the full
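To make the TCP-versus-datagram point concrete, here is an added example that is not code from the message above nor from the Linux ip_masq code it refers to: a hypothetical, minimal per-connection tracker in C that places each TCP segment's payload by sequence number relative to the ISN learned from the SYN, then searches only the hole-free reassembled prefix, beside a per-datagram search that needs no state at all. The capture it walks is constructed (an FTP "USER anonymous" line split across three segments arriving out of order); the ISN of 1000, the first-copy-wins overlap policy and the 256-byte buffer are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STREAM_MAX 256 /* assumed: bytes of one direction we are willing to hold */

/* Hypothetical per-connection state for one direction of a TCP stream. */
struct tcp_stream {
    bool     have_isn;
    uint32_t isn;               /* from the SYN; the first data byte is isn + 1 */
    uint8_t  data[STREAM_MAX];
    uint8_t  seen[STREAM_MAX];  /* 1 once the byte at that offset has arrived */
};

struct tcp_segment {
    uint32_t       seq;
    bool           syn;
    const uint8_t *payload;
    size_t         len;
};

void tcp_stream_init(struct tcp_stream *s) { memset(s, 0, sizeof *s); }

/* Place a segment's payload at its offset in the stream.  Returns the
 * offset, or -1 if it cannot be placed (no SYN seen yet, or outside the
 * buffer).  A lone packet carries no frame of reference without this state. */
long tcp_place(struct tcp_stream *s, const struct tcp_segment *seg)
{
    if (seg->syn) {                     /* SYN consumes one sequence number */
        s->have_isn = true;
        s->isn = seg->seq;
        return 0;
    }
    if (!s->have_isn)
        return -1;                      /* mid-connection, nothing to anchor to */
    uint32_t off = seg->seq - (s->isn + 1); /* unsigned wrap handles seq rollover */
    if (off >= STREAM_MAX)
        return -1;
    size_t n = seg->len;
    if (off + n > STREAM_MAX)
        n = STREAM_MAX - off;
    for (size_t i = 0; i < n; i++) {
        /* Overlap policy (assumed): first copy wins.  Real stacks differ on
         * this, which is exactly the kind of ambiguity a filter must model. */
        if (!s->seen[off + i]) {
            s->data[off + i] = seg->payload[i];
            s->seen[off + i] = 1;
        }
    }
    return (long)off;
}

/* Bytes available from the start of the stream before the first hole. */
size_t tcp_contiguous(const struct tcp_stream *s)
{
    size_t n = 0;
    while (n < STREAM_MAX && s->seen[n])
        n++;
    return n;
}

/* Search the reassembled, hole-free prefix for a pattern. */
bool tcp_stream_contains(const struct tcp_stream *s, const char *pat)
{
    size_t n = tcp_contiguous(s), plen = strlen(pat);
    for (size_t i = 0; i + plen <= n; i++)
        if (memcmp(s->data + i, pat, plen) == 0)
            return true;
    return false;
}

/* The UDP case: one datagram is the whole message, so the packet in hand
 * (plus any fragments reassembled into it) is all the context needed. */
bool datagram_contains(const uint8_t *p, size_t len, const char *pat)
{
    size_t plen = strlen(pat);
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(p + i, pat, plen) == 0)
            return true;
    return false;
}

/* Walk the constructed capture.  Returns a bitmask of what was observed:
 * 1: per-packet search missed the pattern in every segment
 * 2: a segment seen before the SYN could not be placed
 * 4: stream search still missed while the middle segment was outstanding
 * 8: stream search hit once the hole was filled */
int reassembly_demo(void)
{
    static const char pat[] = "anonymous";
    struct tcp_segment syn = { 1000, true,  NULL, 0 };                          /* ISN assumed */
    struct tcp_segment a   = { 1001, false, (const uint8_t *)"USER ano", 8 };  /* 1001..1008 */
    struct tcp_segment b   = { 1009, false, (const uint8_t *)"nymou",    5 };  /* 1009..1013 */
    struct tcp_segment c   = { 1014, false, (const uint8_t *)"s\r\n",    3 };  /* 1014..1016 */
    struct tcp_stream s;
    int r = 0;
    tcp_stream_init(&s);
    if (!datagram_contains(a.payload, a.len, pat) &&
        !datagram_contains(b.payload, b.len, pat) &&
        !datagram_contains(c.payload, c.len, pat))
        r |= 1;
    if (tcp_place(&s, &a) == -1)        /* no SYN seen yet */
        r |= 2;
    tcp_place(&s, &syn);
    tcp_place(&s, &a);
    tcp_place(&s, &c);                  /* arrives before b, leaving a hole */
    if (!tcp_stream_contains(&s, pat))
        r |= 4;
    tcp_place(&s, &b);                  /* hole filled */
    if (tcp_stream_contains(&s, pat))
        r |= 8;
    return r;
}

int main(void)
{
    printf("observations bitmask: %d (15 means all four held)\n", reassembly_demo());
    return 0;
}
```

The point of the demo is the bitmask's first bit: no single segment contains "anonymous", so a per-packet filter never sees it, while the tracker only finds it after the out-of-order segment has filled the hole. Everything the tracker needs (the ISN, which bytes have arrived, what to do with overlaps) is state it had to accumulate by modelling the endpoint's TCP; the datagram search has no such state because there is nothing to model.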