> I want to pass DCE's portmap-equiv (called epmapper) so I plug
> the xxx port. I've restricted DCE to a range of ports (3000-4000)
> and I need to place 1000 plug-gw's ???

A shortcoming in the Berkeley socket interface. It's hard to wait on
more than one port from a given process. If anyone has ideas for how
to handle that cleanly I'd be interested in adding that to plugdaemon.

> Performance still is an issue. At work we POUND a couple production
> services. I fill up a high-powered machine running plug-gw ? Makes no
> sense when I can't justify that plug-gw is any more of a benefit than
> a simple filtering rule on a filter device that costs 1/2 what my
> plug-gw servers (n+1 for fail-over/redundancy) cost.

A simple filtering rule will let through fragment attacks, stealth scans,
and so on. Complex filtering rules are harder to get right.

> Actually, I'd like to have a packet filter that would let me
> do some "scripting" of what the data payload should look like :-)

Hmmmm. Sounds like a job for Tcl.
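An added example, not code from plugdaemon or from anyone in this thread, of how one process can wait on a whole range of listening ports with poll(): bind one socket per port, poll them all together, and accept on whichever one becomes readable. The address and port range are assumptions chosen by the caller; the per-process descriptor limit is what bounds how many ports a single daemon can hold this way.

```c
#include <poll.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Bind and listen on every TCP port in [lo, hi] at addr (the range is an
 * assumption of the caller). Returns how many listeners were opened; fds[]
 * receives their descriptors. Ports that cannot be bound are skipped. */
int open_listeners(const char *addr, int lo, int hi, int *fds, int max_fds) {
    int n = 0;
    for (int port = lo; port <= hi && n < max_fds; port++) {
        int fd = socket(AF_INET, SOCK_STREAM, 0);
        if (fd < 0) continue;
        int one = 1;
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
        struct sockaddr_in sa;
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_port = htons((uint16_t)port);
        if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
            close(fd); /* port busy or not bindable: skip it and keep going */
            continue;
        }
        fds[n++] = fd;
    }
    return n;
}

/* Wait up to timeout_ms for a connection on any of the n listeners, accept
 * the first ready one, and return that listener's index (-1 on timeout or
 * error). *conn_fd receives the accepted connection. */
int accept_any(const int *fds, int n, int timeout_ms, int *conn_fd) {
    if (n <= 0) return -1;
    struct pollfd pfds[n]; /* one poll entry per listening socket */
    int hit = -1;
    for (int i = 0; i < n; i++) { pfds[i].fd = fds[i]; pfds[i].events = POLLIN; }
    if (poll(pfds, (nfds_t)n, timeout_ms) > 0) {
        for (int i = 0; i < n; i++) {
            if (pfds[i].revents & POLLIN) {
                *conn_fd = accept(fds[i], NULL, NULL);
                hit = (*conn_fd >= 0) ? i : -1;
                break;
            }
        }
    }
    return hit;
}
```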