Christopher Zarcone wrote:
> I suppose I should clarify what I said:
> Historically I have come to understand "packet filtering" as screening based on
> IP-level and transport level information. With such limited information, you
> can't determine with certainty the application-level service; you can only make
> a best guess.
True enough.
>
> Of course, if you have a more advanced packet filter, you could arbitrarily
> examine any or all bits in the entire packet. At that point, though, you're
> basically performing application-level analysis, and incurring the performance
> penalty, so why not use a proxy?
You're not necessarily incurring the performance penalty, though. If you're doing this in the kernel, you're not incurring the overhead of (at least) two context switches per UDP datagram or TCP message. Generally, I'm not an advocate of putting stuff like this in the kernel, but on a special purpose box I'm willing to make an exception.
Mike Jones
Senior Technology Advisor, Unified Technologies
mike . jones @ unifiedtech . com
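The point both posters are making, that IP- and transport-level fields only let a filter guess the application service while an "advanced" filter or proxy has to read the payload to know, can be shown concretely. The following is an added example and is not code from either poster or from any product discussed in the thread. It builds constructed IPv4/TCP packets (hypothetical hosts in the 192.0.2.0/24 documentation range, a small assumed port-to-service table, and a handful of assumed payload signatures) and classifies each packet twice: once from the port alone, as a classic packet filter would, and once from the application data.

```python
import socket
import struct

# Assumed port -> service table: the only thing a header-only filter can go on.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 80: "http", 443: "https"}


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4 + TCP packet (constructed test input, not a capture).

    The IPv4 header checksum is filled in; the TCP checksum is left at zero
    because nothing below needs it.
    """
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    # data offset 5 words (20 bytes), flags PSH|ACK, window 65535, no options
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull out the fields an IP/transport-level filter sees, plus the payload."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": pkt[ihl + data_off:],
    }


def classify_by_header(pkt: bytes) -> str:
    """What a classic packet filter does: infer the service from the destination port."""
    return WELL_KNOWN_PORTS.get(parse_ipv4_tcp(pkt)["dport"], "unknown")


def classify_by_payload(pkt: bytes) -> str:
    """What a payload-inspecting filter or a proxy does: look at the application data.
    The signatures below are a deliberately small, assumed set."""
    p = parse_ipv4_tcp(pkt)["payload"]
    if p.startswith(b"SSH-"):                           # SSH identification string
        return "ssh"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:   # TLS handshake record header
        return "tls"
    if any(p.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")):
        return "http"
    return "unknown"


def compare(pkt: bytes) -> tuple:
    """(header guess, payload verdict) for one packet."""
    return classify_by_header(pkt), classify_by_payload(pkt)


# Constructed sample traffic between hypothetical hosts.
SAMPLES = {
    "http_on_80": build_ipv4_tcp("192.0.2.10", "192.0.2.80", 40001, 80,
                                 b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    "ssh_on_80": build_ipv4_tcp("192.0.2.10", "192.0.2.80", 40002, 80,
                                b"SSH-2.0-OpenSSH_9.0\r\n"),
    "tls_on_8443": build_ipv4_tcp("192.0.2.10", "192.0.2.80", 40003, 8443,
                                  bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        guess, verdict = compare(pkt)
        print(f"{name:12s} header-guess={guess:8s} payload-says={verdict}")
```

The second and third samples are the cases the thread is about: SSH pushed through port 80 is "http" to the header-only filter, and a TLS handshake on a non-standard port is simply "unknown" to it, while the payload check gets both right. The payload check is also the part that costs: it touches every byte after the transport header, which is exactly the work a proxy would do, whether it runs in user space or, as suggested above, in the kernel.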