Christopher Zarcone wrote:
> I suppose I should clarify what I said:
> Historically I have come to understand "packet filtering" as screening based on
> IP-level and transport level information. With such limited information, you
> can't determine with certainty the application-level service; you can only make
> a best guess.
> Of course, if you have a more advanced packet filter, you could arbitrarily
> examine any or all bits in the entire packet. At that point, though, you're
> basically performing application-level analysis, and incurring the performance
> penalty, so why not use a proxy?
You're not necessarily incurring the performance penalty, though. If you're doing this in the kernel, you're not incurring the overhead of (at least) two context switches per UDP datagram or TCP message. Generally, I'm not an advocate of putting stuff like this in the kernel, but on a special purpose box I'm willing to make an exception.
--
Mike Jones
Senior Technology Advisor, Unified Technologies
email: mike .
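To make Zarcone's distinction concrete, here is an added example (my own illustration, not code from the thread): a toy filter that classifies constructed IPv4/TCP packets first by destination port alone, then by the first payload bytes, showing the header-only guess is wrong when an SSH banner arrives on port 80. All function and constant names are hypothetical.

```python
import struct

# Constructed sample packets and hypothetical helper names; nothing here is from the thread.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 80: "http", 443: "https"}

def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP packet for offline parsing (checksums left as zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    # Data offset 5 (20-byte header), flags PSH|ACK, window 65535, no options.
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def parse(pkt):
    """Extract what a classic IP/transport-level filter sees, plus the payload it ignores."""
    ihl = (pkt[0] & 0x0F) * 4
    fields = {"proto": pkt[9], "src": pkt[12:16], "dst": pkt[16:20],
              "sport": None, "dport": None, "payload": b""}
    if fields["proto"] == 6:  # TCP
        fields["sport"], fields["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        data_off = (pkt[ihl + 12] >> 4) * 4
        fields["payload"] = pkt[ihl + data_off:]
    return fields

def guess_by_port(fields):
    """Header-only decision: a best guess from the destination port."""
    return WELL_KNOWN_PORTS.get(fields["dport"], "unknown")

def identify_by_payload(fields):
    """Application-level decision: look at the first bytes of the stream."""
    p = fields["payload"]
    if p.startswith(b"SSH-"):
        return "ssh"
    if b" HTTP/" in p and p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        return "http"
    return "unknown"

def compare(pkt):
    """Return (port-based guess, payload-based identification) for one packet."""
    fields = parse(pkt)
    return guess_by_port(fields), identify_by_payload(fields)

# Constructed samples: real HTTP on port 80, and an SSH banner sent to port 80.
HTTP_ON_80 = build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40000, 80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n")
SSH_ON_80 = build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40001, 80, b"SSH-2.0-OpenSSH_9.0\r\n")

if __name__ == "__main__":
    print(compare(HTTP_ON_80))  # ('http', 'http')
    print(compare(SSH_ON_80))   # ('http', 'ssh'): the port-only guess was wrong
```

The second result is the case Zarcone describes: the transport headers alone can only guess, and only reading into the payload settles which service is really in use.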