
Re: Content Filtering Firewall in Linux..

Subject: Re: Content Filtering Firewall in Linux..
Date: Fri, 19 Aug 2005 19:23:17 +0200
On Fri, 2005-08-19 at 06:30 +0200, Andrew Rucker Jones wrote:
Hrvoje Spoljar wrote:
You are looking for layer7 iptables patch.
http://l7-filter.sourceforge.net/

No, You're really not. This was made for quality of service and suffers
the same problems as Netfilter with hex string support. Think about
this: You create a pattern for l7-filter (or Netfilter with hex strings)
to look for "sex" and drop it. First You run into the "Essex" problem,
so You change it to " sex ", but that doesn't block " sex." or " sex!"
[CUT]

If you take another look at the original mail you will realize that
'content' is not very well defined. OP does not say he wants to block
content like sex or something, or does content relate to type of service
or service, but when he mentioned solutions like iptables and such there
is no way to do 'sex' filtering at that level? ;-) so any type of
content that is worth filtering and recognition at such level is a
layer7 recognition and some good stateful inspection firewall. Yes
layer7 is a good partner for implementing smart QoS policies, but also it
is one if not the only solution that will help you filter out connections
that use non-standard ports for services that are forbidden by firm policy.


-- 
 ____ __  ___| |  ___   Ignorance is    .~.    hrvoje.spoljar@x.pbf.hr
(_-< '_ \/ _ \ |_/ -_)  bliss, but     / V \   irc # RoCkY 
/__/ .__/\___/__/\___|  knowledge is  /(   )\  icq : 53000945   
  |_|                   power!          ^-^    http://spole.pbf.hr
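The "Essex" problem discussed in the thread, as an added example (not code from the list or from l7-filter/Netfilter): three keyword matchers of the kind a string-match firewall rule would use, run over constructed sample payloads, with the false positives and false negatives each one produces. Sample payloads and the "should be blocked" labels are assumptions made for illustration.

```python
import re

# Constructed sample payloads with a policy label:
# True  = policy says this payload should be blocked
# False = benign payload that must be allowed
SAMPLES = {
    "meeting in Essex tomorrow": False,   # the "Essex" false positive
    "hotel in Essex.": False,
    "the sex of the plant": True,
    "talk about sex.": True,              # keyword followed by punctuation
    "sex!": True,                         # keyword at start of payload
    "SEX in caps": True,                  # case variant
}


def match_substring(payload: str) -> bool:
    """Naive substring match, like a plain --string "sex" rule."""
    return "sex" in payload


def match_padded(payload: str) -> bool:
    """The ' sex ' workaround from the thread: avoids Essex, misses ' sex.'"""
    return " sex " in payload


WORD = re.compile(r"\bsex\b", re.IGNORECASE)


def match_word(payload: str) -> bool:
    """Word-boundary regex, the kind of pattern l7-filter accepts."""
    return bool(WORD.search(payload))


def evaluate(matcher, samples=SAMPLES):
    """Return (false_positives, false_negatives) for a matcher.

    A false positive is a benign payload the matcher would drop; a false
    negative is a payload the policy wants blocked but the matcher passes.
    """
    fp = [p for p, blocked in samples.items() if matcher(p) and not blocked]
    fn = [p for p, blocked in samples.items() if not matcher(p) and blocked]
    return fp, fn


if __name__ == "__main__":
    for m in (match_substring, match_padded, match_word):
        fp, fn = evaluate(m)
        print(f"{m.__name__:16} false positives={fp} false negatives={fn}")
```

Even the regex only fixes the cases the thread names; it says nothing about the encoding, language or protocol the payload is carried in, which is the reason the reply points at stateful layer-7 inspection rather than byte patterns.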
