This is a discussion on Re: content matching on tcp connections... within the IPFilter forums, part of the System Security and Security Related category.
Definitely! Technically, this can be a very useful addition to IP Filter, combining the power of packet filtering with basic content filtering techniques. Maybe the current code is not mature enough, but having the basics in place enables other people to extend it. Also, from a strategic point of view, now that some market and sales have "invented" deep packet scanning firewalls, you can safely say that IP Filter uses these techniques as well ;-)

Frank

Darren Reed wrote:
>
> Long ago (well almost 3 years now), I put some code into IPFilter
> 3.5alpha (became 4.0alpha) that does this:
>
> > #
> > # * = match any character, . = exact match, ? = case insensitive
> > #
> > # Scan for anything that looks like HTTP and redirect it to the local
> > # proxy. One catch - this feature (redirect) is not yet implemented.
> > #
> > http : ("GET ", "???." ) = redirect(127.0.0.1)
> > #
> > # Track ssh connections (i.e do nothing)
> > #
> > ssh : (), ("SSH-") = track
> > #
> > # Things which look like smtp to be tracked else closed.
> > # Client can start with EHLO (ESMTP) or HELO (SMTP).
> > #
> > smtp : ("HELO ", "**??."), ("220 ", "....") = track else close
> > #
> > # Evil napster
> > #
> > nap2 : ("*\0\2\0", "*...") = close
> > nap4 : ("*\0\4\0", "*...") = close
> > nap6 : ("*\0\6\0", "*...") = close
> > nap7 : ("*\0\7\0", "*...") = close
>
> With the above, there are no port numbers mentioned because the connection
> content scanning (I think limited to first 16 bytes or thereabouts) is done
> across _all_ TCP connections that go through IPFilter's state table.
>
> This kind of thing could be used to block out kazaa - completely.
>
> I think I ditched it because I didn't think it would be that useful.
>
> Should I dust this off and let it back in ?
>
> Darren
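The quoted rule syntax matches the first bytes of a TCP connection against a pattern under a mask (`*` any character, `.` exact, `?` case insensitive), which is why `("HELO ", "**??.")` accepts both HELO and EHLO. The following is an added example written for this page, not IPFilter's code, that implements that matching and evaluates the quoted rule set over constructed first segments. Everything the thread leaves open is an assumption here: the first tuple of a rule applies to client-to-server data and the second to server-to-client data, a pattern with no mask is an exact match, rules are evaluated in order with the first decisive rule winning, a rule that cannot yet be decided reports "pending" rather than firing its `else` branch on an incomplete segment, and the scan window is 16 bytes.

```python
"""Content matching on the first bytes of a TCP connection.

Added example illustrating the rule syntax quoted in the thread; it is not
IPFilter code. Mask characters follow the quoted comment:
    *  any byte matches       .  byte must equal the pattern byte
    ?  case-insensitive match (ASCII letters only)
Assumptions (not stated in the thread): first tuple = client->server data,
second tuple = server->client data; no mask = exact match; first decisive
rule wins; only the first 16 bytes of each direction are scanned.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCAN_WINDOW = 16  # assumed from "first 16 bytes or thereabouts"

Side = Tuple[bytes, Optional[str]]  # (pattern, mask); mask None = exact


def match_pattern(data: bytes, pattern: bytes, mask: Optional[str] = None) -> Optional[bool]:
    """Match the start of `data` against `pattern` under `mask`.

    Returns True/False once enough bytes are present to decide, or None
    while fewer bytes than the pattern needs have been seen.
    """
    if mask is None:
        mask = "." * len(pattern)
    if len(mask) != len(pattern):
        raise ValueError("mask and pattern must have the same length")
    if len(pattern) > SCAN_WINDOW:
        raise ValueError("pattern longer than the scan window can never match")
    data = data[:SCAN_WINDOW]
    if len(data) < len(pattern):
        return None  # undecided: wait for more bytes
    for d, p, m in zip(data, pattern, mask):
        if m == "*":
            continue
        if m == ".":
            if d != p:
                return False
        elif m == "?":
            if bytes([d]).lower() != bytes([p]).lower():
                return False
        else:
            raise ValueError(f"unknown mask character {m!r}")
    return True


@dataclass(frozen=True)
class Rule:
    name: str
    client: Optional[Side]      # () in the rule syntax -> None
    server: Optional[Side]      # absent second tuple -> None
    action: str                 # applied when every given side matches
    else_action: Optional[str] = None  # "track else close" -> "close"


# The rule set quoted in the thread, transcribed into Python data.
RULES: List[Rule] = [
    Rule("http", (b"GET ", "???."), None, "redirect(127.0.0.1)"),
    Rule("ssh", None, (b"SSH-", None), "track"),
    Rule("smtp", (b"HELO ", "**??."), (b"220 ", "...."), "track", "close"),
    Rule("nap2", (b"*\x00\x02\x00", "*..."), None, "close"),
    Rule("nap4", (b"*\x00\x04\x00", "*..."), None, "close"),
    Rule("nap6", (b"*\x00\x06\x00", "*..."), None, "close"),
    Rule("nap7", (b"*\x00\x07\x00", "*..."), None, "close"),
]


def classify(client: bytes, server: bytes, rules: List[Rule] = RULES) -> Tuple[Optional[str], str]:
    """Return (rule name, action) for the first rule that decides the connection.

    A rule that cannot yet be decided reports "pending" so the caller does
    not close a connection on the strength of an incomplete first segment.
    With no rule matching, the connection is left alone ("pass").
    """
    for r in rules:
        results = []
        if r.client is not None:
            results.append(match_pattern(client, *r.client))
        if r.server is not None:
            results.append(match_pattern(server, *r.server))
        if any(x is None for x in results):
            return r.name, "pending"
        if all(results):
            return r.name, r.action
        if r.else_action is not None and any(results):
            return r.name, r.else_action
    return None, "pass"


if __name__ == "__main__":
    # Constructed sample first segments, not captured traffic.
    samples = [
        (b"GET / HTTP/1.0\r\n", b""),
        (b"SSH-2.0-client\r\n", b"SSH-2.0-server\r\n"),
        (b"ehlo mail.example\r\n", b"220 mx ESMTP\r\n"),
        (b"QUIT\r\n", b"220 mx ESMTP\r\n"),
        (b"\x01\x00\x02\x00\x00\x10", b"\x00\x00\x00\x00"),
        (b"GE", b""),
    ]
    for c, s in samples:
        print(c[:8], s[:8], "->", classify(c, s))
```

The `None` return from `match_pattern` is the detail worth keeping if such a feature is revived: a `track else close` rule evaluated on the first two bytes of a client segment would otherwise close every legitimate connection whose greeting arrives in more than one packet, and the order of the rule table decides which pattern gets to speak first when an earlier rule is still undecided.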