On Mon, 2003-08-18 at 22:13, SBlaze wrote:
> To Ralf, the netfilter team, and the whole of the OS community
>
> How am I supposed to proxy apache? Why should I have to? Is it not a firewall's
> job to protect a system (and the LAN behind it)? This is a very valid form of
> protection I'm asking for here.

You sure are correct in pointing out that firewalls are supposed to protect a
system and maybe a LAN behind it. You have to remember (or read up on) that
there are basically 3 different technologies available to technically implement
a firewall:

1. Packet filters like netfilter and ipchains
2. Circuit relays like socks
3. Application level gateways like fwtk

All three work on different network layers and have access to different
information.

Basically a packet filter has only access to the headers of the IP packet (yes,
I know that netfilter has the string match), but it cannot reassemble the whole
data stream and base its decision on it (at least not yet). This means that a
packet filter cannot find the destination email address in an SMTP data stream.
It just does not have the intelligence built in.

A circuit relay is a quite dumb proxy that just filters connections but still
cannot see inside.

An application level gateway is more or less a proxy written for the specific
protocol. It cannot access the packet headers anymore, but it sees the data
stream. It can understand and parse the SMTP protocol and filter based on the
data sent.

Now, since netfilter is a packet filter, you do not (and probably never will)
have the possibility to filter based on domains, but only on IP addresses. If
your domains use two different IP addresses it is easy to redirect, because
netfilter can access the IP header holding the information.

By the way, even commercial packet filters like Checkpoint use a proxy for this
functionality.
Cheers, Ralf -- Ralf Spenneberg RHCE, RHCX Book: Intrusion Detection für Linux Server http://www.spenneberg.com IPsec-Howto http://www.ipsec-howto.org Honeynet Project Mirror: http://honeynet.spenneberg.org
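The layer difference Ralf describes, shown in code. This is an added example, not part of the original thread and not netfilter or fwtk code: it builds constructed IPv4/TCP packets carrying a made-up SMTP session, then shows what a packet filter can decide from (header fields only, e.g. a DNAT keyed on the destination IP), what a per-packet string match can and cannot see once a command is split across segments, and what an application level gateway gets after reassembling the stream (the RCPT TO domains). The addresses, ports and the NAT table are assumptions chosen for illustration.

```python
import re
import socket
import struct

# Constructed sample SMTP client stream (not captured traffic): one session
# addressing two recipients in two different domains.
SMTP_CLIENT_STREAM = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<alice@example.org>\r\n"
    b"RCPT TO:<bob@mail-a.example>\r\n"
    b"RCPT TO:<carol@mail-b.example>\r\n"
    b"DATA\r\n"
)

# Hypothetical DNAT table: public address -> internal server, keyed on the
# destination IP only, which is all a packet filter rule like
# "iptables -t nat -A PREROUTING -d 203.0.113.10 -j DNAT --to 10.0.0.10" uses.
EXAMPLE_NAT_TABLE = {
    "203.0.113.10": "10.0.0.10",
    "203.0.113.11": "10.0.0.11",
}


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Build a minimal IPv4 + TCP packet (checksums left zero; headers only
    need to be well-formed enough to be parsed below)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000,
                         64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    # data offset 5 words (0x50), flags PSH|ACK (0x18)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18,
                          65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def segment_stream(stream, src, dst, sport, dport, mss):
    """Split an application byte stream into TCP segments of at most mss bytes,
    the way the sender's stack would."""
    return [build_ipv4_tcp(src, dst, sport, dport, stream[i:i + mss])
            for i in range(0, len(stream), mss)]


def packet_filter_view(pkt):
    """Everything a packet filter can match on: IP and TCP header fields.
    The payload is returned too, but only as the opaque bytes of this one
    packet, which is what the netfilter string match gets to look at."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4
    return {"proto": proto, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "payload": pkt[ihl + data_off:]}


def dnat_by_dst_ip(pkt, nat_table):
    """Packet-filter level redirect: the decision is keyed on the destination
    IP alone. Two domains on two IPs can be told apart; two domains sharing
    one IP cannot."""
    return nat_table.get(packet_filter_view(pkt)["dst"])


def string_match_hits(segments, needle):
    """Per-packet substring match. It fires only when the whole needle sits
    inside a single segment; a command split over two segments is invisible."""
    return sum(1 for p in segments if needle in packet_filter_view(p)["payload"])


RCPT_RE = re.compile(rb"^RCPT TO:<[^@>]+@([^>]+)>", re.IGNORECASE | re.MULTILINE)


def alg_recipient_domains(segments):
    """Application level gateway: reassemble the byte stream first, then parse
    the SMTP commands and extract the recipient domains."""
    stream = b"".join(packet_filter_view(p)["payload"] for p in segments)
    return [m.group(1).decode() for m in RCPT_RE.finditer(stream)]


if __name__ == "__main__":
    segs = segment_stream(SMTP_CLIENT_STREAM, "192.0.2.5", "203.0.113.10",
                          40000, 25, mss=16)
    print("packet filter sees:", {k: v for k, v in packet_filter_view(segs[0]).items()
                                  if k != "payload"})
    print("DNAT target by dst IP:", dnat_by_dst_ip(segs[0], EXAMPLE_NAT_TABLE))
    print("string match hits for full RCPT line:",
          string_match_hits(segs, b"RCPT TO:<bob@mail-a.example>"))
    print("ALG recipient domains:", alg_recipient_domains(segs))
```

Run with a small mss and the string match never sees a complete RCPT TO line, while the gateway, working on the reassembled stream, lists both recipient domains; raise the mss to 1500 and the string match starts hitting again, which is exactly why matching on fragments of the payload is not a substitute for a protocol-aware proxy.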