On Tuesday 29 June 2004 10:29 am, Marco Colombo wrote:
> Antony Stone wrote:
> >
> > Netfilter works at OSI layers 3 & 4, therefore it can't identify what is
> > HTTP / FTP / DNS etc - it can only guess.
>
> Not completely true, IMHO. conntrack modules look well above the TCP level
> (OSI levels make little sense for the TCP/IP protocol suite, they simply
> don't fit perfectly) otherwise they won't work. ip_conntrack_ftp does look
> at the FTP protocol, and is able to recognise incoming (data) connections
> as RELATED to the control one.

I agree with what you say, however the connection tracking helper modules such as ip_conntrack_ftp look at such specific and restricted parts of the application layer data that I wouldn't say they "work at that layer" in the same sense that a proper proxy system does, for example.

> But I don't know how to use such knowledge
> to detect FTP running on non-standard ports, particularly in matching a
> rule.

Indeed, because that's not what netfilter's knowledge of the application layer is for.

There is also a "string" match within netfilter, which does look (completely generically) inside the payload of the packet, however it has sufficient restrictions and caveats regarding its effective use that again I would not consider this to mean that netfilter effectively "works" at the application layer.

Regards,

Antony.

--
Bill Gates has personally assured the Spanish Academy that he will never allow the upside-down question mark to disappear from Microsoft word-processing programs, which must be reassuring for millions of Spanish-speaking people, though just a piddling afterthought as far as he's concerned.

 - Lynne Truss, "Eats, Shoots and Leaves"

Please reply to the list; please don't CC me.
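As an added illustration, not part of the original thread, here is a toy Python model of the two mechanisms under discussion: a helper in the spirit of ip_conntrack_ftp, which only parses the PASV reply on the control connection and registers the announced data endpoint as an expected RELATED flow, beside a per-packet payload match in the spirit of the "string" match, which cannot see a pattern that straddles two TCP segments. The class and function names, and the packet payloads in the test, are constructed for this example.

```python
"""Constructed model of the distinction drawn above (not netfilter code).

- FtpHelper parses only the one thing a conntrack helper cares about, the
  227 PASV reply, and records the expected data connection as RELATED.
- packet_string_match looks at one packet payload at a time, like -m string,
  so it misses a pattern that is split across segments; stream_string_match
  shows what a stream-reassembling proxy would see instead.
"""
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> data endpoint h1.h2.h3.h4:p1*256+p2
PASV_RE = re.compile(rb"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class FtpHelper:
    """Minimal stand-in for a connection tracking helper (per-packet, like the real one)."""

    def __init__(self):
        self.expected = set()  # (dst_ip, dst_port) tuples awaiting a data connection

    def on_control_packet(self, payload: bytes) -> None:
        m = PASV_RE.search(payload)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            self.expected.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))

    def classify(self, dst_ip: str, dst_port: int) -> str:
        """Conntrack state a new SYN to (dst_ip, dst_port) would get."""
        key = (dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)  # an expectation is consumed once
            return "RELATED"
        return "NEW"


def packet_string_match(segments, pattern: bytes) -> bool:
    """Per-packet check: True only if some single segment contains the pattern."""
    return any(pattern in seg for seg in segments)


def stream_string_match(segments, pattern: bytes) -> bool:
    """What a proxy sees after reassembling the byte stream."""
    return pattern in b"".join(segments)
```

The helper only ever recognises the specific reply it was written for; any other FTP knowledge (such as the service running on a non-standard port) is outside what it records.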