Re: Does netfilter intercept the HTTP method like GET and POST?

supercodeing35271 supercodeing35271 wrote:
Hi, I was just thinking about whether netfilter could do application-layer protection. Assume there is a website whose server is Apache/Tomcat, and the browser submits an HTTP/JSP form which contains a malicious string for a SQL or XSS attack. Now the netfilter program on the website server gets the string before it is sent to Tomcat and checks the string. So could this be done? And how to do it with netfilter?

NetFilter does have some layer 7 capabilities that can be used to do this. However, it will be difficult (at best?) to do it very well.

I think you would be far better off using some sort of reverse proxy that is meant to work at the application layer. I.e. Squid, or Apache, or Nginx, or the likes.

For NetFilter to be able to do what you are wanting, you will have to possibly deal with fragmented packets designed to thwart filtering like you want to do.

Whereas with an application layer gateway / reverse proxy, it will receive the request, re-assemble it, run a sanity check on it (against rules that you can easily define) and then pass only the valid requests on to your back end web server.



Grant. . . .
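An added illustration of the reassembly point above (not code from the thread): a per-segment matcher in the style of a packet filter misses a signature when the request is delivered in two TCP segments cut inside the suspicious token, while an inspector that rebuilds the stream and parses the HTTP message first still sees it. The request, the segment split and the tautology signature are all constructed for this example.

```python
import re
from typing import List
from urllib.parse import unquote_plus

# Constructed, deliberately narrow signature for a classic tautology such as ' OR '1'='1
TAUTOLOGY = re.compile(r"'\s*OR\s+'?1'?\s*=\s*'?1", re.IGNORECASE)

# Constructed sample request; Content-Length is computed so the message is well formed.
BODY = b"user=admin%27+OR+%271%27%3D%271&pw=x"
REQUEST = (
    b"POST /login.jsp HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY
)

def split_stream(data: bytes, cut: int) -> List[bytes]:
    """Model a sender delivering the request as two TCP segments, cut at byte `cut`."""
    return [data[:cut], data[cut:]]

def per_packet_match(segments: List[bytes]) -> bool:
    """Packet-filter style: every segment is inspected on its own, no reassembly."""
    return any(TAUTOLOGY.search(unquote_plus(seg.decode("latin-1"))) for seg in segments)

def reassembled_match(segments: List[bytes]) -> bool:
    """Reverse-proxy style: rebuild the byte stream, parse the message, then inspect."""
    stream = b"".join(segments)
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return False  # headers not complete yet: wait for more data
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b": ")
        headers[name.lower()] = value
    length = int(headers.get(b"content-length", b"0"))
    if len(rest) < length:
        return False  # body not complete yet: never judge a fragment
    body = unquote_plus(rest[:length].decode("latin-1"))
    return bool(TAUTOLOGY.search(body))

def demo():
    cut = REQUEST.index(b"+OR+") + 2   # split the stream inside the injected token
    segs = split_stream(REQUEST, cut)
    return per_packet_match(segs), reassembled_match(segs)

if __name__ == "__main__":
    print(demo())  # (False, True)
```

The same reassembly step is what lets the proxy apply a rule set to the decoded form body rather than to whatever bytes happened to land in one packet.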