* Kostas Zorbadelos <kzo...@otenet.gr> [2012-06-09 18:02]:
> Henning Brauer <lists-open...@bsws.de> writes:
> > string matching to more or less random packets' payload in the kernel?
> > that is beyond insane.
> I am interested to know if this has caused problems in iptables
> setups. It sounds dangerous, however Linux systems provide the
> capability. I guess they have thought about consequences and hopefully
> somehow addressed them.

your guess is wrong... they might have been lucky so far, or not, I
don't follow all the iptables bugs.

> > the proper solution is a small userland helper process, using divert-to
> > and maybe socket splicing.
> I am not sure we are talking about the same thing (you must have an
> implementation clearly in your mind ;-) ), but
> my feeling for a proper way to address this problem is via a
> userland application in a proxy or intercepting mode. This could filter
> the offending traffic and give to the nameserver the rest to
> service.

that is pretty much what it comes down to, tho writing these proxies is
very easy these days, using the techniques I mentioned above.

> I think you also talk about this (correct me if I am wrong). The main
> problem with it is that it needs to be developed :)

right.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
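For readers who want to see what the "small userland helper process, using divert-to" alternative to in-kernel payload matching looks like, here is an added example that is not code from this thread or from either poster. It assumes a pf rule of the form `pass in on em0 proto udp to port 53 divert-to 127.0.0.1 port 5300` (interface, ports and addresses are assumptions), a real nameserver reachable on an assumed address, and a constructed filtering policy (refuse ANY queries and queries under a placeholder zone). pf hands the datagram to a normal UDP socket; the helper parses the DNS question in userland, where a parser bug costs a process rather than the kernel, answers REFUSED for what the policy rejects, and relays everything else to the nameserver.

```python
"""Minimal userland DNS filter helper behind pf divert-to.

Added example; not code from the mailing-list thread. Assumed pf.conf rule
(names, ports and addresses are assumptions for this example):

    pass in on em0 proto udp to port 53 divert-to 127.0.0.1 port 5300
"""
import socket
import struct

# Constructed policy: refuse QTYPE ANY (255) and any name under "evil.test".
DROP_QTYPES = {255}
BLOCKED_SUFFIXES = ("evil.test",)

UPSTREAM = ("127.0.0.1", 5353)   # assumed address of the real nameserver
LISTEN = ("127.0.0.1", 5300)     # must match the divert-to target above


def parse_query(pkt):
    """Return (qname, qtype, question_end) for a single-question DNS query.

    Raises ValueError on anything that is not a plausible query, so the
    caller can drop it without ever touching the nameserver.
    """
    if len(pkt) < 12:
        raise ValueError("short header")
    _qid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        if pos + n > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return ".".join(labels).lower(), qtype, pos + 4


def should_drop(qname, qtype):
    """Constructed policy decision; replace with whatever the site needs."""
    if qtype in DROP_QTYPES:
        return True
    return any(qname == s or qname.endswith("." + s) for s in BLOCKED_SUFFIXES)


def refused(pkt, question_end):
    """Build a REFUSED (RCODE 5) reply echoing the question, so the client
    gets a definite answer instead of waiting for a timeout."""
    qid, flags = struct.unpack("!HH", pkt[:4])
    rflags = 0x8000 | (flags & 0x0100) | 5      # QR=1, keep RD, RCODE=5
    header = struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0)
    return header + pkt[12:question_end]


def handle_query(pkt, forward):
    """Decide what one datagram gets: None (drop silently), a REFUSED reply,
    or whatever `forward(pkt)` returns from the real nameserver."""
    try:
        qname, qtype, qend = parse_query(pkt)
    except ValueError:
        return None
    if should_drop(qname, qtype):
        return refused(pkt, qend)
    return forward(pkt)


def relay_upstream(pkt, timeout=2.0):
    """Default forwarder: one UDP exchange with the real nameserver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, UPSTREAM)
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def serve():
    """Receive diverted queries on LISTEN and answer or relay each one."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(LISTEN)
        while True:
            pkt, client = s.recvfrom(4096)
            reply = handle_query(pkt, relay_upstream)
            if reply is not None:
                s.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

The example keeps the policy in `should_drop` and the parsing in `parse_query` so that the unprivileged helper, not pf, is what rejects malformed or unwanted queries. It is written portably: on OpenBSD a production helper would additionally send its reply with the original destination address as source (IP_SENDSRCADDR ancillary data) so the client sees the answer coming from the nameserver's address rather than from 127.0.0.1.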