On Sun, 13 Jun 2010, Vadim Zhukov wrote:
> No, no, it's me who is excluding this way. :) Moving packets through
> userland and reimplementing states in the app is not the simplest,
> most reliable and - last but not least - fastest way, IMHO. Please
> prove me if I'm wrong.
Well, in a sense, proxying is the most reliable in that it ensures that there is no exploitable ambiguity of interpretation between the inspector and the receiver of traffic. This is well described in Ptacek and Newsham's "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" [1].

AFAIK your patch doesn't seem to deal with the trivial case where the data to inspect spans more than one packet, so it isn't reliable even with non-adversarial traffic. The fact that doing this right is exceedingly difficult is why it doesn't exist in PF already.

-d

[1] http://www.icir.org/vern/Ptacek-Newsham-Evasion-98.ps
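The two problems raised above (a pattern split across packets, and the inspector and the endpoint disagreeing on overlapping data) in a small added illustration. This is example code written for this page, not part of the thread or of PF; the segments and the signature string are constructed, and the two overlap policies are simplified stand-ins for what real TCP stacks do.

```python
# Added example (not from the thread): a per-packet matcher versus a
# stream-reassembling one, run over constructed TCP segments.
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # relative TCP sequence number of payload[0]
    payload: bytes


PATTERN = b"INSPECT-ME"  # constructed signature to look for


def match_per_packet(segments, pattern=PATTERN):
    """Naive inspector: searches each segment's payload on its own."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments, policy="first"):
    """Rebuild the contiguous byte stream an endpoint would deliver.

    policy="first": on overlap, the byte received first is kept.
    policy="last":  on overlap, the later segment overwrites.
    Real stacks differ on this; that difference is the ambiguity the
    Ptacek-Newsham paper describes.
    """
    stream = {}
    for s in sorted(segments, key=lambda s: s.seq):
        for i, b in enumerate(s.payload):
            off = s.seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    out = bytearray()
    while len(out) in stream:          # stop at the first gap
        out.append(stream[len(out)])
    return bytes(out)


def match_reassembled(segments, pattern=PATTERN, policy="first"):
    """Inspector that matches on the reassembled stream under one policy."""
    return pattern in reassemble(segments, policy)


# Case 1: the signature is split across two in-order segments.
SPLIT = [Segment(0, b"INSPE"), Segment(5, b"CT-ME\r\n")]

# Case 2: overlapping segments carry different bytes at offsets 8-9, so
# what the application sees depends on the receiver's overlap policy.
OVERLAP = [Segment(0, b"INSPECT-ZZ"), Segment(8, b"ME")]

if __name__ == "__main__":
    print("split, per-packet:  ", match_per_packet(SPLIT))                 # False
    print("split, reassembled: ", match_reassembled(SPLIT))                # True
    print("overlap, first-wins:", match_reassembled(OVERLAP, policy="first"))  # False
    print("overlap, last-wins: ", match_reassembled(OVERLAP, policy="last"))   # True
```

An inspector that commits to one overlap policy produces a different verdict from an endpoint that uses the other, which is why the reply above argues that terminating the connection in a proxy removes the ambiguity rather than trying to model it.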