Re: content-filtering of tcp-ip-packages

Erik Corry (erik@arbat.com)
Sun, 29 Nov 1998 11:57:12 +0100


In article <3660111C.781662ED@uni-bremen.de> you wrote:
> I would like to hack the firewall part of the kernel so that it would not
> let through any JavaScript or Java or ActiveX stuff. I think about some
> kind of string recognition for Java(Script) and some recognition of the
> file name (*.ocx) for ActiveX.

See the paper "Blocking Java Applets at the Firewall" by Martin,
Rajagopalan and Rubin from
http://www.cs.bu.edu/techreports/96-026-java-firewalls.ps.Z

They explain why it is better to do this sort of thing
in app-level proxies than in packet filters (IP packets
are fragmented, proxies see the whole data stream, also
compressed, encrypted, encoded, attached files don't
necessarily contain the magic byte sequences, while
legitimate IP traffic might well). Apparently http-gw
from the TIS toolkit can be configured to block Java, but
as you will see in the article, it's a difficult business.

-- 
Erik Corry erik@arbat.com           Ceterum censeo, Microsoftem esse delendam!
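
Added example, not part of the original message or of the cited paper: a small check of the point above that a per-packet signature match behaves differently from a scan of the reassembled stream. It assumes the "magic byte sequence" is the Java class-file magic number 0xCAFEBABE; the HTTP response, the split point and all names are constructed for illustration.

```python
import base64

# Assumption: the "magic byte sequence" is the Java class-file magic number.
JAVA_CLASS_MAGIC = bytes.fromhex("cafebabe")

def per_packet_hits(payloads, sig=JAVA_CLASS_MAGIC):
    """Packet-filter view: inspect every payload in isolation."""
    return [i for i, p in enumerate(payloads) if sig in p]

class StreamScanner:
    """Proxy view: scan the reassembled byte stream, carrying over the last
    len(sig)-1 bytes so a signature straddling two payloads is still seen."""

    def __init__(self, sig=JAVA_CLASS_MAGIC):
        self.sig, self.tail, self.consumed, self.hits = sig, b"", 0, []

    def feed(self, payload):
        window = self.tail + payload
        base = self.consumed - len(self.tail)    # stream offset of window[0]
        pos = window.find(self.sig)
        while pos != -1:
            self.hits.append(base + pos)
            pos = window.find(self.sig, pos + 1)
        self.consumed += len(payload)
        keep = len(self.sig) - 1
        self.tail = window[-keep:] if keep else b""
        return self.hits

def scan_stream(payloads):
    """Feed payloads in order and return stream offsets of all matches."""
    scanner = StreamScanner()
    for p in payloads:
        scanner.feed(p)
    return scanner.hits

# Constructed sample data (not captured traffic).
HEADERS = b"HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
CLASS_BYTES = JAVA_CLASS_MAGIC + b"\x00\x03\x00\x2d" + b"\x00" * 16
RESPONSE = HEADERS + CLASS_BYTES
CUT = len(HEADERS) + 2                           # boundary falls inside the magic
SPLIT = [RESPONSE[:CUT], RESPONSE[CUT:]]
ENCODED = [HEADERS + base64.b64encode(CLASS_BYTES)]

if __name__ == "__main__":
    print("one payload, per-packet:", per_packet_hits([RESPONSE]))
    print("split, per-packet:      ", per_packet_hits(SPLIT))
    print("split, stream scan:     ", scan_stream(SPLIT))
    print("base64 body, stream scan:", scan_stream(ENCODED))
```

The base64 case comes back empty even for the stream scanner: a byte match alone is not enough, and the inspecting component has to decode the content first, which is work an application-level proxy is positioned to do.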
