Re: linux robust?can build application layer firewall on linux?

From: Walter Mautner (nownews.10.eatallspam_at_spamgourmet.com)
Date: 09/10/04


Date: Fri, 10 Sep 2004 07:34:08 +0200

Jeroen Geilman wrote:

> Walter Mautner wrote:
>
>> What (the heck) is an application layer firewall?
>
> A firewall that operates at the top ("application") layers of the OSI or
> TCP/IP stacks, respectively.
>
That would be an application level gateway or proxy?
 
>> You think of the "personal desktop firewalls" for windows?
>
> No, he isn't.
>
....
> What you are calling a "firewall is a firewall is a firewall" (sic) is
> actually a /stateful packet filter/.
> It can be /part/ of a firewall, it can even be the only thing *running*
> on the firewall, but it is /not/ the only kind of firewall.
>
Hmm, I also thought about (transparent) squid proxy, email and news
gateway/servers like postfix/fetchmail, leafnode running on the firewall
host, if necessary. And blocking direct access to http/pop/imap/smtp from
inside.
But then, new applications using the same protocol won't pop up a more or
less warning window, or get logged otherwise, as long as they adhere to the
protocol and correct target ports.
A transparent proxy cannot help against other programs using http access,
or am I really confused?
 
> It isn't even a firewall in and of itself - a stateful packet filter
> only *becomes* a firewall in combination with a /router/.
>
Damned, yes.
 
> An application-layer firewall can certainly distinguish between
> different application-layer protocols, and scan the contents of the
> packets to filter on application protocol content.
> HTTP(S), FTP, SMTP, POP3, IMAP4, SSH are all application protocols.
>
> They are not applications.
>
Well, I falsely interpreted that the OP had asked about exactly that feature
which only desktop firewalls running on the same host as the application
can provide (scanning for application program names/md5 checksums to
recognize modified programs). It's no firewall then, rather a spyware
detection/blocking tool. Must have been really confused :)
...
> A proxy likewise does not interact with any application - it interacts
> with network protocols used by applications.
> Which specific application this is (e.g. a web browser) is completely
> irrelevant to the proxy server.
>
>> Even that cannot hinder an application calling home via web across the
>> proxy, or using tunnels.
>
> You are so confused.
>
> That's exactly what a packet filter can and does prohibit.
>
Now tell me, what would you do to protect a LAN from spyware calling home
from the inside across well-known and forwarded/proxied ports using the
proper protocol? I guess it can't be done on the firewall.
Neither can it recognize a tunnel as long as there are no specific patterns
or protocol violations.
It would have to be a content filter, am I wrong again?

-- 
Longhorn error#4711: TCPA / NGSCB VIOLATION: Microsoft optical mouse 
detected penguin patterns on mousepad. Partition scan in progress
 to remove offending incompatible products.  Reactivate your MS software. 
Linux woodpecker.homnet.at 2.6.8reiser4pkt [LinuxCounter#295241]
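An added example, not from this thread: the one thing a proxy-side content filter can do here that a packet filter cannot is read the HTTP request line and User-Agent that Squid writes to access.log, so a LAN client fetching the same URL at clockwork intervals stands out even though it speaks correct HTTP on port 80. The log lines, addresses and hosts below are constructed for this example; they follow Squid's predefined `combined` logformat.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample in Squid's "combined" logformat (made-up clients, hosts, agents).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2004:07:00:00 +0200] "GET http://www.example.org/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TCP_MISS:DIRECT
10.0.0.5 - - [10/Sep/2004:07:00:04 +0200] "GET http://www.example.org/a.css HTTP/1.1" 200 812 "http://www.example.org/" "Mozilla/5.0" TCP_MISS:DIRECT
10.0.0.7 - - [10/Sep/2004:07:00:00 +0200] "GET http://stats.example.net/ping?id=1 HTTP/1.0" 200 43 "-" "updater/1.0" TCP_MISS:DIRECT
10.0.0.7 - - [10/Sep/2004:07:05:00 +0200] "GET http://stats.example.net/ping?id=1 HTTP/1.0" 200 43 "-" "updater/1.0" TCP_MISS:DIRECT
10.0.0.7 - - [10/Sep/2004:07:10:00 +0200] "GET http://stats.example.net/ping?id=1 HTTP/1.0" 200 43 "-" "updater/1.0" TCP_MISS:DIRECT
10.0.0.7 - - [10/Sep/2004:07:15:00 +0200] "GET http://stats.example.net/ping?id=1 HTTP/1.0" 200 43 "-" "updater/1.0" TCP_MISS:DIRECT
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["host"] = urlsplit(rec["url"]).hostname
    return rec

def find_beacons(log_text, min_hits=3, jitter=0.1):
    """Flag (client, host, user agent) tuples that fetch at near-constant intervals."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            series[(rec["client"], rec["host"], rec["ua"])].append(rec["when"])
    hits = []
    for (client, host, ua), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Clockwork timing plus a non-browser agent is visible only above the packet level.
        if avg > 0 and pstdev(gaps) <= jitter * avg:
            hits.append({"client": client, "host": host, "user_agent": ua,
                         "interval": avg, "browser_like": ua.startswith("Mozilla/")})
    return hits
```

Run it over a real access.log in the same format to list every client that polls a host on a fixed schedule; the `jitter` fraction controls how regular the timing must be.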