Re: linux robust?can build application layer firewall on linux?

From: Walter Mautner (
Date: 09/10/04

Date: Fri, 10 Sep 2004 07:34:08 +0200

Jeroen Geilman wrote:

> Walter Mautner wrote:
>> What (the heck) is an application layer firewall?
> A firewall that operates at the top ("application") layers of the OSI or
> TCP/IP stacks, respectively.
That would be an application level gateway or proxy?
>> You think of the "personal desktop firewalls" for windows?
> No, he isn't.
> What you are calling a "firewall is a firewall is a firewall" (sic) is
> actually a /stateful packet filter/.
> It can be /part/ of a firewall, it can even be the only thing *running*
> on the firewall, but it is /not/ the only kind of firewall.
Hmm, I also thought about (transparent) squid proxy, email and news
gateway/servers like postfix/fetchmail, leafnode running on the firewall
host, if necessary. And blocking direct access to http/pop/imap/smtp from
But then, new applications using the same protocol won't pop up a more or
less warning window, or get logged otherwise, as long as they adhere to the
protocol and correct target ports.
A transparent proxy cannot help against other programs using http access,
or am I really confused?
> It isn't even a firewall in and of itself - a stateful packet filter
> only *becomes* a firewall in combination with a /router/.
Damned, yes.
> An application-layer firewall can certainly distinguish between
> different application-layer protocols, and scan the contents of the
> packets to filter on application protocol content.
> HTTP(S), FTP, SMTP, POP3, IMAP4, SSH are all application protocols.
> They are not applications.
Well, I falsely interpreted the OP had asked about exactly that feature
which only desktop firewalls running on the same host as the application
can provide (scanning for application program names/md5 checksums to
recognize modified programs). It's no firewall then, rather a spyware
detection/blocking tool. Must have been really confused :)
> A proxy likewise does not interact with any application - it interacts
> with network protocols used by applications.
> Which specific application this is (e.g. a web browser) is completely
> irrelevant to the proxy server.
>> Even that cannot hinder an application calling home via web across the
>> proxy, or using tunnels.
> You are so confused.
> That's exactly what a packet filter can and does prohibit.
Now tell me, what would you do to protect a LAN from spyware calling home
from the inside across well-known and forwarded/proxied ports using the
proper protocol? I guess it can't be done on the firewall.
Neither can it recognize a tunnel as long as there are no specific patterns
or protocol violations.
It would have to be a content filter, am I wrong again?

Longhorn error#4711: TCPA / NGSCB VIOLATION: Microsoft optical mouse 
detected penguin patterns on mousepad. Partition scan in progress
 to remove offending incompatible products.  Reactivate your MS software. 
Linux 2.6.8reiser4pkt [LinuxCounter#295241]
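Added illustration (not code from this thread, nor from any product mentioned in it): a minimal admission check of the kind a transparent HTTP proxy on the firewall host could apply to connections redirected from port 80. It checks only protocol shape (request line, header syntax, Host header), so a well-formed request from spyware passes exactly like one from a browser, while an SSH banner or a malformed header on port 80 is rejected. The request-line and header patterns are a simplified HTTP/1.x subset chosen for this example, and all sample requests are constructed inline.

```python
import re

# Simplified HTTP/1.x request-line and header syntax (assumption: a
# real proxy such as squid enforces considerably more than this).
REQUEST_LINE = re.compile(
    r"^(GET|HEAD|POST) (/[^ ]*|https?://[^ ]+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*)$")


def check_http_request(raw: bytes):
    """Return (allowed, reason) for the first bytes of a redirected
    port-80 connection. Only protocol conformance is judged; which
    program on the client produced the bytes is invisible here."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes where HTTP/1.x framing is expected"

    first_line = text.split("\r\n", 1)[0]
    if not REQUEST_LINE.match(first_line):
        return False, "not an HTTP/1.x request line: %r" % first_line[:40]

    head, terminator, _body = text.partition("\r\n\r\n")
    if not terminator:
        return False, "header block not terminated"

    headers = {}
    for line in head.split("\r\n")[1:]:
        match = HEADER_LINE.match(line)
        if not match:
            return False, "malformed header line: %r" % line[:40]
        headers[match.group(1).lower()] = match.group(2)

    if "host" not in headers:
        return False, "missing Host header"
    return True, "well-formed HTTP request"


# Constructed sample connections; none of these is captured traffic.
SAMPLES = {
    # Ordinary browser request.
    "browser": (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"User-Agent: Mozilla/5.0\r\n\r\n"),
    # Spyware "calling home" over plain, correct HTTP: same shape.
    "spyware_beacon": (b"POST /beacon HTTP/1.1\r\n"
                       b"Host: updates.example.net\r\n"
                       b"Content-Length: 11\r\n\r\n"
                       b"id=abc&v=1\n"),
    # SSH pushed through port 80: violates the protocol, gets caught.
    "ssh_on_port_80": b"SSH-2.0-OpenSSH_3.9p1\r\n",
    # HTTP-looking traffic with a broken header line: also caught.
    "bad_header": (b"GET / HTTP/1.1\r\n"
                   b"Host www.example.com\r\n\r\n"),
}


def run_samples():
    """Map each sample name to whether the proxy check would admit it."""
    return {name: check_http_request(data)[0]
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        allowed, reason = check_http_request(data)
        print("%-16s %-6s %s" % (name, "ALLOW" if allowed else "DENY", reason))
```

The point of the run is the second sample: the beacon is admitted for the same reason the browser request is, because the proxy sees a protocol, not an application. Only the two samples that break the protocol are stopped, which is the "no patterns or protocol violations" limit the post describes.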
