Theo P. Zourzouvillys wrote:
> On Friday 24 October 2003 1:19 am, Paul Weaver wrote:
>
>>Long story semi-short, is there an iptables style thingee that can drop
>>packets based on their application layer content?

Sure but that isn't a layer 7 proxy. Layer seven proxies reassemble, check and recreate the data; in some cases stateful type inspections may be good enough, but for XML it gets hideous I suspect. What do you do if the later packets don't close tags opened in the earlier ones?

Squid handles HTTP, HTTPS, FTP. Check out delegate.org and try Googling for "application level gateway".

> Nothing readily available for what you need, but easy to write using iptables
> conntrack API.

If they genuinely want a layer 7 proxy, why not just write one in Perl? Java may be a better choice for once, as the parser is probably guaranteed to be a bit more robust.

Is all it is doing inspecting XML and passing it on to a remote machine, or does this proxy allow them to filter on the basis of the content of the XML?

There are several start-ups flogging XML firewalls, although I thought the whole point of XML was it was easy to parse safely, so is it the content they want to filter?

I assume this is all SOAP driven, which is usually bound to HTTP requests, so you might check what sort of stuff SQUID and friends can do already with HTTP.

Also kick Nick Kew if you want an answer from someone who knows, as he has been involved in proxies that manipulate HTML in complex ways, so probably knows a thing or two that may be relevant.

--
The Mailing List for the Devon & Cornwall LUG
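
An added example, not part of the original post: it contrasts a per-packet string match with a proxy that feeds every segment to one incremental XML parser, covering the case raised above where later packets never close tags opened in earlier ones. The element name `DeleteAccount`, the sample segments and the function names are assumptions made for illustration.

```python
import xml.parsers.expat

BLOCKED = "DeleteAccount"  # hypothetical element name the policy forbids

def per_packet_match(segments, needle=BLOCKED.encode()):
    """Packet-filter style: search each segment on its own for a byte string."""
    return any(needle in seg for seg in segments)

def proxy_verdict(segments, blocked=BLOCKED):
    """Proxy style: reassemble by feeding every segment to one incremental
    parser; forward only if the whole message is well-formed and allowed."""
    seen = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    try:
        for seg in segments:
            parser.Parse(seg, False)
        parser.Parse(b"", True)  # end of stream: unclosed tags raise here
    except xml.parsers.expat.ExpatError:
        return "reject: malformed"
    if blocked in seen:
        return "reject: blocked element"
    return "forward"

# Constructed sample traffic: each list item stands for one TCP segment payload.
SPLIT = [b"<Envelope><Body><Delete", b'Account id="42"/></Body>', b"</Envelope>"]
TRUNCATED = [b"<Envelope><Body><GetQuote>", b"<Symbol>ACME</Symbol>"]
CLEAN = TRUNCATED + [b"</GetQuote></Body></Envelope>"]

if __name__ == "__main__":
    for label, segs in (("split", SPLIT), ("truncated", TRUNCATED), ("clean", CLEAN)):
        print(label, per_packet_match(segs), proxy_verdict(segs))
```

A production gateway would also cap message size and refuse DTDs before parsing; those limits are left out here to keep the reassembly point visible.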