Re: content-filtering of tcp-ip-packages

Alex Butcher (linkern@cocoa.demon.co.uk)
Sun, 29 Nov 1998 20:27:43 +0000 (GMT)


On Sat, 28 Nov 1998, Andreas Schuldei wrote:

> I would like to try and enhance the firewall part of the kernel so that
> it would not let through any JavaScript, Java or ActiveX stuff. I think
> about some kind of string recognition for Java(Script) and some
> recognition of the file name (*.ocx) for ActiveX.
>
> What effort would this take?

Depends on what approach you take (I'll detail possible ways later).

> Is this possible?

Absolutely. There are commercial products which do this already.

> How would you approach
> this topic?

Depends. For ease of development (i.e. something to show relatively
quickly), I'd go for a proxy approach that sends some kind of keep-alive
to the browser to stop it from timing out whilst the proxy downloads and
scans the file via http/ftp, relaying when it's completed.

For ease of use and performance, you could use a routing approach (i.e.
have a Linux box as an IP router in between the client(s) and the
server(s)). This would require some kernel support to 'suck' packets from
a specific connection out of the kernel and into userspace. The userspace
process queues and examines packets and the kernel routes as normal until
the final packet of a connection, where, if the connection is disallowed,
a TCP RST is spoofed and sent to both parties.

*ahem* - there may be a patent on the latter approach! :)

Best Regards,
Alex.

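Added example, not code from the thread or from the kernel: a small userspace filter in the spirit of the proxy approach Alex describes. It buffers a server's HTTP response chunk by chunk (the proxy would be sending keep-alives to the browser meanwhile), then decides on the completed response using the three checks the thread mentions: the requested file name (`*.ocx`), the Content-Type, and string recognition over the body. It also shows why the scan has to run over the reassembled stream rather than individual packets: a `<script>` tag split across segments is missed by per-packet matching but caught once the body is complete. The marker patterns, the blocked extensions beyond `.ocx`, the Content-Type fragments and all sample responses are constructed assumptions for the example.

```python
import re

# Body markers for active content. These patterns are an assumption for the
# example, not a vetted signature set. Case-insensitive to catch <SCRIPT> etc.
BODY_MARKERS = {
    "javascript": re.compile(rb"<\s*script\b|javascript\s*:", re.IGNORECASE),
    "java_applet": re.compile(rb"<\s*applet\b", re.IGNORECASE),
    "activex": re.compile(rb"<\s*object\b[^>]*\bclassid\s*=", re.IGNORECASE),
}

# File-name rule from the original post ("*.ocx"), extended here as an
# assumption to Java class files, archives and cabinet files.
BLOCKED_EXTENSIONS = (".ocx", ".class", ".jar", ".cab")

# Content-Type substrings treated as active content (assumption).
BLOCKED_CTYPE_FRAGMENTS = (b"java", b"oleobject")


def blocked_by_path(path: str) -> bool:
    """True if the requested URL path names a blocked file type (query ignored)."""
    bare = path.split("?", 1)[0].lower()
    return bare.endswith(BLOCKED_EXTENSIONS)


def scan_body(body: bytes) -> list:
    """Marker names found in a complete body, sorted for stable output."""
    return sorted(name for name, rx in BODY_MARKERS.items() if rx.search(body))


class ResponseFilter:
    """Buffers one HTTP response as a proxy would, deciding only when complete."""

    def __init__(self, path: str):
        self.path = path
        self.buf = b""

    def feed(self, chunk: bytes) -> None:
        """Append a chunk of the server's response (e.g. one TCP segment)."""
        self.buf += chunk

    def decide(self) -> dict:
        """Return {'allow': bool, 'reasons': [...]} for the buffered response."""
        reasons = []
        if blocked_by_path(self.path):
            ext = self.path.split("?", 1)[0].rsplit(".", 1)[-1].lower()
            reasons.append("path:" + ext)
        head, sep, body = self.buf.partition(b"\r\n\r\n")
        if not sep:
            # Fail closed: the headers never completed, so nothing can be checked.
            reasons.append("incomplete-response")
            return {"allow": False, "reasons": reasons}
        m = re.search(rb"^content-type:\s*([^\r\n]+)", head,
                      re.IGNORECASE | re.MULTILINE)
        ctype = m.group(1).strip().lower() if m else b""
        if any(frag in ctype for frag in BLOCKED_CTYPE_FRAGMENTS):
            reasons.append("content-type:" + ctype.decode("ascii", "replace"))
        reasons.extend("body:" + hit for hit in scan_body(body))
        return {"allow": not reasons, "reasons": reasons}


def filter_chunks(path: str, chunks: list) -> dict:
    """Feed every chunk of a response, then decide (the proxy's full-download case)."""
    f = ResponseFilter(path)
    for c in chunks:
        f.feed(c)
    return f.decide()


def per_packet_hits(chunks: list) -> list:
    """What a naive per-packet string matcher sees: each chunk scanned on its own."""
    hits = []
    for c in chunks:
        hits.extend(scan_body(c))
    return hits


# Constructed sample responses (not real captures).
SAMPLE_CLEAN = [
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>Hello</h1></body></html>"
]
# The <script> tags are split across three segments; no single segment holds one.
SAMPLE_SPLIT_SCRIPT = [
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html><scr",
    b"ipt>document.write('hi')</scr",
    b"ipt></html>",
]
SAMPLE_APPLET = [
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<HTML><APPLET CODE="Clock.class" WIDTH=100></APPLET></HTML>'
]
SAMPLE_OCX = [
    b"HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n\x4d\x5a\x90\x00"
]

if __name__ == "__main__":
    for path, chunks in (("/index.html", SAMPLE_CLEAN),
                         ("/page.html", SAMPLE_SPLIT_SCRIPT),
                         ("/clock.html", SAMPLE_APPLET),
                         ("/ctl/widget.ocx?v=1", SAMPLE_OCX)):
        print(path, filter_chunks(path, chunks), "per-packet:", per_packet_hits(chunks))
```

The split-script sample is the practical point for the routing variant: if the userspace process only pattern-matches each queued packet, it sees nothing, and the RST decision at the final packet has to be made over the reassembled connection data, which is exactly what the proxy gets for free by downloading the whole object first.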