Re(2): URL filtering / IP Filter NKE

  • Subject: Re(2): URL filtering / IP Filter NKE
  • From: Peter Lovell <email@hidden>
  • Date: Wed, 22 Jun 2011 18:38:21 -0400

On Wed, Jun 22, 2011, Quinn "The Eskimo!" <email@hidden> wrote:

>On 22 Jun 2011, at 11:46, Deena Awate wrote:
>
>> I had tried my hands on option B. Through socket filter I could get
>> just the IP address and not the URL.
>
>Well, the URL is not transmitted until the connection is complete, and
>you'd have to grovel through the HTTP header to find it.  But that's not
>different from doing it at the IP layer.
>
>> The error returned from socket filter was informative but I am unable
>> to achieve the same through IP filter.
>
>Correct.
>
>> I looked around for synthesising a connection reset, but could not
>> find how to do it.
>
>This is just basic TCP.  You will have to send 'back' (that is, up the
>kernel stack, towards the app) a TCP packet that has the RST flag set.


Quinn's right (isn't he always :)

You get the URL but that's not the original request (i.e. what you see in the address bar). The browser makes a dns-lookup request, connects to the IP address it receives, and sends the request without the "www.apple.com" or whatever.

Most browsers these days include that name in the "Host" field in the http request but that's a nice-to-have rather than being definitive.

But the browser doesn't send anything until you let it believe that the connection is complete. So there is a large amount of fakery going on, if you need to see the full http request. To start with, your NKE "gobbles" the connection request and tells the browser that the connection was successful (i.e. you lie). You then grab all the contents of the request (there may be several) and analyze it. If you don't want to allow the activity, return html saying "too bad" and give a close to the browser. If it's OK then pull out your gobbled connection request and send it. When the response comes back send the accumulated web request.

If it's acceptable to rely upon the "Host" field then you don't need to track the IP addresses for the connection. Otherwise, you will need to watch all the dns request/responses. The connection request is by IP address so you need to have your own address-to-name table if the name is critically important.

Regards.....Peter
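A user-space sketch of the request analysis Peter describes (accumulate the request until the header block is complete, rebuild the URL from the Host field or, failing that, from the filter's own DNS-derived address-to-name table, then either allow or answer with a "too bad" page). This is an added example, not code from the thread or from the IP Filter NKE API; the blocklist, hostnames, address table and request bytes are constructed.

```python
# Constructed sample data: placeholder hostnames and a documentation-range address.
BLOCKLIST = {"blocked.example"}
ADDR_TABLE = {"203.0.113.10": "blocked.example"}   # built from observed DNS replies
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: blocked.example\r\n\r\n"


def parse_request_head(buf: bytes):
    """Return ((method, target, version), headers) once the full header block
    (terminated by a blank line) has arrived, or None while still incomplete."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None                      # keep accumulating; browser may send more
    lines = buf[:end].split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return (method, target, version), headers


def reconstruct_url(buf: bytes, dst_ip: str, addr_table: dict):
    """Rebuild 'http://host/path'. Host is a nice-to-have, so fall back to the
    filter's own address-to-name table, and finally to the bare destination IP."""
    parsed = parse_request_head(buf)
    if parsed is None:
        return None
    (_, target, _), headers = parsed
    host = headers.get(b"host", b"").decode("ascii", "replace")
    if not host:
        host = addr_table.get(dst_ip, dst_ip)
    return f"http://{host}{target.decode('ascii', 'replace')}"


def decide(buf: bytes, dst_ip: str, addr_table: dict):
    """Return ('wait', None), ('allow', url) or ('block', response_bytes)."""
    url = reconstruct_url(buf, dst_ip, addr_table)
    if url is None:
        return ("wait", None)
    host = url[len("http://"):].split("/", 1)[0].split(":")[0]   # strip path and port
    if host in BLOCKLIST:
        body = b"<html><body>too bad</body></html>"
        resp = (b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n"
                b"Content-Type: text/html\r\nContent-Length: "
                + str(len(body)).encode() + b"\r\n\r\n" + body)
        return ("block", resp)           # send this back to the browser, then close
    return ("allow", url)                # now release the gobbled connect and replay buf
```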

Macnetworkprog mailing list      (email@hidden)

References:
  • Re: URL filtering / IP Filter NKE (From: Deena Awate <email@hidden>)
  • Re: URL filtering / IP Filter NKE (From: "Quinn \"The Eskimo!\"" <email@hidden>)
