Date: Thu, 10 Nov 2005 14:57:58 +0100 (CET)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: String Match
Message-ID: <200511101357.jAADvwWH008434@lurza.secnetix.de>
In-Reply-To: <002b01c5e53d$38c99d30$f2faa8c0@ironman>
Cesar <listas@itm.net.br> wrote:
> An interesting thing in iptables is that option to match strings, like this
> example:
>
> iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p TCP -m string --string "GET /announce" -j REJECT --reject-with tcp-reset
>
> Did anyone write a similar patch to ipfw? or ... Is this something desirable
> to ipfw which the developers will put in the future?

I can't think of any real-world examples where string-matching would be
useful and work reliably. The above examples do not work reliably, because
the rules would also have rejected your email to this mailing list. ;-)

If you want to filter on application level (e.g. certain HTTP GET commands
like the one above), you should do it in the application (e.g. apache).
That's not the job of a packet filter.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Unix gives you just enough rope to hang yourself -- and then a couple
of more feet, just to be sure." -- Eric Allman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200511101357.jAADvwWH008434>
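The point Oliver makes above, that a packet-filter string match would also have hit a mail quoting the rule, is one half of why per-packet payload matching is unreliable; the other half is that a per-packet match never sees bytes that the sender's TCP stack split across two segments. The following is an added example written for this archive page, not code from the thread or from the iptables or ipfw projects: it models the per-packet byte search (the way `iptables -m string` inspects each packet on its own) against an application-level view of the reassembled stream. The SMTP body and the BitTorrent handshake bytes are constructed samples, and the segment boundary is chosen by hand.

```python
"""Added example (not from the original mail thread): why a per-packet
string match like iptables' ``-m string`` is an unreliable application
filter.  All packet contents below are constructed for illustration.
"""

PATTERNS = (b"BitTorrent protocol", b"GET /announce")


def per_packet_match(segments, patterns=PATTERNS):
    """Model a per-packet string match: each TCP segment payload is
    searched on its own, with no reassembly across segments.  Returns
    the index of the first matching segment, or None if nothing matched."""
    for i, payload in enumerate(segments):
        if any(p in payload for p in patterns):
            return i
    return None


def stream_match(segments, patterns=PATTERNS):
    """Model what the receiving application (or a reassembling proxy)
    sees: the segments joined back into the original byte stream."""
    stream = b"".join(segments)
    return any(p in stream for p in patterns)


# 1. False positive: an SMTP DATA block quoting one of the iptables rules,
#    as a reply to the list would.  Constructed sample, sent in one segment.
SMTP_MAIL = [
    b"DATA\r\n"
    b"Subject: Re: String Match\r\n\r\n"
    b"> iptables -A FORWARD -p TCP -m string --string \"GET /announce\" -j REJECT\r\n"
    b".\r\n"
]

# 2. False negative: a 68-byte BitTorrent handshake (length prefix 19,
#    the literal "BitTorrent protocol", 8 reserved bytes, a 20-byte info
#    hash and a 20-byte peer id; hash and peer id are dummy values), with
#    the TCP segment boundary placed after the tenth byte.
HANDSHAKE = (
    b"\x13BitTorrent protocol"
    + bytes(8)
    + b"\x00" * 20
    + b"-XX0000-" + b"\x00" * 12
)
SPLIT_HANDSHAKE = [HANDSHAKE[:10], HANDSHAKE[10:]]

# 3. The same handshake delivered in one segment, which the per-packet
#    match does catch, so the rule appears to work in a quick test.
WHOLE_HANDSHAKE = [HANDSHAKE]


def demo():
    """Collect the four outcomes so they can be inspected or asserted on."""
    return {
        "mail_rejected_by_packet_filter": per_packet_match(SMTP_MAIL) is not None,
        "split_handshake_seen_by_packet_filter": per_packet_match(SPLIT_HANDSHAKE) is not None,
        "split_handshake_seen_by_application": stream_match(SPLIT_HANDSHAKE),
        "whole_handshake_seen_by_packet_filter": per_packet_match(WHOLE_HANDSHAKE) is not None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two failure modes pull in opposite directions: the mail is rejected because the pattern is searched wherever it appears in any TCP payload, while the real handshake passes because no single segment contains the whole pattern. Only the application, which works on the reassembled stream and knows its own protocol, can tell the two apart, which is the reason given above for doing this kind of filtering in the application rather than the packet filter.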