Date:      Sun, 30 Apr 2006 18:56:56 +0200
From:      Paolo Pisati <p.pisati@oltrelinux.com>
To:        Corey Smith <csmith@bonddesk.com>
Cc:        ipfw@freebsd.org
Subject:   Re: IPTABLES to IPFW for Packet Inspection Filtering
Message-ID:  <20060430165656.GA49262@tin.it>
In-Reply-To: <44526C7C.10208@bonddesk.com>
References:  <OFBD7BBE12.3AD0268B-ON8525715E.005548F1-8525715E.00561E4E@zbi.com> <44526C7C.10208@bonddesk.com>

On Fri, Apr 28, 2006 at 03:26:52PM -0400, Corey Smith wrote:
> Daniel Walker wrote:
> >IPTABLES allows for string matching.  IPFW does not.  I'll 
> >have to fire up my Ubuntu to do this.
> >  
> This has been brought up before on this list.  IPFW does not intend on 
> ever supporting string matching as a standard feature.  The developers 
> feel that this kind of expensive operation does not belong in the kernel 
> with IPFW.
> 
> This does not mean that this functionality is impossible to do with 
> IPFW/freebsd.
> 
> AFAIK String match deny processing should be done using divert(4) 
> sockets like natd.  You use IPFW to divert outgoing DNS requests to your 
> natd-like (userland) process.  This process determines whether or not it 
> contains your string and blocks the request/response if it does.
> 
> Unfortunately I'm not aware of a userland app that does this today.

Maybe this functionality could be developed entirely as
a libalias module; in that case it will work out of the box
for user- and kernel-land code linked against libalias:

natd, ppp, ipfw and ng_nat.

The only drawback is that such functionality doesn't belong
to libalias at all, so as long as we don't want to turn it 
into something different, it's not going to happen...

-- 

Paolo
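The divert(4) approach Corey describes above, as an added example that is not code from the thread, from natd or from libalias: a small userland daemon that binds a divert socket, inspects each packet ipfw hands it, drops DNS messages whose question name contains a configured substring and reinjects everything else. The divert port (8668, natd's default), the blocked substring, and the ipfw rule in the comment are assumptions for the example. One caveat the example makes concrete: a DNS QNAME is stored as length-prefixed labels, so a naive byte search for "example.com" never matches; the filter decodes the first question name into dotted lowercase form before comparing. It handles IPv4 and UDP only (DNS over TCP would need a stream reassembler), and it fails open on anything it cannot parse.

```c
/* Assumed ipfw rule that feeds this daemon (not from the original thread):
 *   ipfw add 100 divert 8668 udp from any to any dst-port 53 out
 * Build on FreeBSD with: cc -o dnsdivert dnsdivert.c ; run as root.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258        /* FreeBSD's value; lets this compile elsewhere for testing */
#endif
#define DIVERT_PORT 8668          /* assumed: must match the divert rule above */
#define BLOCKED_SUBSTRING "blocked.example"   /* assumed policy string (constructed) */

/* Decode the first question name of a DNS message into dotted lowercase form.
 * Returns the name length, or -1 if the message is truncated or malformed. */
static int dns_qname(const uint8_t *dns, size_t dnslen, char *out, size_t outlen) {
    size_t pos = 12, o = 0;                       /* 12-byte DNS header precedes the question */
    if (dnslen < 12 || (dns[4] == 0 && dns[5] == 0)) return -1;   /* QDCOUNT == 0 */
    for (;;) {
        uint8_t l;
        if (pos >= dnslen) return -1;
        l = dns[pos++];
        if (l == 0) break;                        /* root label terminates the name */
        if (l & 0xC0) return -1;                  /* compression pointer: not valid in a question */
        if (pos + l > dnslen || o + l + 1 >= outlen) return -1;
        if (o > 0) out[o++] = '.';
        for (uint8_t i = 0; i < l; i++) out[o++] = (char)tolower(dns[pos + i]);
        pos += l;
    }
    out[o] = '\0';
    return (int)o;
}

/* Policy decision for one diverted IPv4 packet: 1 = drop, 0 = reinject.
 * Anything that is not DNS over UDP, or that does not parse, is passed (fail open;
 * return 1 on parse failure instead for a fail-closed filter). */
int dns_should_drop(const uint8_t *pkt, size_t len, const char *needle) {
    char name[256], lneedle[256];
    size_t ihl, dnslen, i;
    const uint8_t *udp;
    uint16_t sport, dport, ulen;
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl + 8 > len || pkt[9] != IPPROTO_UDP) return 0;
    udp = pkt + ihl;
    sport = (uint16_t)((udp[0] << 8) | udp[1]);
    dport = (uint16_t)((udp[2] << 8) | udp[3]);
    ulen  = (uint16_t)((udp[4] << 8) | udp[5]);
    if ((sport != 53 && dport != 53) || ulen < 8 || ihl + ulen > len) return 0;
    dnslen = ulen - 8;
    if (dns_qname(udp + 8, dnslen, name, sizeof name) < 0) return 0;
    for (i = 0; needle[i] && i < sizeof lneedle - 1; i++)
        lneedle[i] = (char)tolower((unsigned char)needle[i]);
    lneedle[i] = '\0';
    return strstr(name, lneedle) != NULL;         /* case-insensitive substring match */
}

/* Build a minimal IPv4/UDP/DNS A query for qname (constructed sample data for the
 * demo; checksums stay zero because the parser never verifies them). Returns total length. */
size_t build_dns_query(uint8_t *buf, size_t buflen, const char *qname) {
    uint8_t *dns = buf + 28;
    size_t o = 12, total;
    const char *p = qname;
    if (buflen < 28 + 12 + strlen(qname) + 6) return 0;
    memset(buf, 0, buflen);
    dns[0] = 0x12; dns[1] = 0x34; dns[2] = 0x01; dns[5] = 1;   /* ID, RD flag, QDCOUNT=1 */
    while (*p) {                                  /* encode each label as <len><bytes> */
        const char *dot = strchr(p, '.');
        size_t l = dot ? (size_t)(dot - p) : strlen(p);
        if (l == 0 || l > 63) return 0;
        dns[o++] = (uint8_t)l;
        memcpy(dns + o, p, l); o += l; p += l;
        if (*p == '.') p++;
    }
    dns[o++] = 0;                                 /* root label */
    dns[o++] = 0; dns[o++] = 1;                   /* QTYPE A */
    dns[o++] = 0; dns[o++] = 1;                   /* QCLASS IN */
    total = 28 + o;
    buf[0] = 0x45; buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;   /* v4, IHL 5 */
    buf[8] = 64; buf[9] = IPPROTO_UDP;
    memcpy(buf + 12, "\x0a\x00\x00\x02", 4);      /* 10.0.0.2 -> 10.0.0.1 (constructed) */
    memcpy(buf + 16, "\x0a\x00\x00\x01", 4);
    buf[20] = 40000 >> 8; buf[21] = 40000 & 0xFF; buf[23] = 53;               /* sport, dport */
    buf[24] = (uint8_t)((8 + o) >> 8); buf[25] = (uint8_t)(8 + o);          /* UDP length */
    return total;
}

/* Offline check: build a query for qname and run the policy; cut > 0 truncates the packet. */
int demo_check(const char *qname, const char *needle, size_t cut) {
    uint8_t buf[512];
    size_t n = build_dns_query(buf, sizeof buf, qname);
    if (n == 0) return -1;
    return dns_should_drop(buf, cut ? cut : n, needle);
}

int main(void) {
    uint8_t pkt[65535];
    struct sockaddr_in sin;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);   /* divert(4) socket */
    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return 1; }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET; sin.sin_port = htons(DIVERT_PORT); sin.sin_addr.s_addr = INADDR_ANY;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("bind"); return 1; }
    for (;;) {
        socklen_t slen = sizeof sin;
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&sin, &slen);
        if (n < 0) { perror("recvfrom"); break; }
        if (dns_should_drop(pkt, (size_t)n, BLOCKED_SUBSTRING)) continue;   /* drop: never reinjected */
        /* pass: writing the packet back to the address recvfrom gave us resumes ipfw processing */
        if (sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&sin, slen) < 0) perror("sendto");
    }
    return 0;
}
```

Dropping a diverted packet is simply a matter of not writing it back; there is no separate "deny" call. Matching on the decoded name rather than the raw bytes is what makes a substring like "ample.c" hit "www.example.com", which is also why a policy string should be as specific as the dotted form allows.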