Date:      Thu, 10 Nov 2005 11:32:49 -0800
From:      Darcy Buskermolen <darcy@wavefire.com>
To:        freebsd-ipfw@freebsd.org
Cc:        Max Laier <max@love2party.net>, Cesar <listas@itm.net.br>
Subject:   Re: String Match
Message-ID:  <200511101132.49588.darcy@wavefire.com>
In-Reply-To: <200511102023.43495.max@love2party.net>
References:  <002b01c5e53d$38c99d30$f2faa8c0@ironman> <200511102023.43495.max@love2party.net>

On Thursday 10 November 2005 11:23, Max Laier wrote:
> On Wednesday 09 November 2005 15:52, Cesar wrote:
> > An interesting thing in iptables is that option to match strings, like
> > this example:
> >
> > iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j
> > REJECT --reject-with tcp-reset
> > iptables -A FORWARD -p TCP -m string --string "GET /announce" -j
> > REJECT --reject-with tcp-reset
> >
> > Did anyone write a similar patch to ipfw? or ... Is this something
> > desirable to ipfw which the developers will put in the future?
>
> As Oliver pointed out, this is not a good idea.  If you still want to do
> it, why don't you hook a filter into a divert socket?  It's certainly *not*
> a good idea to bloat IPFW (or any other general purpose packet filter) with
> a generally useless feature like this - if you think you need something
> special you can either do it in the userland (via divert or bpf) or you
> > could just do an independent pfil(9) consumer module, finally there is
> netgraph.

snort_inline (ports/security/snort_inline) may also be useful for what you 
want.

-- 
Darcy Buskermolen
Wavefire Technologies Corp.

http://www.wavefire.com
ph: 250.717.0200
fx: 250.763.1759
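As an added illustration of the userland-via-divert approach suggested above (this is example code written for this archive page, not code from the thread, from ipfw or from snort_inline), the script below parses raw IPv4/TCP packets, applies the same per-packet substring match as the quoted iptables rules, and then shows the caveat that makes per-packet matching a weak control: the same string split across two TCP segments is missed, and catching it needs per-flow state that a stateless packet filter does not carry. All packets are constructed inline with no checksums; the divert socket constants (IPPROTO_DIVERT = 258, PF_INET/SOCK_RAW) are the historical FreeBSD interface and are an assumption to check against the running system's headers.

```python
import socket
import struct

# Assumption: FreeBSD value of IPPROTO_DIVERT (not exported by Python's socket module).
IPPROTO_DIVERT = 258

# The two strings from the quoted iptables rules.
PATTERNS = (b"BitTorrent protocol", b"GET /announce")


def build_tcp_packet(payload, src=b"\xc0\xa8\x01\x02", dst=b"\xc0\xa8\x01\x03",
                     sport=51000, dport=6881, seq=1):
    """Constructed IPv4+TCP packet for demonstration only (checksums left at zero)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, src, dst)
    # data offset 5 words, flags PSH|ACK
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def tcp_payload(pkt):
    """Return the TCP payload of an IPv4 packet, or None if it is not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:total_len]


def flow_key(pkt):
    """(src, dst, sport, dport) of an IPv4/TCP packet; used to keep per-flow state."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (pkt[12:16], pkt[16:20], sport, dport)


def matches(pkt, patterns=PATTERNS):
    """Stateless, per-packet match: the model behind 'iptables -m string'."""
    payload = tcp_payload(pkt)
    if not payload:
        return False
    return any(p in payload for p in patterns)


def filter_stream(packets, patterns=PATTERNS):
    """Per-packet verdicts (True = would be rejected) for a list of packets."""
    return [matches(p, patterns) for p in packets]


class StreamMatcher:
    """Keeps the tail of the previous payload per flow, so a pattern that straddles
    two segments is still found. Deliberately simplified: it ignores reordering and
    retransmission, which is exactly the state a real stream reassembler must track."""

    def __init__(self, patterns=PATTERNS):
        self.patterns = patterns
        self.keep = max(len(p) for p in patterns) - 1
        self.tails = {}

    def feed(self, pkt):
        payload = tcp_payload(pkt)
        if payload is None:
            return False
        key = flow_key(pkt)
        buf = self.tails.get(key, b"") + payload
        self.tails[key] = buf[-self.keep:] if self.keep else b""
        return any(p in buf for p in self.patterns)


def divert_loop(port, patterns=PATTERNS):
    """Userland filter on an ipfw divert socket (FreeBSD, root). Pair it with a rule such as
    'ipfw add divert <port> tcp from any to any'; matching packets are dropped by simply
    not reinjecting them. Assumption: PF_INET/SOCK_RAW/IPPROTO_DIVERT is the divert API."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    s.bind(("0.0.0.0", port))
    matcher = StreamMatcher(patterns)
    while True:
        pkt, addr = s.recvfrom(65535)
        if not matcher.feed(pkt):
            s.sendto(pkt, addr)  # reinject; addr tells ipfw where to resume


if __name__ == "__main__":
    # Constructed traffic: the handshake string split across two segments.
    split = [build_tcp_packet(b"\x13BitTorrent pro"),
             build_tcp_packet(b"tocol" + b"\x00" * 8, seq=16)]
    print("per-packet verdicts:", filter_stream(split))          # [False, False]
    m = StreamMatcher()
    print("per-flow verdicts:  ", [m.feed(p) for p in split])    # [False, True]
```

Even the per-flow version only papers over the simplest split; a peer that retransmits, reorders or pads can still slip past it, which is the practical reason a general-purpose packet filter is the wrong place for this and a stream-aware tool such as snort_inline is the right one.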



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200511101132.49588.darcy>