Date:      Fri, 28 Apr 2006 15:26:52 -0400
From:      Corey Smith <csmith@bonddesk.com>
To:        Daniel Walker <dwalker@zbi.com>
Cc:        ipfw@freebsd.org, vladone <vladone@spaingsm.com>
Subject:   Re: IPTABLES to IPFW for Packet Inspection Filtering
Message-ID:  <44526C7C.10208@bonddesk.com>
In-Reply-To: <OFBD7BBE12.3AD0268B-ON8525715E.005548F1-8525715E.00561E4E@zbi.com>
References:  <OFBD7BBE12.3AD0268B-ON8525715E.005548F1-8525715E.00561E4E@zbi.com>

Daniel Walker wrote:
> IPTABLES allows for string matching.  IPFW does not.  I'll 
> have to fire up my Ubuntu to do this.
>   
This has been brought up before on this list.  IPFW does not intend to 
ever support string matching as a standard feature.  The developers 
feel that this kind of expensive operation does not belong in the kernel 
with IPFW.

This does not mean that this functionality is impossible to do with 
IPFW/FreeBSD.

AFAIK String match deny processing should be done using divert(4) 
sockets like natd.  You use IPFW to divert outgoing DNS requests to your 
natd-like (userland) process.  This process determines whether or not it 
contains your string and blocks the request/response if it does.

Unfortunately I'm not aware of a userland app that does this today.

-Corey Smith



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44526C7C.10208>
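The divert(4) approach Corey describes, worked through as an added example that is not code from the thread or from the FreeBSD project. It is the "natd-like" userland process: an ipfw rule diverts outgoing UDP/53 to divert port 8668 (the port and rule number are assumptions), the program decodes the question name of each diverted DNS query, and it drops the packet when the name contains the string given on the command line, reinjecting everything else. The sample packet used for the self-check is constructed in code, not captured; checksums are left zero because it is never sent. Note the edge case that a naive iptables-style byte match misses: DNS names are length-prefixed labels on the wire, so "example.test" never appears literally in the packet and has to be decoded first.

```c
/* Added example (not from the list post or from FreeBSD): a minimal divert(4)
 * filter for outgoing DNS queries.  Pair it with an ipfw rule such as
 *   ipfw add 100 divert 8668 udp from any to any 53 out
 * (rule number 100 and divert port 8668 are assumptions for this example). */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254   /* FreeBSD's value; defined here only so the file builds on other systems */
#endif

#define DIVERT_PORT 8668     /* assumed; must match the ipfw "divert 8668" rule */
#define MAX_NAME    255      /* maximum DNS name length in wire form */

/* Decode the first question name of a DNS message into dotted form.
 * Returns 1 on success, 0 if the message is truncated or malformed.
 * Compression pointers are rejected: a question name never needs them. */
int dns_qname(const uint8_t *msg, size_t len, char *out, size_t outlen)
{
    size_t pos = 12, o = 0;                              /* the DNS header is 12 bytes */
    if (len < 12 || outlen == 0) return 0;
    if (((msg[4] << 8) | msg[5]) == 0) return 0;         /* QDCOUNT == 0: nothing to inspect */
    for (;;) {
        if (pos >= len) return 0;
        uint8_t l = msg[pos++];
        if (l == 0) break;                               /* root label ends the name */
        if (l & 0xC0) return 0;                          /* compression or reserved label type */
        if (pos + l > len || o + l + 1 >= outlen) return 0;
        if (o > 0) out[o++] = '.';
        memcpy(out + o, msg + pos, l);
        o += l;
        pos += l;
    }
    if (pos + 4 > len) return 0;                         /* QTYPE/QCLASS must follow the name */
    out[o] = '\0';
    return 1;
}

static void lower(char *s) { for (; *s; s++) *s = (char)tolower((unsigned char)*s); }

/* Verdict for one diverted IPv4 packet: 1 = drop, 0 = reinject.
 * Only UDP to port 53 is inspected; everything else passes, and so does
 * malformed DNS (return 1 there instead if you want fail-closed behaviour).
 * The match is case-insensitive, as DNS names are. */
int should_drop(const uint8_t *pkt, size_t len, const char *needle)
{
    char name[MAX_NAME + 1], pat[MAX_NAME + 1];
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != IPPROTO_UDP) return 0;
    const uint8_t *udp = pkt + ihl;
    unsigned dport = (udp[2] << 8) | udp[3];
    size_t ulen = (udp[4] << 8) | udp[5];
    if (dport != 53 || ulen < 8 || ihl + ulen > len) return 0;
    if (!dns_qname(udp + 8, ulen - 8, name, sizeof name)) return 0;
    lower(name);
    snprintf(pat, sizeof pat, "%s", needle);
    lower(pat);
    return strstr(name, pat) != NULL;
}

/* Build a constructed IPv4/UDP/DNS query for "dotted" into buf.  This is test
 * input, not a capture; checksums stay zero since it is never put on the wire.
 * Returns the packet length, or 0 if the name is invalid or does not fit. */
size_t build_query_packet(uint8_t *buf, size_t buflen, const char *dotted)
{
    uint8_t wire[MAX_NAME + 2];
    size_t w = 0;
    for (const char *s = dotted; *s; ) {                 /* dotted name -> length-prefixed labels */
        const char *dot = strchr(s, '.');
        size_t l = dot ? (size_t)(dot - s) : strlen(s);
        if (l == 0 || l > 63 || w + 1 + l + 1 > sizeof wire) return 0;
        wire[w++] = (uint8_t)l;
        memcpy(wire + w, s, l);
        w += l;
        s += l;
        if (*s == '.') s++;
    }
    wire[w++] = 0;                                       /* root label */
    size_t dns_len = 12 + w + 4, total = 20 + 8 + dns_len;
    if (total > buflen) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = IPPROTO_UDP;
    memcpy(buf + 12, "\xc0\x00\x02\x0a", 4);             /* 192.0.2.10 -> 192.0.2.53 (RFC 5737 range) */
    memcpy(buf + 16, "\xc0\x00\x02\x35", 4);
    uint8_t *udp = buf + 20;
    udp[0] = 0xC0; udp[1] = 0x00;                        /* source port 49152 */
    udp[2] = 0x00; udp[3] = 53;                          /* destination port 53 */
    udp[4] = (uint8_t)((8 + dns_len) >> 8); udp[5] = (uint8_t)(8 + dns_len);
    uint8_t *dns = udp + 8;
    dns[0] = 0x12; dns[1] = 0x34; dns[2] = 0x01; dns[5] = 1;  /* ID, RD set, QDCOUNT 1 */
    memcpy(dns + 12, wire, w);
    dns[12 + w + 1] = 1;                                 /* QTYPE A */
    dns[12 + w + 3] = 1;                                 /* QCLASS IN */
    return total;
}

/* The natd-like loop: receive from the divert socket, decide, reinject or not.
 * Not reinjecting is the drop: the kernel has already handed the packet to us. */
int main(int argc, char **argv)
{
    const char *needle = argc > 1 ? argv[1] : "example";
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return 1; }
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(DIVERT_PORT);
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("bind"); return 1; }
    static uint8_t buf[65535];
    for (;;) {
        struct sockaddr_in from;
        socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) { perror("recvfrom"); continue; }
        if (should_drop(buf, (size_t)n, needle)) continue;   /* dropped: never reinjected */
        /* sending back with the received sockaddr resumes ipfw at the rule after the divert */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fl) < 0) perror("sendto");
    }
}
```

Run it as root on a FreeBSD host with ipfw and the divert socket support loaded, after adding the divert rule; the divert socket only exists while the process is bound to it, and with the default ipfw behaviour for a divert rule whose socket has no listener the packets are dropped, so start the filter before the rule or accept that DNS stops until it is up. The parse functions are the testable part; the socket loop only runs on FreeBSD.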