From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 28 19:27:00 2006
Message-ID: <44526C7C.10208@bonddesk.com>
Date: Fri, 28 Apr 2006 15:26:52 -0400
From: Corey Smith
To: Daniel Walker
Cc: ipfw@freebsd.org, vladone
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering
List-Id: IPFW Technical Discussions

Daniel Walker wrote:
> IPTABLES allows for string matching. IPFW does not. I'll
> have to fire up my Ubuntu to do this.
>

This has been brought up before on this list. IPFW does not intend to ever support string matching as a standard feature. The developers feel that this kind of expensive operation does not belong in the kernel with IPFW. This does not mean that this functionality is impossible to do with IPFW/FreeBSD.

AFAIK string-match deny processing should be done using divert(4) sockets, like natd. You use IPFW to divert outgoing DNS requests to your natd-like (userland) process. This process determines whether or not the packet contains your string and blocks the request/response if it does. Unfortunately I'm not aware of a userland app that does this today.

-Corey Smith
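The natd-like userland filter Corey describes, as an added example that is not from the thread or the FreeBSD project: it reads outbound packets from a divert(4) socket, parses the DNS question name, reinjects queries that pass and silently drops the rest. It assumes an ipfw rule such as `ipfw add 100 divert 8668 udp from any to any 53 out`, that the host's Python exposes `socket.IPPROTO_DIVERT` (FreeBSD only), and a constructed denylist; `build_query` only exists to construct test packets offline.

```python
import socket
import struct
import sys

DENY_SUBSTRINGS = (b"blocked.example",)   # constructed denylist for the demo

def dns_qname(packet):
    """Return the queried name (bytes) from an IPv4/UDP/DNS query, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or packet[ihl + 2:ihl + 4] != b"\x00\x35":   # not UDP to port 53
        return None
    dns = packet[ihl + 8:]
    if len(dns) < 12 or dns[2] & 0x80:        # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(dns):
        n = dns[pos]
        if n == 0:
            return b".".join(labels).lower()
        if n & 0xC0 or pos + 1 + n > len(dns):   # compression pointer or truncated label
            return None
        labels.append(dns[pos + 1:pos + 1 + n])
        pos += 1 + n

def should_drop(packet):
    """Deny decision: only DNS queries whose name contains a denied substring."""
    name = dns_qname(packet)
    return name is not None and any(s in name for s in DENY_SUBSTRINGS)

def build_query(name, response=False):
    """Construct an IPv4/UDP/DNS packet for offline testing (checksums left zero)."""
    qname = b"".join(bytes([len(l)]) + l for l in name.split(b".")) + b"\x00"
    dns = struct.pack("!6H", 0x1234, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    dns += qname + b"\x00\x01\x00\x01"         # QTYPE A, QCLASS IN
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x01")
    return ip + udp

def run(port=8668):
    proto = getattr(socket, "IPPROTO_DIVERT", None)   # assumption: present on FreeBSD
    if proto is None:
        sys.exit("no IPPROTO_DIVERT here; divert(4) needs FreeBSD with ipfw")
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, proto) as s:
        s.bind(("0.0.0.0", port))              # port == the ipfw divert rule's port
        while True:
            pkt, addr = s.recvfrom(65535)
            if not should_drop(pkt):
                s.sendto(pkt, addr)            # resumes ipfw at the rule after the divert
```

Reinjecting with the address returned by recvfrom keeps the packet outbound (sin_addr is INADDR_ANY), which is why this loop only handles the outgoing-query direction; blocking responses would need a second divert rule for inbound traffic.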