regex match in ipfw rule?

Bill Fumerola billf at FreeBSD.org
Wed Sep 10 12:39:29 PDT 2003


On Tue, Sep 09, 2003 at 10:43:16PM -0400, Don Bowman wrote:

> has anyone ever considered adding a regular
> expression match type to ipfw? it seems like
> this might be very useful. To be efficient,
> and anchored, I guess it would need to 
> be available for both IP and TCP and perhaps
> other protocols (e.g. ip payload, tcp payload).
> 
> This could be used to match e.g. code-red style
> worms.

there are several problems with doing this..

1) you have to dig deep into the packet, which we already sorta do for
   l4 rules, but we don't get into the actual payload.
2) you have to reassemble frags(!), otherwise someone can just frag a
   packet to slip it through
3) regexp is going to be slow

> one barrier is that there is not currently regex
> support in kernel, but pcre could probably be
> compiled for it.

bpf rules would be easier, but for things like code red it would still
suffer from the reassembly problem.

-- 
- bill fumerola / fumerola at yahoo-inc.com / billf at FreeBSD.org
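The fragment problem in the reply above (point 2), shown as an added example that is not part of this thread or of ipfw: a per-fragment regex check beside a minimal reassembler. The signature pattern, the flow key `(src, dst, ip_id)` and the fragment layout are constructed for the demo; overlapping-fragment handling, which real IP reassembly must also resolve, is left out.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a worm signature; not a real IDS rule.
SIGNATURE = re.compile(rb"EVIL-SIGNATURE-\d{3}")

Flow = Tuple[str, str, int]  # assumed datagram key: (src, dst, ip_id)


@dataclass(frozen=True)
class Fragment:
    """One IP fragment: byte offset within the original datagram,
    the 'more fragments' (MF) flag, and this fragment's payload bytes."""
    flow: Flow
    offset: int
    more: bool
    payload: bytes


def fragment(flow: Flow, data: bytes, size: int) -> List[Fragment]:
    """Split a datagram payload into fixed-size fragments, as a sender would."""
    frags = []
    for off in range(0, len(data), size):
        frags.append(Fragment(flow, off, off + size < len(data), data[off:off + size]))
    return frags


def naive_match(frags: List[Fragment]) -> bool:
    """Inspect each fragment's payload on its own: a pattern that straddles
    a fragment boundary is never seen whole, so it slips through."""
    return any(SIGNATURE.search(f.payload) for f in frags)


class Reassembler:
    """Holds fragments per flow until the datagram is contiguous and complete.
    This per-flow state is the cost the reply is pointing at."""

    def __init__(self) -> None:
        self.pending: Dict[Flow, Dict[int, Fragment]] = {}

    def feed(self, frag: Fragment) -> Optional[bytes]:
        """Return the full payload once every byte up to the last fragment
        is present; otherwise keep waiting and return None."""
        parts = self.pending.setdefault(frag.flow, {})
        parts[frag.offset] = frag
        last = [f for f in parts.values() if not f.more]
        if not last:
            return None
        end = last[0].offset + len(last[0].payload)
        data, pos = bytearray(), 0
        while pos < end:
            piece = parts.get(pos)
            if piece is None:          # hole in coverage: still incomplete
                return None
            data += piece.payload
            pos += len(piece.payload)
        del self.pending[frag.flow]    # datagram complete; release the state
        return bytes(data)


def reassembled_match(frags: List[Fragment]) -> bool:
    """Run the regex only over a fully reassembled datagram, in arrival order."""
    r = Reassembler()
    for f in frags:
        data = r.feed(f)
        if data is not None and SIGNATURE.search(data):
            return True
    return False


if __name__ == "__main__":
    flow = ("10.0.0.1", "10.0.0.2", 7)                       # constructed
    payload = b"GET /index.html EVIL-SIGNATURE-042 HTTP/1.0"  # constructed
    frags = fragment(flow, payload, 20)   # pattern now spans two fragments
    print("per-fragment:", naive_match(frags))
    print("reassembled: ", reassembled_match(frags))
```

With a 20-byte fragment size the signature is split across the first two fragments, so the per-fragment check reports nothing while the reassembled check fires; feeding the same fragments in reverse order still reassembles, because the walk over offsets does not depend on arrival order. The `pending` dictionary is what a kernel firewall would have to keep per in-flight datagram, which is why the reply treats reassembly as a real cost rather than a detail.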
