String Match

Oliver Fromme olli at lurza.secnetix.de
Thu Nov 10 05:58:01 PST 2005


Cesar <listas at itm.net.br> wrote:
 > An interesting thing in iptables is that option to match strings, like this 
 > example:
 > 
 > iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j REJECT --reject-with tcp-reset
 > iptables -A FORWARD -p TCP -m string --string "GET /announce" -j REJECT --reject-with tcp-reset
 > 
 > Did anyone write a similar patch for ipfw? or ... Is this something desirable 
 > for ipfw which the developers will put in in the future?

I can't think of any real-world examples where string-
matching would be useful and work reliably.  The above
examples do not work reliably, because the rules would
also have rejected your email to this mailing list.  ;-)

If you want to filter on application level (e.g. certain
HTTP GET commands like the one above), you should do it
in the application (e.g. apache).  That's not the job of
a packet filter.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Unix gives you just enough rope to hang yourself --
and then a couple of more feet, just to be sure."
        -- Eric Allman
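The two ways a payload string rule misfires, as an added example that is not code from the original post, from ipfw or from iptables: a per-packet substring check of the kind the quoted `-m string` rules perform, run over constructed TCP payloads (a BitTorrent handshake, a tracker GET with a hypothetical host and parameters, and the SMTP body of a mail that quotes the rule). Function and constant names are mine; the sample payloads are constructed for the example.

```python
# Added example (mine, not code from the original post or from ipfw/iptables):
# a per-packet substring matcher like `iptables -m string --string ...`, run
# over constructed TCP payloads to show why it misfires in both directions.
# Every payload below is constructed for this example.

PATTERNS = (b"BitTorrent protocol", b"GET /announce")


def packet_matches(payload: bytes, patterns=PATTERNS) -> bool:
    """Per-packet rule: fire if any pattern occurs anywhere in this segment.

    This is what the quoted iptables rules do: the filter sees one segment at
    a time and has no idea which application the bytes belong to.
    """
    return any(p in payload for p in patterns)


def split_at(stream: bytes, offset: int) -> list:
    """Split a byte stream into two TCP segments at `offset` (the sender's choice)."""
    return [stream[:offset], stream[offset:]]


def any_segment_matches(segments, patterns=PATTERNS) -> bool:
    """Decision of a stateless per-packet filter for a whole stream."""
    return any(packet_matches(s, patterns) for s in segments)


def reassembled_matches(segments, patterns=PATTERNS) -> bool:
    """Decision of a filter that reassembles the TCP stream before matching."""
    return packet_matches(b"".join(segments), patterns)


# --- constructed sample payloads --------------------------------------------
# BitTorrent peer handshake: <pstrlen=19><pstr><8 reserved><20 info_hash><20 peer_id>
BT_HANDSHAKE = bytes([19]) + b"BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)

# Tracker request over HTTP (hypothetical host and query parameters).
TRACKER_GET = (b"GET /announce?info_hash=%aa%bb&peer_id=-XX0000-abcdef HTTP/1.1\r\n"
               b"Host: tracker.example\r\n\r\n")

# SMTP DATA phase of a mail that quotes the rule: the rule text itself crosses
# the FORWARD chain as an ordinary TCP payload, and `-p TCP` restricts nothing else.
MAIL_BODY = (b"Subject: String Match\r\n\r\n"
             b"iptables -A FORWARD -p TCP -m string --string \"GET /announce\" "
             b"-j REJECT --reject-with tcp-reset\r\n.\r\n")


def demo() -> dict:
    """Map each situation to the filter's decision (True = REJECT)."""
    split_get = split_at(TRACKER_GET, 5)  # segments: b"GET /" | b"announce?..."
    return {
        "bittorrent handshake, one segment": any_segment_matches([BT_HANDSHAKE]),
        "tracker GET, one segment": any_segment_matches([TRACKER_GET]),
        # false positive: the mail is reset because it quotes the rule
        "mail quoting the rule": any_segment_matches([MAIL_BODY]),
        # false negative: the pattern straddles a segment boundary
        "tracker GET, split at offset 5": any_segment_matches(split_get),
        # stream reassembly closes the evasion ...
        "tracker GET, split, reassembled": reassembled_matches(split_get),
        # ... but not the false positive: the bytes really are in the mail
        "mail quoting the rule, reassembled": reassembled_matches([MAIL_BODY]),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{'REJECT' if decision else 'pass  '}  {case}")
```

Reassembling the stream fixes only the split-segment evasion; the mail is still reset, because a packet filter cannot tell a tracker request from a message that quotes one. That is the distinction the reply draws between the packet filter and the application that actually parses the request.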


More information about the freebsd-ipfw mailing list