String Match

Max Laier max at love2party.net
Thu Nov 10 11:23:51 PST 2005


On Wednesday 09 November 2005 15:52, Cesar wrote:
> An interesting thing in iptables is that option to match strings, like this
> example:
>
> iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j
> REJECT --reject-with tcp-reset
> iptables -A FORWARD -p TCP -m string --string "GET /announce" -j
> REJECT --reject-with tcp-reset
>
> Did anyone write a similar patch for ipfw? Or ... is this something
> desirable for ipfw which the developers will put in in the future?

As Oliver pointed out, this is not a good idea.  If you still want to do it, 
why don't you hook a filter into a divert socket?  It's certainly *not* a 
good idea to bloat IPFW (or any other general purpose packet filter) with a 
generally useless feature like this.  If you think you need something special, 
you can either do it in userland (via divert or bpf) or you could just do 
an independent pfil(9) consumer module; finally, there is netgraph.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
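As an added illustration of the divert-socket route suggested above (example code, not from the thread or from ipfw), this is the per-packet matching core a userland divert(4) consumer would call on each raw IPv4 packet it reads: it locates the TCP payload via the IHL and data-offset fields, searches it for the two signatures from the quoted iptables rules, and returns a verdict. The divert socket read/write loop itself is omitted; `check_payload` wraps a constructed payload in minimal headers so the matcher can be exercised offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Signatures taken from the iptables rules quoted in the thread. */
static const char *const SIGS[] = { "BitTorrent protocol", "GET /announce" };

/* 1 if hay[0..hlen) contains needle. Payload may hold NUL bytes, so no strstr. */
static int contains(const uint8_t *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Inspect one raw IPv4 packet as read from a divert socket.
 * Returns 1 = signature found (drop / RST), 0 = pass, -1 = malformed (drop). */
int tcp_payload_matches(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* IPv4 header length   */
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];   /* IPv4 total length    */
    if (ihl < 20 || tot > len || tot < ihl + 20) return -1;
    if (pkt[9] != 6) return 0;                     /* not TCP: nothing to inspect */
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4; /* TCP data offset     */
    if (doff < 20 || ihl + doff > tot) return -1;
    const uint8_t *payload = pkt + ihl + doff;
    size_t plen = tot - ihl - doff;
    for (size_t i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++)
        if (contains(payload, plen, SIGS[i])) return 1;
    return 0;
}

/* Wrap a constructed payload in minimal IPv4 + TCP headers (no options) and
 * return the matcher's verdict. Test helper only; real input comes from divert. */
int check_payload(const char *payload)
{
    uint8_t pkt[1500] = {0};
    size_t plen = strlen(payload), tot = 40 + plen;
    if (tot > sizeof pkt) return -1;
    pkt[0] = 0x45;                 /* IPv4, IHL = 5 words */
    pkt[2] = (uint8_t)(tot >> 8);
    pkt[3] = (uint8_t)tot;
    pkt[9] = 6;                    /* IPPROTO_TCP */
    pkt[32] = 0x50;                /* TCP data offset = 5 words */
    memcpy(pkt + 40, payload, plen);
    return tcp_payload_matches(pkt, tot);
}
```

Note that this inspects each packet in isolation: a signature split across two TCP segments, or carried in a fragmented datagram, is not seen, which is one reason per-packet string matching is unreliable as a blocking mechanism.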