On Wednesday 09 November 2005 15:52, Cesar wrote:
> An interesting thing in iptables is that option to match strings, like this
> example:
>
> iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j
> REJECT --reject-with tcp-reset
> iptables -A FORWARD -p TCP -m string --string "GET /announce" -j
> REJECT --reject-with tcp-reset
>
> Did anyone write a similar patch to ipfw? or ... Is this something
> desirable to ipfw which the developers will put in the future?

As Oliver pointed out, this is not a good idea.  If you still want to do it, 
why don't you hook a filter into a divert socket?  It's certainly *not* a 
good idea to bloat IPFW (or any other general purpose packet filter) with a 
generally useless feature like this - if you think you need something special 
you can either do it in the userland (via divert or bpf) or you could just do 
an independent pfil(9) consumer module, finally there is netgraph.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
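Max's suggestion of hooking a filter into a divert socket, as an added example that is not part of the thread and is not code from IPFW or from anyone on the list: a small userland filter in C that reads packets handed over by an ipfw divert rule, locates the TCP payload by parsing the IPv4 and TCP headers, drops any packet whose payload contains a given string, and reinjects every other packet so ipfw continues at the rule after the divert rule. The divert port 8668, the 192.168.0.x addresses in the constructed sample packet and the example needles are assumptions of this example; the socket loop compiles only on FreeBSD, while the header parsing, matching and packet builder are portable and serve as a self-check elsewhere.

```c
/* Userland string filter for an ipfw divert socket (added example, not from
 * the thread). Parsing and matching are portable; the divert loop is FreeBSD-only. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef __FreeBSD__
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#endif

/* Return a pointer to the TCP payload of a raw IPv4 packet and store its length
 * in *plen. Anything malformed or non-TCP yields NULL, so a truncated or bogus
 * packet is never searched past the bytes that were actually received. */
const unsigned char *tcp_payload(const unsigned char *pkt, size_t len, size_t *plen)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return NULL;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;          /* IP header length   */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];     /* IP total length    */
    if (ihl < 20 || total < ihl + 20 || total > len || pkt[9] != 6) return NULL;
    const unsigned char *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;          /* TCP data offset    */
    if (doff < 20 || ihl + doff > total) return NULL;
    *plen = total - ihl - doff;
    return tcp + doff;
}

/* Bounded byte search for needle inside the TCP payload only (one packet). */
int payload_contains(const unsigned char *pkt, size_t len, const char *needle)
{
    size_t plen, nlen = strlen(needle);
    const unsigned char *p = tcp_payload(pkt, len, &plen);
    if (p == NULL || nlen == 0 || plen < nlen) return 0;
    for (size_t i = 0; i + nlen <= plen; i++)
        if (memcmp(p + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Build a constructed IPv4/TCP packet carrying `payload` into buf. Checksums
 * are left zero because the filter never looks at them. Returns the length. */
size_t build_sample(unsigned char *buf, size_t cap, const char *payload)
{
    size_t plen = strlen(payload), total = 40 + plen;
    if (total > cap || total > 0xffff) return 0;
    memset(buf, 0, 40);
    buf[0] = 0x45;                                     /* IPv4, IHL 5        */
    buf[2] = (unsigned char)(total >> 8); buf[3] = (unsigned char)(total & 0xff);
    buf[8] = 64; buf[9] = 6;                           /* TTL, IPPROTO_TCP   */
    memcpy(buf + 12, "\xc0\xa8\x00\x02", 4);           /* src 192.168.0.2 (constructed) */
    memcpy(buf + 16, "\xc0\xa8\x00\x01", 4);           /* dst 192.168.0.1 (constructed) */
    buf[32] = 0x50; buf[33] = 0x18;                    /* data offset 5, PSH|ACK */
    memcpy(buf + 40, payload, plen);
    return total;
}

/* Self-check helper: would a packet carrying `payload` be dropped for `needle`? */
int sample_packet_matches(const char *payload, const char *needle)
{
    unsigned char buf[1500];
    size_t n = build_sample(buf, sizeof buf, payload);
    return n != 0 && payload_contains(buf, n, needle);
}

#ifdef __FreeBSD__
/* Read packets from the divert socket bound to `port`, drop those whose payload
 * contains `needle` (a packet that is not reinjected is simply gone) and send
 * the rest back so ipfw resumes at the rule after the divert rule. */
int run_divert_filter(unsigned short port, const char *needle)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket"); return 1; }
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("bind"); return 1; }
    static unsigned char buf[65535];
    for (;;) {
        struct sockaddr_in from;
        socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) { perror("recvfrom"); break; }
        if (payload_contains(buf, (size_t)n, needle)) continue;   /* dropped */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fl) < 0)
            perror("sendto");
    }
    close(fd);
    return 1;
}
#endif

int main(void)
{
#ifdef __FreeBSD__
    /* Port 8668 is an assumption; pair it with
     * "ipfw add divert 8668 tcp from any to any" and run as root. */
    return run_divert_filter(8668, "BitTorrent protocol");
#else
    printf("match=%d nomatch=%d\n",
           sample_packet_matches("\x13" "BitTorrent protocol", "BitTorrent protocol"),
           sample_packet_matches("GET /index.html HTTP/1.0\r\n", "GET /announce"));
    return 0;
#endif
}
```

Two points worth noting about the design. The parser trusts the IP total-length field only after checking it against the number of bytes actually received, so a crafted length cannot make the matcher read beyond the buffer, which is the kind of bug a string matcher inside the kernel packet filter would turn into a kernel problem rather than a crashed daemon. And the match is per packet, and it drops rather than answering with a TCP reset as the quoted iptables rules do; a string split across two segments is not seen, which is a limitation to keep in mind before relying on such a filter.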
