On Thursday 10 November 2005 11:23, Max Laier wrote:
> On Wednesday 09 November 2005 15:52, Cesar wrote:
> > An interesting thing in iptables is that option to match strings, like
> > this example:
> >
> > iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j REJECT --reject-with tcp-reset
> > iptables -A FORWARD -p TCP -m string --string "GET /announce" -j REJECT --reject-with tcp-reset
> >
> > Did anyone write a similar patch to ipfw? or ... Is this something
> > desirable to ipfw which the developers will put in the future?
>
> As Oliver pointed out, this is not a good idea. If you still want to do
> it, why don't you hook a filter into a divert socket? It's certainly *not*
> a good idea to bloat IPFW (or any other general purpose packet filter) with
> a generally useless feature like this - if you think you need something
> special you can either do it in the userland (via divert or bpf) or you
> could just do an independent pfil(9) consumer module, finally there is
> netgraph.
snort_inline (ports/security/snort_inline) may also be useful for what you want.

--
Darcy Buskermolen
Wavefire Technologies Corp.
http://www.wavefire.com
ph: 250.717.0200
fx: 250.763.1759
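Max Laier's suggestion above, a payload filter hooked to a divert(4) socket instead of a new ipfw option, as an added example that is not from the thread or from the ipfw project: it applies the two string patterns from Cesar's iptables rules to diverted IPv4/TCP packets, dropping matches and reinjecting everything else. It assumes the 2005-era FreeBSD divert API (PF_INET raw socket, IPPROTO_DIVERT = 258) and an ipfw rule such as `ipfw add divert 8668 tcp from any to any`; the port number and the test packet builder are constructed placeholders, and matches are silently dropped rather than answered with a TCP reset as the iptables REJECT target does.

```python
# Added example, not code from the thread: a userland divert-socket filter.
import socket
import struct
from typing import Optional

PATTERNS = (b"BitTorrent protocol", b"GET /announce")  # from Cesar's iptables rules
IPPROTO_DIVERT = 258   # FreeBSD value (assumption); absent from Python's socket module
DIVERT_PORT = 8668     # constructed placeholder; must match the ipfw "divert" rule


def tcp_payload(pkt: bytes) -> Optional[bytes]:
    """Return the TCP payload of an IPv4 packet, or None if not TCP or truncated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]   # IP total length
    if pkt[9] != 6 or len(pkt) < ihl + 20:         # protocol 6 = TCP
        return None
    data_off = (pkt[ihl + 12] >> 4) * 4            # TCP header length in bytes
    start, end = ihl + data_off, min(total_len, len(pkt))
    return None if start > end else pkt[start:end]


def should_reject(pkt: bytes) -> bool:
    """True when the TCP payload contains any of the blocked strings."""
    payload = tcp_payload(pkt)
    return payload is not None and any(p in payload for p in PATTERNS)


def build_test_packet(payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet carrying `payload` (checksums left zero)."""
    total = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 6881, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def run_filter() -> None:
    """Read packets ipfw diverts to DIVERT_PORT; drop matches, reinject the rest."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    s.bind(("0.0.0.0", DIVERT_PORT))
    while True:
        pkt, addr = s.recvfrom(65535)  # addr records where ipfw diverted the packet
        if should_reject(pkt):
            continue                   # never written back, so the packet is dropped
        s.sendto(pkt, addr)            # reinject at the same point in the rule set


if __name__ == "__main__":
    run_filter()
```

The socket setup only works on FreeBSD with a matching divert rule; the parsing and matching functions run anywhere.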