On Friday 05 April 2002 05:27, Zygo Blaxell wrote:
> In article <[EMAIL PROTECTED]>,
> Maciej Soltysiak  <[EMAIL PROTECTED]> wrote:
> >> >     iptables -A INPUT -p tcp -m mport --dports 80 -m string --string "bad" -j DROP
> >> What happens here when 'b' and 'ad' are fragmented into two packets?
> >You do not get a match, the rule fails :)
> Why can't we use a magic protocol rewriter helper to match such strings,
> even in fragmented packets?  It would seem that if we can rewrite
> PORT commands on the fly (changing the lengths of the addresses in the
> process to boot!), we should be able to keep the last N bytes of a TCP
> connection in memory, and do a strstr on the tail end of it every time
> a new packet comes in.  This would have all the same problems as a
> helped TCP connection, of course (possibly no SACK, for instance).

Hello,

NAT helpers are written because we have no choice, simply because
people want them. But NAT is still very ugly for some protocols,
including FTP. The proper way for that
kind of protocol _should be_ proxying. Now the thing you explain
is perfectly done with sockets in userland, where you can afford
to read the whole string, and in userland, you don't even care
about the packets, nor packet queueing ...
Really, implementing some HTTP command/URL
filtering stuff using the string match would be very insecure.
We talked many times on this mailing list about the problems
going along with it. Some of them are: NIDS evasion techniques
(using the ASCII codes instead of the letters, fragmented packets,
the same string contained in the data payload would match and shouldn't, etc.).
If you need more info, please refer to the archive.

Have a nice day,

Fabrice.
--
Fabrice MARIE
Senior R&D Engineer
Celestix Networks
http://www.celestix.com/

"Silly hacker, root is for administrators" 
       -Unknown

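The three behaviours discussed in this thread, side by side, as an added example (not code from either poster or from netfilter): a stateless per-packet match like `-m string`, the "keep the last N bytes of the connection and search the tail plus the new packet" idea from the quoted reply, and the userland-proxy approach Fabrice recommends, which holds the whole request and matches on the decoded URL. The HTTP requests, the connection 4-tuple and the `compare()` helper are constructed for the example; the tail matcher assumes in-order, non-overlapping segments and does not handle retransmits, reordering or SACK.

```python
from urllib.parse import unquote_to_bytes

PATTERN = b"bad"


def packet_match(payload: bytes, pattern: bytes = PATTERN) -> bool:
    """Stateless per-packet match, i.e. what '-m string' does: it only sees
    the bytes of one packet, so a pattern split over two packets never hits."""
    return pattern in payload


class StreamTailMatcher:
    """Per-connection matcher in the spirit of the quoted proposal: remember
    the last N bytes of each connection and search the tail plus the new
    packet.  N = len(pattern) - 1 is enough to catch a split and small enough
    that an already-reported hit is never re-reported from the retained tail.
    Assumes in-order, non-overlapping segments (a real helper would also have
    to handle retransmits, reordering and SACK, as the thread notes)."""

    def __init__(self, pattern: bytes = PATTERN) -> None:
        self.pattern = pattern
        self.keep = len(pattern) - 1
        self.tails: dict = {}

    def feed(self, conn, payload: bytes) -> bool:
        window = self.tails.get(conn, b"") + payload
        self.tails[conn] = window[-self.keep:] if self.keep else b""
        return self.pattern in window


def proxy_match(request: bytes, pattern: bytes = PATTERN) -> bool:
    """What a userland proxy can do instead: it holds the whole request,
    parses the request line, percent-decodes the target and matches only
    there.  So '%62ad' is seen as 'bad', and 'bad' in a body is not a hit."""
    head, _sep, _body = request.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False
    return pattern in unquote_to_bytes(parts[1])


# Constructed sample traffic (not captured data).
SPLIT_REQUEST = [b"GET /b", b"ad HTTP/1.0\r\n\r\n"]        # 'bad' straddles a packet boundary
ENCODED_REQUEST = b"GET /%62ad HTTP/1.0\r\n\r\n"             # 'b' sent as %62
BODY_REQUEST = b"POST /ok HTTP/1.0\r\nContent-Length: 7\r\n\r\nnot bad"


def compare() -> dict:
    """Runs the three matchers over the sample traffic; returns who hit what."""
    stream = StreamTailMatcher()
    conn = ("10.0.0.1", 40000, "10.0.0.2", 80)  # constructed 4-tuple
    return {
        # per-packet match: neither half contains 'bad'
        "split/packet": any(packet_match(p) for p in SPLIT_REQUEST),
        # tail matcher: the second packet completes the pattern
        "split/stream": any(stream.feed(conn, p) for p in SPLIT_REQUEST),
        "split/proxy": proxy_match(b"".join(SPLIT_REQUEST)),
        # percent-encoding: byte matchers see '%62ad', the server sees 'bad'
        "encoded/packet": packet_match(ENCODED_REQUEST),
        "encoded/proxy": proxy_match(ENCODED_REQUEST),
        # 'bad' only in the body: a byte matcher hits, a URL filter should not
        "body/packet": packet_match(BODY_REQUEST),
        "body/proxy": proxy_match(BODY_REQUEST),
    }


if __name__ == "__main__":
    for name, hit in compare().items():
        print(f"{name:16} {'HIT' if hit else 'miss'}")
```

The tail matcher closes the fragmentation gap but is still a byte matcher: the percent-encoded request sails past it, and a body that happens to contain the string is dropped. Only the proxy, which reassembles and decodes the request the way the server will, gets all three cases right, which is the point made above about doing this in userland.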