From: Tom E. <te...@sh...> - 2003-01-28 17:12:50

--On Tuesday, January 28, 2003 12:07 PM -0500 Zachariah Mully <zm...@sm...> wrote:

> On Tue, 2003-01-28 at 11:58, Steve Postma wrote:
>> Is it possible to block packets based on content? I would specifically
>> like to block the script kiddies' "GET /script/*" packets from reaching
>> my webserver.
>> Thanks for your time,
>> Steve
>
> Look at the netfilter.org site in the patch-o-matic section. They have
> at least one patch, STRING, which will allow you to match a string inside
> a whole packet. This is about as close as you're going to get with
> iptables, I think, to doing what you want.

I don't recommend that approach (and neither do the folks on the netfilter
list). You want to use a Proxy to do content filtering; using STRING
matching leaves you open to DoS attacks and STRING is easy to defeat
anyway.

-Tom

--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ te...@sh...
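As an added illustration of the proxy-layer approach Tom recommends (example code, not from the list or from Shorewall): a proxy sees the reassembled HTTP request line rather than the bytes of one packet, so it can canonicalize the path before matching it against a policy. The `BLOCKED_PREFIXES` list and the `should_block` / `normalize_path` names are assumptions chosen for this example.

```python
"""Proxy-layer request filter for the 'GET /script/*' case from the thread.
Assumes the proxy hands us the complete, reassembled request line."""
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical policy: path prefixes the proxy should refuse to forward.
BLOCKED_PREFIXES = ("/script/", "/scripts/")


def normalize_path(raw_target):
    """Reduce an HTTP request-target to one canonical path.

    Percent-decodes, collapses '.' and '..' segments and folds case so
    that every spelling of the same resource yields the same string;
    a packet-level byte match cannot do any of this.
    """
    path = urlsplit(raw_target).path or "/"
    path = unquote(path)
    path = posixpath.normpath(path)      # '/Script/../scripts/x' -> '/scripts/x'
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def should_block(request_line):
    """Return True when a request line targets a blocked prefix.

    Malformed request lines are refused outright: a proxy should never
    guess at the intent of a line it cannot parse.
    """
    parts = request_line.strip().split()
    if len(parts) != 3:
        return True
    _method, target, version = parts
    if not version.upper().startswith("HTTP/"):
        return True
    path = normalize_path(target)
    # normpath drops the trailing slash, so '/script/' becomes '/script';
    # treat the bare directory as blocked too.
    return any(path == p.rstrip("/") or path.startswith(p) for p in BLOCKED_PREFIXES)


if __name__ == "__main__":
    # Constructed sample request lines, as a proxy would see them.
    for line in ("GET /script/cmd.exe HTTP/1.0",
                 "GET /Script/../scripts/x HTTP/1.1",
                 "GET /index.html HTTP/1.1"):
        print("BLOCK " if should_block(line) else "ALLOW ", line)
```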