Re: iptables anti-nimda anyone?

From: José Luis Domingo López (jdomingo@internautas.org)
Date: 09/23/01


Date: Sun, 23 Sep 2001 11:46:16 +0000
From: José Luis Domingo López <jdomingo@internautas.org>
To: focus-linux@securityfocus.com
Subject: Re: iptables anti-nimda anyone?
Message-ID: <20010923114616.A1054@dardhal.mired.net>

On Friday, 21 September 2001, at 15:38:33 -0000,
R Dicaire wrote:

> Forwarded From: Sven Michels <smichels@intradat.com>
>
> > if you've patched the kernel with string match support: yes:
> > $IPTABLES -I INPUT -p tcp --dport 80 -m string --string .exe? -m state \
> > --state ESTABLISHED -j REJECT --reject-with tcp-reset
> > (same works with .ida for the old one)
>
> Where can this patch be had if its not included with the kernel, or iptables
> src? I can see where having this string filter could be handy.
>
Download the latest iptables tar.bz2 from netfilter.samba.org and read the
included INSTALL. A simple:
make patch-o-matic KERNEL_DIR=<<where-your-kernel-is>>

takes you to an interactive menu where you select which iptables
extensions you want to generate kernel patches for. One of them is the
string match, which lets you:

The string patch:
   Author: Emmanuel Roger <winfield@freegates.be>
   Status: Working
   
   This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to
   match a string in a whole packet.
   
   THIS PATCH REQUIRES AT LEAST KERNEL 2.4.9 !!!

Greetings.

-- 
José Luis Domingo López
Linux Registered User #189436     Debian Linux Woody (P166 64 MB RAM)
 
jdomingo EN internautas PUNTO org  => ¿ Spam ? Atente a las consecuencias
jdomingo AT internautas DOT   org  => Spam at your own risk
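The rule quoted in the thread, worked through as an added example (this is not code from the original posting or from the netfilter project): a small POSIX shell script that emits one string-match REJECT rule per probe pattern, using the two substrings named in the thread (".exe?" for Nimda, ".ida" for Code Red), and a function that emulates what the match actually sees. It assumes the present-day `iptables -m string` syntax, which requires `--algo bm` (the 2.4 patch-o-matic version quoted above had no such option), and it uses constructed sample request lines, not captured traffic. The script prints the rules rather than installing them; nothing here changes the firewall unless its output is fed to `sh` as root.

```shell
#!/bin/sh
# Added example, not from the original thread or from netfilter.
# Assumption: modern iptables string match syntax (-m string --algo bm).

IPTABLES=${IPTABLES:-/sbin/iptables}

# Print one REJECT rule per pattern, inserted at the top of INPUT.
# --state ESTABLISHED: the GET only arrives after the handshake, so the
# match fires on an established flow and the tcp-reset tears it down.
# "$@" is used (not a glob-expanded variable) so that the '?' in ".exe?"
# is never subject to pathname expansion.
build_rules() {
    for p in "$@"; do
        printf '%s -I INPUT -p tcp --dport 80 -m state --state ESTABLISHED -m string --algo bm --string "%s" -j REJECT --reject-with tcp-reset\n' \
            "$IPTABLES" "$p"
    done
}

# Emulate the kernel match: a fixed-substring search over the payload of
# ONE packet.  Returns 0 on a hit, 1 otherwise.  Quoting "$p" inside the
# case pattern keeps '?' and '.' literal, as the kernel match treats them.
payload_matches() {
    payload=$1
    shift
    for p in "$@"; do
        case $payload in
            *"$p"*) return 0 ;;
        esac
    done
    return 1
}

# Constructed sample payloads (not captured traffic).
NIMDA_PROBE='GET /scripts/root.exe?/c+dir HTTP/1.0'
BENIGN='GET /index.html HTTP/1.0'
# The same probe split across two TCP segments, as a sender may do.
SEG1='GET /scripts/root.ex'
SEG2='e?/c+dir HTTP/1.0'

demo() {
    build_rules ".exe?" ".ida"
    payload_matches "$NIMDA_PROBE" ".exe?" ".ida" && echo "probe: rejected"
    payload_matches "$BENIGN" ".exe?" ".ida" || echo "benign: passed"
    # Caveat: the string match does not reassemble the stream, so a
    # signature that straddles a segment boundary is missed in both halves.
    if ! payload_matches "$SEG1" ".exe?" && ! payload_matches "$SEG2" ".exe?"; then
        echo "split probe: passed both packets (per-packet match limitation)"
    fi
}

demo
```

The last case in `demo` is the caveat worth remembering before relying on this rule as more than a nuisance filter: the match is per packet, so a request whose signature crosses a segment boundary gets through, and an attacker who controls segmentation can arrange that. It is a cheap way to cut down worm noise on a busy port 80, not a substitute for patching the web server.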


