Re: iptables anti-nimda anyone?

Date: 09/24/01

Date: Mon, 24 Sep 2001 12:21:05 +0300
To: <>
Subject: Re: iptables anti-nimda anyone?
Message-ID: <>

Hi R!
On Fri, 21 Sep 2001, R Dicaire wrote:

> Forwarded From: Sven Michels <>
> > if you've patched the kernel with string match support: yes:
> > $IPTABLES -I INPUT -p tcp --dport 80 -m string --string .exe? -m state \
> > --state ESTABLISHED -j REJECT --reject-with tcp-reset
> > (same works wizh .ida for the old one)
> Where can this patch be had if its not included with the kernel, or iptables
> src? I can see where having this string filter could be handy.

it's not activated by default (considered experimental); you must run `make
patch-o-matic' or `most-of-pom' (iirc) if you want it in (and yap, in iptables
> Also, could this filter rule be bypassed with some unicode representation of
> said string?

good point.
as far as could understand from ipt_string.c it matches exactly the string
that was provided, so it can be tricked (unless you come with several versions
of the rule to take that into account).


-- teodor