Re: apache and nimbda

From: William N. Zanatta (william@veritel.com.br)
Date: 02/01/02


Date: Fri, 01 Feb 2002 18:53:02 -0200
From: "William N. Zanatta" <william@veritel.com.br>
To: David Correa <tech@linux-tech.com>

David,

   You must first apply the string matching patch...
   Now, everybody take a look at this...

From the 'netfilter-extensions-howto' about --string:

"Please do use this match with caution. A lot of people want to use this
match to stop worms, along with the DROP target. This is a major
mistake. It would be defeated by any IDS evasion method.

In a similar fashion, a lot of people have been using this match as a
means to stop particular functions in HTTP like POST or GET by dropping
any HTTP packet containing the string POST. Please understand that this
job is better done by a filtering proxy. Additionally, any HTML content
with the word POST would get dropped with the former method. This match
has been designed to be able to queue to userland interesting packets
for better analysis, that's all. Dropping packets based on this would be
defeated by any IDS evasion method."

I was encouraged to apply it to my firewall but now I'm in doubt about
doing that.

William

David Correa wrote:

> Tommaso,
>
> How did you do that? I have iptables v1.2.5 on a 2.4.17
> and it is not working for me. I did not see the "--string"
> option in the iptables man page.
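The two problems the howto quote describes, modelled in a small added example (not code from the thread or from netfilter): a string match that looks at one packet at a time misses a pattern that TCP happens to split across two segments, while a proxy or any other stream-level check that reassembles the flow sees it; and any packet whose payload merely contains the word (here an HTML page) matches too, so a DROP rule would discard it. The flows, segments and the pattern `cmd.exe` are constructed for the example.

```python
# Added example: per-packet string match vs. reassembled-stream match.
# All segments and the watched pattern are constructed, not captured.
from collections import defaultdict

PATTERN = b"cmd.exe"  # assumption: the substring a string-match rule would watch

# (flow_id, tcp_seq_offset, payload) tuples, constructed for this example.
# flowA: whole request in one segment.
# flowB: the same request split by TCP into two segments, cutting the pattern.
# flowC: a server response whose HTML text merely mentions the word.
SEGMENTS = [
    ("flowA", 0, b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"),
    ("flowB", 0, b"GET /scripts/cm"),
    ("flowB", 15, b"d.exe HTTP/1.0\r\n\r\n"),
    ("flowC", 0, b"HTTP/1.0 200 OK\r\n\r\n<p>Never run cmd.exe from a CGI.</p>"),
]


def per_packet_match(segments, pattern=PATTERN):
    """Model of a stateless packet filter: each segment is inspected alone.

    Returns the ids of flows with at least one matching segment."""
    hits = []
    for flow, _seq, payload in segments:
        if pattern in payload and flow not in hits:
            hits.append(flow)
    return hits


def reassembled_match(segments, pattern=PATTERN):
    """Model of a proxy or stream-aware IDS: reassemble each flow in
    sequence order, then search the whole stream."""
    streams = defaultdict(list)
    for flow, seq, payload in segments:
        streams[flow].append((seq, payload))
    hits = []
    for flow, parts in streams.items():
        data = b"".join(payload for _seq, payload in sorted(parts))
        if pattern in data:
            hits.append(flow)
    return hits


if __name__ == "__main__":
    print("per-packet  :", per_packet_match(SEGMENTS))   # flowB is missed
    print("reassembled :", reassembled_match(SEGMENTS))  # flowB is found
```

flowC shows up in both lists, which is the false positive the howto warns about: the match says nothing about whether the word is a request or just page content.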
