nimda and string match [Re: apache and nimbda]

From: Vincent Haverlant (
Date: 02/05/02

Date: Tue, 5 Feb 2002 19:24:38 +0100
From: Vincent Haverlant <>
To: "William N. Zanatta" <>

Le Fri, Feb 01, 2002 at 06:53:02PM -0200, William N. Zanatta a écrit:
| David,
[netfilter-howto snip]
| I was encouraged to apply it to my firewall but now I'm in doubt about
| doing that.
| >Tommaso,
| >
| >How did you do that? I have iptables v1.2.5 on a 2.4.17
| >and is not working for me. I did not see the "--string"
| >option on iptables man page.

It is true to say that the string match will not be useful to you to
avoid nimda making requests on your apache server. Moreover you will
still get some logs in apache because the SYN paquet will reach your
box and thus open the connection on apache. After that all the paquets
which contain the request made by nimda will be DROPED by your string
match rule but it's too late, Apache will be waiting for something on
the other side. That way you will get many open connection waiting for
some event and will eventually fall in timeout.
Bad effects:
        - many open and idle connection on apache
        - still some logs because of these connection which end in

If the reason why you want to block nimda is the amount of log, then use
apache customizable functionality which as already been mentioned here.

If you want to block nimda to protect a bunch of IIS servers which could
sit behind your firewall, I think you should use a proxy like squid and
set ACLs based on the request itself. A second good reason why you
should use squid is that it is able to decode UCS2 requests or mixed
ascii/UCS2 requests, which iptables would not be able to do.

My 2c


   .~.   	Vincent Haverlant  -- Galadril -- #ICQ: 35695155   
   /V\   	MUD -- FranDUMII (
  /( )\  	Parinux (
  ^^-^^  "There is no system but GNU, and Linux is one of its kernels"