* RE: filtering by packet contents?
@ 2003-07-16  5:51 George Vieira
  2003-07-16  6:22 ` Daniel Chemko
  0 siblings, 1 reply; 6+ messages in thread
From: George Vieira @ 2003-07-16  5:51 UTC (permalink / raw)
  To: cc, netfilter

You can use the p-o-m patch for the string module: "-m string --string pattern".

This works and can be used for some funky stuff too, like redirecting 1 virtual host on a server to another server, which is very handy when a particular virtual host goes down...

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au




* Re: filtering by packet contents?
  2003-07-16  5:51 filtering by packet contents? George Vieira
@ 2003-07-16  6:22 ` Daniel Chemko
  0 siblings, 0 replies; 6+ messages in thread
From: Daniel Chemko @ 2003-07-16  6:22 UTC (permalink / raw)
  To: George Vieira; +Cc: cc, netfilter

George Vieira wrote:

>You can use the p-o-m patch for the string module: "-m string --string pattern".
>
>This works and can be used for some funky stuff too, like redirecting 1 virtual host on a server to another server, which is very handy when a particular virtual host goes down...

Just keep in mind that the string patch is VERY heavy on CPU depending 
on how much traffic passes through the rule.




* RE: filtering by packet contents?
  2003-07-16  6:43 George Vieira
  2003-07-16 11:30 ` Waldecir Loureiro dos Santos Filho
@ 2003-07-16 13:34 ` Waldecir Loureiro dos Santos Filho
  1 sibling, 0 replies; 6+ messages in thread
From: Waldecir Loureiro dos Santos Filho @ 2003-07-16 13:34 UTC (permalink / raw)
  To: George Vieira, Daniel Chemko; +Cc: cc, netfilter

I have a little question: how can I measure whether the machine is slowing down
my network performance? And how can I see the CPU load of iptables?


********Confidentiality of Electronic Mail***************
Confidential information may be contained in this message. If you are not on
the list of recipients or are not the sender of this message, you must not copy
or forward it to anyone. In that case, you must destroy it and notify the
sender. The company considers opinions, conclusions and other information that
do not relate to the official business of the corporation to be the
responsibility of the user of the service.





* RE: filtering by packet contents?
  2003-07-16  6:43 George Vieira
@ 2003-07-16 11:30 ` Waldecir Loureiro dos Santos Filho
  2003-07-16 13:34 ` Waldecir Loureiro dos Santos Filho
  1 sibling, 0 replies; 6+ messages in thread
From: Waldecir Loureiro dos Santos Filho @ 2003-07-16 11:30 UTC (permalink / raw)
  To: netfilter


I have a question: how can I measure the CPU load of my Linux box with
iptables?
I have a P200 but it always stays at 98% idle, and I have high traffic going
in.
I see high traffic with TCPDUMP. Hehe.

Does somebody know how?


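For the two questions above about measuring the CPU cost of iptables, an added example that is not from the thread: packet filtering runs in softirq context, so the softirq column of the aggregate cpu line in /proc/stat, compared across an interval, is a better indicator than the idle figure from top. It assumes the Linux 2.6+ /proc/stat layout; the function names and the default sampling interval are my own.

```shell
#!/bin/sh
# Added example (not from the thread): estimate how much CPU the netfilter
# path is consuming. Netfilter hooks run in the NET_RX softirq, so the
# "softirq" column of the "cpu" line in /proc/stat is the number to watch.
# Assumption: Linux 2.6+ /proc/stat field order
#   cpu user nice system idle iowait irq softirq steal ...
# (a 2.4 kernel only has the first four columns, so this prints 0 there).

# Percentage of elapsed CPU time spent in softirq between two "cpu" lines.
softirq_share() {   # $1 = earlier cpu line, $2 = later cpu line
    printf '%s\n%s\n' "$1" "$2" | awk '
        { total = 0
          for (i = 2; i <= NF; i++) total += $i
          t[NR] = total; si[NR] = $8 }
        END { d = t[2] - t[1]
              if (d <= 0) { print 0; exit }
              printf "%d\n", (si[2] - si[1]) * 100 / d }'
}

# Sample the live box over $1 seconds (default 5) and print the softirq share.
sample_softirq() {
    before=$(grep '^cpu ' /proc/stat)
    sleep "${1:-5}"
    after=$(grep '^cpu ' /proc/stat)
    softirq_share "$before" "$after"
}

# To see which rules do the work, the per-rule packet/byte counters help
# (needs root):  iptables -L INPUT -v -n -x
```

A softirq share that climbs with traffic while the user/system columns stay flat points at the packet path (including any string match) rather than at userspace.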





* RE: filtering by packet contents?
@ 2003-07-16  6:43 George Vieira
  2003-07-16 11:30 ` Waldecir Loureiro dos Santos Filho
  2003-07-16 13:34 ` Waldecir Loureiro dos Santos Filho
  0 siblings, 2 replies; 6+ messages in thread
From: George Vieira @ 2003-07-16  6:43 UTC (permalink / raw)
  To: Daniel Chemko; +Cc: cc, netfilter

Yes this is true but what you can do is this...

Patch in the "string" module as well as the "iplimit" module

Add a rule for "iplimit" to block already registered IPs for xx seconds.
Then add a rule for SYN connections with that --string to add its source to the iplimit table.

Usually the code red attacks aren't spoofed (from memory) and are just trying to get in.. so after the first attempt, the second/third/fourth will be automatically dropped and won't be looked at by --string since iplimit blocks before it... get it? this should not stress the CPU as much I don't think...

dunno if that made sense or would fully work 100% but it's an idea I had for other types of problems.. PSD is another one..

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

-----Original Message-----
From: Daniel Chemko [mailto:dchemko@smgtec.com]
Sent: Wednesday, July 16, 2003 4:23 PM
To: George Vieira
Cc: cc; netfilter@lists.netfilter.org
Subject: Re: filtering by packet contents?


George Vieira wrote:

>You can you use the p-o-m patch for the string module "-m string --string pattern"
>
>this works and can be used for some funky stuff too like redirecting 1 virtual host on a server to another server which is very handy when a particular virtual host goes down...
>
>  
>

Just keep in mind that the string patch is VERY heavy on CPU depending 
on how much traffic passes through the rule.
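The layering George describes, as an added example that is not from the thread: a rule set for a current iptables, using the in-tree recent and string matches in place of the 2003 patch-o-matic iplimit/string patches, in which a cheap per-source check is evaluated before the payload match, so a source that has already matched once is dropped without another string search. The chain name, the 60-second window and the pattern EXAMPLE-PATTERN are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): put a cheap per-source block in front
# of the expensive payload match, so repeat offenders never reach -m string.
# Assumptions: iptables with the "recent" and "string" matches (standing in
# for the 2003 p-o-m "iplimit"/"string" patches); PATTERN, BLOCK_SECONDS and
# CHAIN are constructed placeholders, not real signatures.
PATTERN="${PATTERN:-EXAMPLE-PATTERN}"
BLOCK_SECONDS="${BLOCK_SECONDS:-60}"
CHAIN="WEBFILTER"

# Emit the rules, one per line, in the order they must be evaluated:
# 1. a source already in the "badhosts" table is dropped before any payload
#    inspection (this also drops its bare SYNs, which carry no payload);
# 2. only packets that get past that pay for the Boyer-Moore string search,
#    and a hit records the source for the next BLOCK_SECONDS.
gen_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A INPUT -p tcp --dport 80 -j $CHAIN
iptables -A $CHAIN -m recent --name badhosts --rcheck --seconds $BLOCK_SECONDS -j DROP
iptables -A $CHAIN -p tcp --dport 80 -m string --algo bm --string "$PATTERN" -m recent --name badhosts --set -j DROP
iptables -A $CHAIN -j RETURN
EOF
}

# Return 0 when the cheap "recent" check precedes the costly "string" match.
rules_ordered() {
    gen_rules | awk '/--rcheck/ && !r { r = NR }
                     /-m string/ && !s { s = NR }
                     END { exit !(r && s && r < s) }'
}

# Apply the rules (needs root); with DRY_RUN=1 just print what would run.
apply_rules() {
    gen_rules | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}
```

The string match still inspects every first-time packet on port 80, so the CPU saving only materialises for sources that come back; `iptables -L WEBFILTER -v -n -x` shows how many packets each rule actually handled.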




* filtering by packet contents?
@ 2003-07-16  4:47 cc
  0 siblings, 0 replies; 6+ messages in thread
From: cc @ 2003-07-16  4:47 UTC (permalink / raw)
  To: netfilter

Hi,

I don't know if I'm getting confused, so if
someone can clarify whether I'm using the
wrong tool for the problem; but basically,
I have a webserver behind a firewall
(iptables 1.2.8) and the web access
packets are filtering in properly.

Is it possible to set iptables to
drop any packets depending on
the content?  The thing that
comes to mind is this CodeRed/
Nimda crap that comes in.  While
it doesn't affect my webserver
at all, I just don't like it
clogging up the dang log.

At this point of writing, I'm tending
towards the answer of "No, iptables
is not the right tool, nor can it
do that."  Is this correct?

Thanks for any clarification in
this matter.

Edmund



