Re: L7 switching: string.patch for IPTables?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: L7 switching: string.patch for IPTables?
From: Roberto Nibali <ratz@xxxxxx>
Date: Mon, 24 Sep 2001 20:58:16 +0200
Hello Zack,

> Howdy all-
>         I was checking out iptables 1.2.3 when I came across this interesting
> patch:
> http://cvs.samba.org/cgi-bin/cvsweb/netfilter/userspace/patch-o-matic/string.patch

Indeed, this is a very interesting contribution to the netfilter world.

>         It allows one to write iptables rules like this:
> $IPTABLES -I INPUT -p tcp --dport 80 -m string --string .exe? -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset

I haven't had the time to read the binary analysis of the nimda code, but
as soon as you get the pattern in hex, you can use the u32 selector of
tc and be way faster by just blackholing or table bouncing the matched
selector.

>         I was initially investigating this as a quick and dirty way of 
> blocking
> Nimda from my network (all linux, but I still didn't want that nasty
> little guy flying around on my samba servers) at my firewall, but then
> it occurred to me that I could also use this in combination with a
> fwmark-based LVS system to provide pseudo-L7 loadbalancing capabilities.
> In my case I want to loadbalance a set of named based virtual hosts all
> differently, some need SSL, some don't, some I only want balanced off
> two servers instead of three.

Yep, this could be deployed in that way, although I still like the u32
selector better. You set a rule to the FIB using a u32 selector, and then
we should provide a means for adding an LVS service table entry for FIB
classids.

>         Has anyone played with this patch? I don't have a lab or the equipment
> to setup a test system, but I figure that with all the intelligent LVS
> users out there, someone must have tried this patch already ;)

Since an Italian wrote it, I trust it :) I haven't tested it yet, but I surely
will some day. The problem I see here is that everybody seems to solve
the same problem in a slightly different matter. We have the following approaches:

o snort     : Uses a simple pattern matching algorithm in user space
o netfilter : Boyer Moore sublinear search algorithm in kernel space
o LVS ktcpvs: Ask Wensong or read the code ;) 
 
> Thanks again,
> Zack

I'm not sure I could be of any help, but I was hoping other people would join
this (for me) interesting discussion about such L7 implementations and virus
blockers.

Best regards,
Roberto Nibali, ratz

-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
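The two matching styles contrasted in the message above, as an added illustration that is not code from the thread, from netfilter, tc or LVS: a Boyer-Moore-Horspool substring search (the sublinear search family the netfilter string match belongs to), which finds a pattern at any offset in a payload, beside a u32-style match that compares masked 32-bit words at fixed offsets, which is cheaper but only recognises a pattern at a known position. The payloads, the `.exe?` pattern and the `GET /cgi-bin/` prefix are constructed for the example; as a simplification, offsets are counted from the start of the TCP payload, whereas a real tc u32 selector counts from the IP header.

```python
# Added example (not from the thread, netfilter, tc or LVS): two ways of
# recognising a byte pattern in a TCP payload.
#   - string_match(): Boyer-Moore-Horspool, a sublinear search like the one
#     netfilter's string match uses; finds the pattern at any offset.
#   - u32_match(): masked 32-bit word compares at fixed offsets, the way a
#     tc u32 selector works; fast, but only sees a pattern at a known position.
# Assumption/simplification: offsets start at the TCP payload, not the IP header.
from typing import Dict, List, Tuple

U32Check = Tuple[int, int, int]  # (offset, mask, value); big-endian 32-bit word


def string_match(haystack: bytes, needle: bytes) -> int:
    """Return the first offset of needle in haystack, or -1 (Boyer-Moore-Horspool)."""
    n, m = len(haystack), len(needle)
    if m == 0:
        return 0
    if m > n:
        return -1
    # Bad-character table: how far the window may slide based on the byte
    # under the last needle position. Bytes absent from the needle allow a
    # full skip of m; that skipping is where the sublinear behaviour comes from.
    shift = [m] * 256
    for i in range(m - 1):
        shift[needle[i]] = m - 1 - i
    i = 0
    while i <= n - m:
        j = m - 1
        while j >= 0 and haystack[i + j] == needle[j]:  # compare right to left
            j -= 1
        if j < 0:
            return i
        i += shift[haystack[i + m - 1]]
    return -1


def u32_checks_for_bytes(pattern: bytes, offset: int) -> List[U32Check]:
    """Encode a byte string at a fixed offset as (offset, mask, value) word checks.
    A trailing partial word gets a mask that covers only its defined bytes."""
    checks: List[U32Check] = []
    for pos in range(0, len(pattern), 4):
        chunk = pattern[pos:pos + 4]
        padded = chunk.ljust(4, b"\x00")
        mask = (0xFFFFFFFF << (8 * (4 - len(chunk)))) & 0xFFFFFFFF
        checks.append((offset + pos, mask, int.from_bytes(padded, "big")))
    return checks


def u32_match(payload: bytes, checks: List[U32Check]) -> bool:
    """True when every masked word equals its expected value at its offset."""
    for off, mask, value in checks:
        word = payload[off:off + 4]
        if len(word) < 4:
            return False
        if int.from_bytes(word, "big") & mask != value:
            return False
    return True


# Constructed sample payloads (not captured traffic).
PATTERN = b".exe?"
PREFIX_CHECKS = u32_checks_for_bytes(b"GET /cgi-bin/", 0)
SAMPLES = {
    "at_expected_path": b"GET /cgi-bin/tool.exe?arg=1 HTTP/1.0\r\n",
    "benign": b"GET /index.html HTTP/1.0\r\n",
    "shifted_path": b"GET /mirror/cgi-bin/tool.exe?arg=1 HTTP/1.0\r\n",
}


def classify(payload: bytes) -> Dict[str, object]:
    """Run both matchers over one payload to show where each style applies."""
    return {
        "string_offset": string_match(payload, PATTERN),
        "u32_prefix": u32_match(payload, PREFIX_CHECKS),
    }


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(data))
```

Running it shows the trade-off: the u32 checks fire on the request whose path sits at the expected offset and stay silent on the shifted one, while the string search finds `.exe?` in both. That is why a u32 selector suits signatures with a fixed position (a header or a path prefix) and the string match suits patterns that may appear anywhere; both look at one packet's payload at a time, so matching across a whole TCP stream, as ktcpvs does, is a separate problem.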

