* filtering HTTP signatures/headers ?
From: S t i n g r a y @ 2006-03-01 11:45 UTC
To: netfilter

Is it possible to filter HTTP signatures/headers with
iptables? Or is there an addon for it?

take care

*º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
* Re: filtering HTTP signatures/headers ?
From: Rob Sterenborg @ 2006-03-01 12:13 UTC
To: netfilter

On Wed, March 1, 2006 12:45, S t i n g r a y wrote:
> Is it possible to filter HTTP signatures/headers with
> Iptables ? or is there addon for it ?

You may be able to use the String match, but you can only filter the payload of 1 packet at a time: if a signature/header spans multiple packets then it won't work.

Netfilter is not meant to do content filtering. Perhaps you can use Squid.

Gr,
Rob
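The limitation Rob describes above, as an added example that is not part of the thread: a signature that straddles a TCP segment boundary is invisible to a matcher that looks at one packet's payload at a time, but not to one that reassembles the stream first. The request bytes, the header string and the segment sizes are all constructed for the demonstration.

```python
"""Added example (not from the thread): why per-packet string matching,
as with an iptables rule of the form
    iptables -A FORWARD -p tcp --dport 80 -m string --algo bm \
             --string "User-Agent: SuspiciousTunnelClient" -j DROP
misses an HTTP header that straddles a TCP segment boundary, while a
stream-reassembling matcher still finds it.  Request and sizes are constructed."""

# Constructed HTTP request; the header we want to catch is User-Agent.
REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: SuspiciousTunnelClient/1.0\r\n"
    b"Accept: */*\r\n\r\n"
)
SIGNATURE = b"User-Agent: SuspiciousTunnelClient"


def segment(stream: bytes, mss: int) -> list[bytes]:
    """Split a byte stream into TCP-segment-sized payloads (constructed MSS)."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def match_per_packet(segments: list[bytes], sig: bytes) -> bool:
    """Per-packet matching: each payload is searched on its own.
    This is the behaviour Rob describes for the string match."""
    return any(sig in seg for seg in segments)


def match_reassembled(segments: list[bytes], sig: bytes) -> bool:
    """Stream-aware matching: payloads are joined in order before the
    search, so a signature spanning segments is still found."""
    return sig in b"".join(segments)


def demo(mss: int) -> tuple[bool, bool]:
    """Return (per-packet hit, reassembled hit) for a given segment size."""
    segs = segment(REQUEST, mss)
    return match_per_packet(segs, SIGNATURE), match_reassembled(segs, SIGNATURE)


if __name__ == "__main__":
    # Large MSS: the whole request fits in one segment, both approaches match.
    print("mss=1460", demo(1460))
    # Small MSS: the User-Agent header starts at offset 49 and is cut at
    # byte 64, so the per-packet matcher misses it; the reassembled one hits.
    print("mss=64", demo(64))
```

The same gap applies to any header the client is free to wrap, so a per-packet rule is at best a quick filter, not a reliable control.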
* Re: filtering HTTP signatures/headers ?
From: S t i n g r a y @ 2006-03-01 15:40 UTC
To: Rob Sterenborg, netfilter

Will it filter out HTTP tunneling also?

--- Rob Sterenborg <rob@sterenborg.info> wrote:
> You may be able to use the String match but you can
> only filter the payload of 1 packet at a time : if a
> signature/header spans multiple packets then it
> won't work.
>
> Netfilter is not meant to do content filtering.
> Perhaps you can use Squid.
* Re: filtering HTTP signatures/headers ?
From: Rob Sterenborg @ 2006-03-01 17:31 UTC
To: netfilter

On Wed, March 1, 2006 16:40, S t i n g r a y wrote:
> will it filter out HTTP tunneling also ?

Do you mean you have a VPN tunnel which transfers http, or what? If that is the case, I don't think so; Squid can only inspect traffic that it can see, of course. However, if the Squid box is at the end of the tunnel you may be able to do it.
But maybe I don't understand correctly what problem you are trying to solve.

Gr,
Rob
* Re: filtering HTTP signatures/headers ?
From: S t i n g r a y @ 2006-03-02 4:04 UTC
To: Rob Sterenborg, netfilter

The problem is that I have a proxy/firewall box that provides internet to my internal users. I have only permitted the common ports like ftp, http, smtp, pop3 etc. and blocked all others. Now there are a couple of p2p applications out there that tunnel through my port 80 as it's open; this is taking up my internet bandwidth, and I want to stop that...

regards

--- Rob Sterenborg <rob@sterenborg.info> wrote:
> Do you mean you have a VPN tunnel which transfers
> http, or what ? If that is the case, I don't think so ;
> Squid can only inspect traffic that it can see of course.
> However, if the Squid-box is at the end of the tunnel
> you may be able to do it.
> But maybe I don't understand correctly what problem
> you are trying to solve.
* Re: filtering HTTP signatures/headers ? (nfcan: addressed to exclusive sender for this address)
From: Jim Laurino @ 2006-03-02 5:37 UTC
To: netfilter

On 2006.03.01 23:04, S t i n g r a y - fasi_74@yahoo.com wrote:
> The problem is that , i have a proxy/firewall box that
> provides internet to my internal users, now i have
> only permitted the common ports like
> ftp,http,smtp,pop3 etc etc & blocked all other , now
> there are couple of p2p applications out there that
> tunnel through my port 80 as its open, this is taking
> up my internet bandwith, i want to stop that ...

Well, then what Rob said before applies.
Netfilter is not good for solving this problem.
Squid is reputed to be very good for this problem.

Regards,
Jim

--
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
* Re: filtering HTTP signatures/headers ? (nfcan: addressed to exclusive sender for this address)
From: Rob Sterenborg @ 2006-03-02 11:04 UTC
To: netfilter

On Thu, March 2, 2006 06:37, Jim Laurino wrote:
> On 2006.03.01 23:04, S t i n g r a y - fasi_74@yahoo.com wrote:
>> The problem is that , i have a proxy/firewall box that
>> provides internet to my internal users, now i have
>> only permitted the common ports like
>> ftp,http,smtp,pop3 etc etc & blocked all other , now
>> there are couple of p2p applications out there that
>> tunnel through my port 80 as its open, this is taking
>> up my internet bandwith, i want to stop that ...
>
> Well, then what Rob said before applies.
> Netfilter is not good for solving this problem.
> Squid is reputed to be very good for this problem.

AFAIK squid will not proxy P2P traffic; however, this could be of help:
http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-ipp2p

The example says:

    iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP

But maybe you can also use it as:

    iptables -A FORWARD -m ipp2p -j DROP

Gr,
Rob

--
"Having a say without insight results in a verdict without prospect."
* Re: filtering HTTP signatures/headers ?
From: Oleg @ 2006-03-02 11:36 UTC
To: netfilter

> now there are couple of p2p applications out there that
> tunnel through my port 80 as its open, this is taking
> up my internet bandwith, i want to stop that ...

To detect p2p try:
- iptables-p2p (mega.ist.utl.pt/~filipe/iptables-p2p/)
- ipp2p (check latest patch-o-matic-ng)
- l7-filter (l7-filter.sf.net)

--
Best regards,
Oleg
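The tools Oleg lists classify a connection by its application payload rather than its port. As an added example that is not part of the thread, here is a first-payload classifier in that spirit: flows to port 80 whose first client bytes do not form an HTTP request line are flagged, which is the "p2p tunnelled through port 80" case Stingray describes. The flow records, addresses and the inspection window size are constructed; the HTTP request-line and BitTorrent handshake patterns follow the published wire formats.

```python
"""Added example (not from the thread): l7-filter-style classification of
the first client payload of a connection.  Flows to port 80 that do not
start with an HTTP request line are flagged.  Sample flows are constructed."""
import re
from dataclasses import dataclass

# HTTP/1.x request line (RFC 2616): METHOD SP Request-URI SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)
# BitTorrent peer handshake: a length byte 0x13 followed by "BitTorrent protocol"
BT_HANDSHAKE = re.compile(rb"^\x13BitTorrent protocol")
INSPECT_BYTES = 256  # only the start of the flow is examined (constructed window)


@dataclass
class Flow:
    src: str
    dport: int
    first_payload: bytes  # first client-to-server application bytes


def classify(flow: Flow) -> str:
    """Return a verdict for one flow; only port-80 flows are inspected."""
    if flow.dport != 80:
        return "not-port-80"
    head = flow.first_payload[:INSPECT_BYTES]
    if not head:
        return "no-data-yet"   # nothing to decide on until the client sends data
    if HTTP_REQUEST_LINE.match(head):
        return "http"          # caveat: a tunnel wrapped in real HTTP requests lands here too
    if BT_HANDSHAKE.match(head):
        return "bittorrent-on-80"
    return "unknown-on-80"


def flagged(flows: list[Flow]) -> list[tuple[str, str]]:
    """Sources whose port-80 traffic does not look like HTTP."""
    return [(f.src, v) for f in flows
            if (v := classify(f)) in ("bittorrent-on-80", "unknown-on-80")]


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("192.0.2.11", 80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"X" * 40),
    Flow("192.0.2.12", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),  # constructed non-HTTP bytes
    Flow("192.0.2.13", 8080, b"GET / HTTP/1.1\r\n"),
    Flow("192.0.2.14", 80, b""),
]

if __name__ == "__main__":
    for src, verdict in flagged(SAMPLE_FLOWS):
        print(f"{src}: {verdict}")
```

The classifier needs the first client bytes of each flow, so it belongs where the stream is visible (a connection-tracking hook or a proxy), and a client that wraps its traffic in well-formed HTTP requests still classifies as "http".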