* how to block files with specific extensions
@ 2002-09-06 10:04 saravanan sakthi
2002-09-06 10:25 ` Stewart Thompson
2002-09-06 10:48 ` Antony Stone
0 siblings, 2 replies; 7+ messages in thread
From: saravanan sakthi @ 2002-09-06 10:04 UTC (permalink / raw)
To: netfilter
Dear friend,
I am using rc.firewall for NATing. This Linux box acts
as a gateway for my client systems to connect to the
internet. Now here I want to block files with certain
extensions passing to my client machines. Please help
me ...
Regards,
Saravanan
* RE: how to block files with specific extensions
2002-09-06 10:04 how to block files with specific extensions saravanan sakthi
@ 2002-09-06 10:25 ` Stewart Thompson
2002-09-06 21:31 ` Martin Stricker
2002-09-06 10:48 ` Antony Stone
1 sibling, 1 reply; 7+ messages in thread
From: Stewart Thompson @ 2002-09-06 10:25 UTC (permalink / raw)
To: saravanan sakthi, netfilter
Hi Saravanan:
Netfilter is a packet-based system. So, I don't think
you can do what you're proposing with it. There may be other
applications that could do that, operating at a higher level in the
OSI stack. If you give the list a better description of your
exact requirements, someone might be able to make a
suggestion.
Stu.......
* Re: how to block files with specific extensions
2002-09-06 10:04 how to block files with specific extensions saravanan sakthi
2002-09-06 10:25 ` Stewart Thompson
@ 2002-09-06 10:48 ` Antony Stone
2002-09-06 12:19 ` Monitoring NAT functionality Logu
1 sibling, 1 reply; 7+ messages in thread
From: Antony Stone @ 2002-09-06 10:48 UTC (permalink / raw)
To: netfilter
On Friday 06 September 2002 11:04 am, saravanan sakthi wrote:
> Dear friend,
> I am using rc.firewall for NATing. This Linux box acts
> as a gateway for my client systems to connect to the
> internet. Now here I want to block files with certain
> extensions passing to my client machines. Please help
> me ...
You need a content filtering system (proxy server) to do this - netfilter is
a packet filter and cannot do what you want.
You might be tempted to use the string match in iptables to match file
extensions but it will not work completely and you will almost certainly get
both:
  - files you want to block actually passing through
  - files or other commands you want to accept being blocked
I suggest you look into something like Squid or Hogwash.
Antony.
--
Documentation is like sex:
when it's good, it's very very good;
when it's bad, it's still better than nothing.
* Monitoring NAT functionality
2002-09-06 10:48 ` Antony Stone
@ 2002-09-06 12:19 ` Logu
2002-09-06 12:28 ` Stewart Thompson
2002-09-06 12:51 ` Antony Stone
0 siblings, 2 replies; 7+ messages in thread
From: Logu @ 2002-09-06 12:19 UTC (permalink / raw)
To: netfilter
Hi all,
Is there a tool that can be run on a machine where NAT rules are put, to see
if the packets are properly NATed?
That is, I want to see the packets (I mean only the source and destination)
before and after NATing. I tried with tcpdump. Is there any other tool to
simply monitor this with a timestamp?
Thanks and regards
-Logu
* RE: Monitoring NAT functionality
2002-09-06 12:19 ` Monitoring NAT functionality Logu
@ 2002-09-06 12:28 ` Stewart Thompson
2002-09-06 12:51 ` Antony Stone
1 sibling, 0 replies; 7+ messages in thread
From: Stewart Thompson @ 2002-09-06 12:28 UTC (permalink / raw)
To: Logu, netfilter
Logu:
Have you tried iptstate? It gives you a top-type display of
all the connections.
Stu.....
* Re: Monitoring NAT functionality
2002-09-06 12:19 ` Monitoring NAT functionality Logu
2002-09-06 12:28 ` Stewart Thompson
@ 2002-09-06 12:51 ` Antony Stone
1 sibling, 0 replies; 7+ messages in thread
From: Antony Stone @ 2002-09-06 12:51 UTC (permalink / raw)
To: netfilter
On Friday 06 September 2002 1:19 pm, Logu wrote:
> Hi all,
> Is there a tool that can be run on a machine where NAT rules are put, to see
> if the packets are properly NATed?
> That is, I want to see the packets (I mean only the source and destination)
> before and after NATing. I tried with tcpdump. Is there any other tool to
> simply monitor this with a timestamp?
I find ethereal nicer to work with than tcpdump - plug that into both
interfaces and see if it shows original & translated packets conveniently
close together?
Antony
--
If at first you don't succeed, destroy all the evidence that you tried.
* Re: how to block files with specific extensions
2002-09-06 10:25 ` Stewart Thompson
@ 2002-09-06 21:31 ` Martin Stricker
0 siblings, 0 replies; 7+ messages in thread
From: Martin Stricker @ 2002-09-06 21:31 UTC (permalink / raw)
To: saravanan sakthi, netfilter
Stewart Thompson wrote:
>
> Hi Saravanan:
>
> Netfilter is a packet-based system. So, I don't think
> you can do what you're proposing with it. There may be other
> applications that could do that, operating at a higher level in the
> OSI stack. If you give the list a better description of your
> exact requirements, someone might be able to make a
> suggestion.
Depending on what kind of files you want to filter, you will have to do
it in different software: To prevent downloading certain files with the
web browser or via FTP (which most browsers can do also), you need to
set up a web cache/proxy. Popular software for that on Linux is squid.
Then configure squid to deny the file extensions you don't like, and
configure netfilter to only accept HTTP/FTP connections from your proxy.
If you want to deny certain file types as e-mail attachments you have to
do so in your e-mail server software. Procmail should be able to, and
several anti-virus packages can do this also.
Best regards,
Martin Stricker
--
Homepage: http://www.martin-stricker.de/
Linux Migration Project: http://www.linux-migration.org/
Red Hat Linux 7.3 for low memory: http://www.rule-project.org/
Registered Linux user #210635: http://counter.li.org/
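
Added example, not part of any post in this thread: a small Python simulation contrasting the per-packet string matching that Antony Stone warns about with the proxy-level check on the parsed request URL that Martin Stricker suggests. The deny-list, the host name `example.test` and the sample requests are constructed, and both functions are simplified models, not iptables or Squid code.

```python
import re
from urllib.parse import urlsplit, unquote

BLOCKED_EXT = {".exe", ".scr", ".pif"}  # constructed sample deny-list


def packet_string_match(segments, needle=b".exe"):
    """Model of a packet filter's string match (assumed case-sensitive):
    every segment is inspected on its own, with no stream reassembly
    and no knowledge of where the URL sits inside the payload."""
    return any(needle in seg for seg in segments)


def proxy_decision(segments):
    """Model of a proxy: reassemble the stream, parse the HTTP request
    line, and test only the extension of the decoded, lower-cased path."""
    request = b"".join(segments).decode("latin-1")
    _method, target, _version = request.split("\r\n", 1)[0].split(" ", 2)
    path = unquote(urlsplit(target).path).lower()
    ext = re.search(r"\.[a-z0-9]+$", path)
    return "deny" if ext and ext.group() in BLOCKED_EXT else "allow"


# Constructed sample traffic: one proxy-style request, then variations of it.
REQ = b"GET http://example.test/files/setup.exe HTTP/1.0\r\nHost: example.test\r\n\r\n"
CUT = REQ.index(b".exe") + 2  # a segment boundary that falls inside the name

CASES = {
    "single segment": [REQ],
    "split inside name": [REQ[:CUT], REQ[CUT:]],
    "upper-case name": [REQ.replace(b"setup.exe", b"SETUP.EXE")],
    "text in query": [b"GET http://example.test/search?q=open+.exe+file HTTP/1.0\r\n\r\n"],
}


def compare(cases=CASES):
    """Return {case: (packet filter matched?, proxy decision)}."""
    return {name: (packet_string_match(segs), proxy_decision(segs))
            for name, segs in cases.items()}


if __name__ == "__main__":
    for name, (matched, decision) in compare().items():
        print(f"{name:18} string match={matched!s:5} proxy={decision}")
```

The second and third cases are files the string match lets through, and the fourth is an unrelated request it would block, which are the two failure modes listed earlier in the thread.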