Hello all,

>which discusses this exact problem and solves it by filtering IP packets
>based on string matching. This requires netfilter and a more recent
>kernel (> 2.4.9). Another recent article is from Security Focus, found
>at http://www.securityfocus.com/infocus/1531.

I wrote this one and it was later pointed out to me by some netfilter people that it is a BAD (ok, maybe bad, not BAD ;-)) idea, since there will be hanging TCP connections on both client and server.

Here is the excerpt from the email I have received:

----------------------------------------------------------
"...it is inherently bad to do it in such a fashion. One of the many reasons is that you'll leave dead sockets open on both ends which is using up resources for both machines, including your own webserver. These dead sockets stay alive for days before they are killed."
----------------------------------------------------------

Please take this into account.

Best regards,
--
Anton A. Chuvakin, Ph.D.
http://www.chuvakin.org
http://www.info-secure.org