Hello all,

>which discusses this exact problem and solves it by filtering IP packets
>based on string matching. This requires netfilter and a more recent
>kernel (> 2.4.9). Another recent article is from Security Focus, found
>at http://www.securityfocus.com/infocus/1531.
I wrote this one and it was later pointed out to me by some netfilter
people that it is a BAD (ok, maybe bad, not BAD ;-)) idea, since there
will be hanging TCP connections on both client and server.

Here is the excerpt from the email I have received:
----------------------------------------------------------
"...it is inherently bad to do it in such a fashion. One of the many
reasons is that you'll leave dead sockets open on both ends which is using
up resources for both machines, including your own webserver. These dead
sockets stay alive for days before they are killed."
----------------------------------------------------------

Please take this into account.

Best regards,
-- 
     Anton A. Chuvakin, Ph.D.
     http://www.chuvakin.org
   http://www.info-secure.org