David,
You must first apply the string matching patch... Now, everybody take a look on it... from the 'netfilter-extensions-howto' about the --string: "Please do use this match with caution. A lot of people want to use this match to stop worms, along with the DROP target. This is a major mistake. It would be defeated by any IDS evasion method. In a similar fashion, a lot of people have been using this match as a mean to stop particular functions in HTTP like POST or GET by dropping any HTTP packet containing the string POST. Please understand that this job is better done by a filtering proxy. Additionally, any HTML content with the word POST would get dropped with the former method. This match has been designed to be able to queue to userland interesting packets for better analysis, that's all. Dropping packet based on this would be defeated by any IDS evasion method." I was encouraged to apply it to my firewall but now I'm in doubt about doing that. William David Correa wrote: > Tommaso, > > How did you do that? I have iptables v1.2.5 on a 2.4.17 > and is not working for me. I did not see the "--string" > option on iptables man page.
