how to block Kazaa?

Ondrej Sury sury.ondrej at globe.cz
Friday October 25 10:39:01 CEST 2002


Petr Janda <janda at mendelu.cz> writes:

>> 
>> Well, for one thing it would probably save a bit of bandwidth too, and
>> for another I'd be curious whether Kazaa set to port 80 also communicates
>> _FROM_ that port: then the users wouldn't download anything...
>
> I don't know, but I wouldn't underestimate Kazaa's developers. Port 80
> strikes me as an obvious attempt to get around the firewall. By the way,
> if this gets solved here, I already know where to deploy it :-)

Just a thought that crossed my mind...  and I went straight to search...
It's not exactly it, but it could be used...  (even though it says
'please don't use', that concerns worms ;-), so try the string match
from iptables patch-o-matic???

***

3.14 How do I stop worm XYZ with netfilter ?

The short answer is you cannot do that properly with netfilter. Most
worms use a legitimate high-level protocol (e.g. HTTP, SMTP (e.g. a VB
script attached to an email), or an exploit of a vulnerability found in
the daemon handling the protocol). By high-level protocol, we mean above
TCP/IP. As iptables does not understand these high-level protocols, it's
almost impossible to filter part of them out properly. For that you need
application filtering proxies.

Please do not use the string match from patch-o-matic instead of
application proxy filtering. It would be defeated any time by fragmented
packets (e.g. an HTTP request split across two TCP packets), by IDS evasion
techniques, etc... you have been warned! The string match is useful, but
for different purposes.

-- 
Ondrej Sury - CIO                   Globe Internet s.r.o. http://globe.cz/
Tel: +420(2)35365000 Fax: +420(2)35365009     Planickova 1, 162 00 Praha 6
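The FAQ quoted above says a per-packet string match is defeated by an HTTP request split across two TCP segments. The following is an added example, not code from the original post or from the netfilter FAQ, that shows the mechanism: a stateless per-segment matcher (what the patch-o-matic string match does) versus a matcher that reassembles the TCP stream first (what an application proxy or stream-aware IDS does). The match string `X-Kazaa-Username` and the HTTP request are constructed sample data and are assumptions for illustration; nothing here is captured Kazaa traffic.

```python
"""Per-packet string matching vs. stream reassembly.

Shows why a stateless string match on individual TCP segments misses a
pattern that straddles a segment boundary, while matching on the
reassembled byte stream does not. All inputs are constructed.
"""

# Assumed match string for illustration; not taken from the original post.
PATTERN = b"X-Kazaa-Username"

# Constructed sample HTTP request, not real traffic.
REQUEST = (
    b"GET /some/file.mp3 HTTP/1.1\r\n"
    b"Host: 192.0.2.10:80\r\n"
    b"X-Kazaa-Username: alice\r\n"
    b"\r\n"
)


def chunk(payload, size):
    """Split a payload into TCP-like segments of `size` bytes.

    Each segment is (sequence_offset, data), so order can be recovered
    even if segments are delivered out of order.
    """
    return [(off, payload[off:off + size]) for off in range(0, len(payload), size)]


def split_inside(payload, pattern):
    """Evasion: cut the payload in the middle of `pattern` so that no
    single segment carries the whole string. Returns two segments."""
    idx = payload.find(pattern)
    if idx < 0:
        return [(0, payload)]
    cut = idx + len(pattern) // 2
    return [(0, payload[:cut]), (cut, payload[cut:])]


def per_packet_hits(segments, pattern=PATTERN):
    """Stateless matcher: test each segment on its own, like a string
    match applied per packet. Returns the sequence offsets of segments
    that contain the full pattern."""
    return [off for off, data in segments if pattern in data]


def reassemble(segments):
    """Order segments by sequence offset and concatenate them, as a TCP
    stream reassembler in a proxy or stream-aware IDS would."""
    return b"".join(data for _, data in sorted(segments))


def stream_hit(segments, pattern=PATTERN):
    """Stream-aware matcher: search the reassembled byte stream."""
    return pattern in reassemble(segments)


if __name__ == "__main__":
    whole = chunk(REQUEST, len(REQUEST))      # one segment, no evasion
    evaded = split_inside(REQUEST, PATTERN)   # pattern straddles the cut
    tiny = chunk(REQUEST, 8)                  # many small segments

    print("single segment, per-packet hits:", per_packet_hits(whole))
    print("split mid-pattern, per-packet hits:", per_packet_hits(evaded))
    print("split mid-pattern, stream hit:", stream_hit(evaded))
    print("8-byte segments, per-packet hits:", per_packet_hits(tiny))
    print("8-byte segments reversed, stream hit:", stream_hit(list(reversed(tiny))))
```

The per-packet matcher only fires when the whole request arrives in one segment; the sender controls segmentation, so a client that splits the request (or a path MTU that forces it) slips past, while the reassembling matcher still finds the pattern even when segments arrive out of order. That is the gap between `-m string` on a packet filter and an application-layer proxy that the FAQ is describing.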

