Is it possible to block text strings with IP tables?
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Such a "feature" is sexy only on M$ Windows "firewalls".
Blocking "hotmail" would block this page too.
Such a module will have to check almost all packets for "hotmail" or "hoTMail" or "HOTmail", etc... So, be sure to set the ignore-case option, if any.
Also, packets get split on the internet.
It must be a nightmare to just imagine the potential security risks of many buffers that get later discarded, and holding it all together.
I use dansguardian, so if I wanted to block hotmail.com all I'd have to do would be to add "hotmail.com" to my bannedsitelist file - simple and effective...
If you do decide to block hotmail.com using text string matching, try just blocking it on tcp and udp ports 53 (DNS ports). Otherwise, any webpage containing the word "hotmail" will be lost. Any email containing the word "hotmail" will go down as well. In fact, if you are using POP3/IMAP and have iptables block the word "hotmail", then you will be disconnected from the mail server at that point. This would render it IMPOSSIBLE to get your email.
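As an added illustration of the two caveats in this post (what a string match on port 53 sees versus what it sees on a web page, plus the earlier point that packets get split), here is a constructed Python simulation. It is not code from the thread or from iptables; it models what a stateless per-packet string filter is given to match against. The HTTP request and the DNS query it builds are made up for the demonstration. Note that on port 53 a name travels as length-prefixed labels, so a rule string of "hotmail.com" would never match a query; "hotmail" does, but it also matches any other name that contains that label.

```python
"""Constructed simulation (not code from the thread): why a per-packet
string match for "hotmail" is unreliable on HTTP and needs care on DNS."""


def encode_qname(name: str) -> bytes:
    """Encode a DNS name in wire format (RFC 1035): each label is prefixed
    by its length and the name ends with a zero byte. No dot is ever sent."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query: 12-byte header plus one question."""
    header = (txid.to_bytes(2, "big")   # transaction id
              + b"\x01\x00"             # flags: standard query, recursion desired
              + b"\x00\x01"             # QDCOUNT = 1
              + b"\x00\x00" * 3)        # ANCOUNT, NSCOUNT, ARCOUNT = 0
    return header + encode_qname(name) + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN


def packet_matches(payload: bytes, needle: str, icase: bool = False) -> bool:
    """One packet's payload against a fixed string, as a stateless filter sees it."""
    hay, pat = payload, needle.encode("ascii")
    if icase:
        hay, pat = hay.lower(), pat.lower()
    return pat in hay


def segment(stream: bytes, size: int) -> list:
    """Chop a byte stream into fixed-size pieces, standing in for TCP segmentation."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def any_packet_matches(packets, needle: str, icase: bool = False) -> bool:
    """Stateless per-packet matching: misses a string split across two packets."""
    return any(packet_matches(p, needle, icase) for p in packets)


def reassembled_matches(packets, needle: str, icase: bool = False) -> bool:
    """Matching after stream reassembly, which a plain packet filter does not do."""
    return packet_matches(b"".join(packets), needle, icase)


# Constructed sample HTTP request; the word "hotmail" starts at byte offset 26,
# so 30-byte segments cut it into "hotm" and "ail".
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.hotmail.com\r\n\r\n"


if __name__ == "__main__":
    q = build_dns_query("hotmail.com")
    print("literal 'hotmail.com' in DNS query:", b"hotmail.com" in q)   # False
    print("label 'hotmail' in DNS query:      ", b"hotmail" in q)       # True
    split = segment(HTTP_REQUEST, 30)
    print("per-packet match (30-byte segments):", any_packet_matches(split, "hotmail"))  # False
    print("after reassembly:                   ", reassembled_matches(split, "hotmail"))  # True
    print("case-sensitive vs. icase on 'HoTMail':",
          packet_matches(b"Host: HoTMail.com", "hotmail"),              # False
          packet_matches(b"Host: HoTMail.com", "hotmail", icase=True))  # True
```

The segmentation case is the one that matters for a defender: the filter neither blocks the request nor logs anything, so the rule looks like it works in a quick test with small pages and silently fails on real traffic. A proxy that sees the full request (the dansguardian and Squid approaches discussed in this thread) does not have that gap.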
Then you need to set your firewall to block outgoing port 80 from machines in your LAN and then set the web browsers on those machines to point to your proxy server. You could also look at SquidGuard which I think is specially designed for just this type of thing.
Keep in mind the difference between this type of thing (URL filtering) and content filtering (which looks at the actual content of the page, not just the URL) using things like dansguardian.
Originally posted by Matir: Why do you need reverse dns?
So that when you block a domain by using its DNS name the person will also be blocked from accessing that server by using its IP address... dansguardian does this, but I want to know if squid can do this on its own when you acl a DNS URL...
Originally posted by Matir: That would be normal dns, not reverse, and I don't believe that would work. You'd need to block the IP as well.
No, it's reverse DNS... you tell the software to block "domain.com"... the software would perform a reverse DNS query for any IP-based URL it receives... so if a user inputs an IP address in the browser, the software would do a reverse lookup on the IP and if it matches the domain that was specified it would block it...
You can't specify the IPs in all situations because you don't know what the IP is gonna be tomorrow (for example), or if the user will be routed to another IP, or if the domain has a million different IPs (like Google) or whatever... it's much simpler and more effective to simply block the domain and have the software take care of reverse DNS checks...
dansguardian does this, I just want to know if squid can do this on its own... anybody??
Originally posted by Matir: Even reverse dns is not 100% reliable, as one IP can have a dozen hostnames, which can have CNAMES, etc.
That's beside the point... I just wanted to know if squid could do it... I took a look at the squid.conf.default file and it looks like it can:
Code:
# acl aclname srcdomain .foo.com ... # reverse lookup, client IP
# acl aclname dstdomain .foo.com ... # Destination server from URL
# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
# acl aclname dstdom_regex [-i] xxx ... # regex matching server
# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
# # based URL is used and no match is found. The name "none" is used
# # if the reverse lookup fails.
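To make the quoted squid.conf comment concrete, and to show where Matir's caveat about one IP carrying many hostnames bites, here is a constructed Python model of the dstdomain lookup order. It is added to this thread and is not Squid's own code; the PTR table, the 203.0.113.x addresses and the .example names are made-up stand-ins for a real resolver.

```python
"""Constructed model (not Squid's code) of the dstdomain ACL behaviour quoted
above: match the URL's host against domain patterns, and for an IP-based URL
try a reverse lookup when the address itself does not match."""
import ipaddress
from urllib.parse import urlsplit

# Constructed PTR records standing in for real DNS (203.0.113.0/24 is a
# documentation range and .example is a reserved TLD; none of this is real).
PTR_TABLE = {
    "203.0.113.10": "mail.hotmail.example",
    "203.0.113.20": "edge.shared-cdn.example",  # shared host that also serves hotmail.example
}


def reverse_lookup(ip: str) -> str:
    """Return the PTR name for an address, or "none" when the lookup fails,
    mirroring the quoted squid.conf comment."""
    return PTR_TABLE.get(ip, "none")


def is_ip_literal(host: str) -> bool:
    """True when the URL host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, pattern: str) -> bool:
    """dstdomain semantics: a leading dot matches the domain and all of its
    subdomains; without it only the exact name matches."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern


def acl_dstdomain_matches(url: str, patterns) -> bool:
    """Decide whether a request URL hits a dstdomain ACL with the given patterns."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if any(domain_matches(host, p) for p in patterns):
        return True
    if is_ip_literal(host):
        # The fallback the comment describes: reverse-lookup the IP and retry.
        name = reverse_lookup(host)
        return name != "none" and any(domain_matches(name, p) for p in patterns)
    return False


BLOCKED = [".hotmail.example"]

if __name__ == "__main__":
    for url in ("http://www.hotmail.example/", "http://203.0.113.10/inbox",
                "http://203.0.113.20/", "http://203.0.113.99/",
                "http://nothotmail.example/"):
        print(f"{url:32} blocked={acl_dstdomain_matches(url, BLOCKED)}")
```

Two things the model makes visible: the reverse lookup only helps when the PTR record happens to name the blocked domain, so a shared host whose PTR says edge.shared-cdn.example is allowed through; and a failed lookup yields "none", which matches nothing, so the request is allowed rather than denied. Blocking by name therefore needs to be paired with a policy for IP-literal URLs (deny them outright, or log them for review) if it has to hold up against a user who tries the address instead of the name.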