Linode Forum
PostPosted: Wed Aug 25, 2004 4:58 pm 
Junior Member

Joined: Wed Jan 14, 2004 9:55 am
Posts: 44
Well, I'm trying to filter based on certain strings in packets and I can't get it to work, which led me to sites suggesting I need to recompile my kernel with a few options (netfilter etc.).

My main question then is more along the lines of how you do this on a Linode.

I have compiled countless kernels from scratch, but I do not know what would be needed on the Linode. I have not messed with my kernel, and I think you guys use some special kernels; I wouldn't want to disable anything important.

The distro is Gentoo, so how would I go about building a kernel for this box with netfilter?

Or maybe someone knows how I can do this without recompiling the kernel? Thanks!


PostPosted: Wed Aug 25, 2004 5:19 pm 
Senior Member

Joined: Mon Jun 23, 2003 1:25 pm
Posts: 260
On Linode you cannot run your own kernel.

Adam


PostPosted: Wed Aug 25, 2004 5:21 pm 
Linode Staff

Joined: Tue Apr 15, 2003 6:24 pm
Posts: 3090
Website: http://www.linode.com/
Location: Galloway, NJ
Most, if not ALL, of the netfilter options are enabled inside the kernel config, except for those labelled experimental.

http://www.linode.com/forums/viewtopic.php?t=1006

Can you tell me which .config options you need specifically?

-Chris


PostPosted: Thu Aug 26, 2004 8:34 am 
Junior Member

Joined: Wed Jan 14, 2004 9:55 am
Posts: 44
Hmm, I did a bit of research and it looks like netfilter has patches for the kernel source that you need to patch in for some of these options.

Specifically it is:

CONFIG_IP_NF_MATCH_STRING, which allows you to match a string in a whole packet.

Referenced at:
http://www.knowplace.org/netfilter/ipt_compile.html#ip2

Not sure if this is doable with the linode kernels but I would really like to find a way to drop packets based on strings in their payload.


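One way to answer Chris's question from the running Linode without rebuilding anything, as an added example that is not part of the thread: read the kernel's build configuration (from /proc/config.gz or /boot/config-<release>, whichever the kernel exposes) and report each netfilter symbol as built-in, module, disabled or absent. CONFIG_IP_NF_MATCH_STRING is the patch-o-matic-era symbol named in the thread; in mainline kernels the same match later became CONFIG_NETFILTER_XT_MATCH_STRING, driven from iptables with `-m string --algo bm --string "..."`. The function names and the sample config text are this example's own, and the sample is constructed.

```python
"""Report whether the running kernel enables given netfilter options.

Added example, not from the forum thread. Parses the Kconfig ".config"
format that /proc/config.gz and /boot/config-<release> use:
    CONFIG_FOO=y             built in
    CONFIG_FOO=m             built as a module
    # CONFIG_FOO is not set  disabled
    CONFIG_FOO="string"      a value
A symbol that never appears at all is reported as "absent", which is what
you see for options that only exist after a source patch (patch-o-matic).
"""
import gzip
import os
import platform
import re
from typing import Dict, Iterable, Optional

_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

# Symbols worth checking for the thread's problem. CONFIG_IP_NF_MATCH_STRING
# is the 2004 patch-o-matic name; CONFIG_NETFILTER_XT_MATCH_STRING is the
# mainline name for the same match. Assumption: a given kernel has one or
# the other, so both are listed.
NETFILTER_SYMBOLS = (
    "CONFIG_NETFILTER",
    "CONFIG_IP_NF_IPTABLES",
    "CONFIG_IP_NF_FILTER",
    "CONFIG_IP_NF_MATCH_STRING",
    "CONFIG_NETFILTER_XT_MATCH_STRING",
)


def parse_kernel_config(text: str) -> Dict[str, str]:
    """Map CONFIG_* symbol -> 'y', 'm', 'n' or its (unquoted) value."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET_RE.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def option_state(cfg: Dict[str, str], symbol: str) -> str:
    """Human-readable state for one symbol."""
    value = cfg.get(symbol)
    if value is None:
        return "absent"
    return {"y": "built-in", "m": "module", "n": "disabled"}.get(value, f"value={value}")


def report(cfg: Dict[str, str], symbols: Iterable[str] = NETFILTER_SYMBOLS) -> Dict[str, str]:
    """State of every requested symbol."""
    return {s: option_state(cfg, s) for s in symbols}


def load_running_config() -> Optional[str]:
    """Return the running kernel's .config text, or None if the kernel does
    not expose it (needs CONFIG_IKCONFIG_PROC for /proc/config.gz, or a
    distro that installs /boot/config-<release>)."""
    gz = "/proc/config.gz"
    if os.path.exists(gz):
        with gzip.open(gz, "rt") as fh:
            return fh.read()
    plain = f"/boot/config-{platform.release()}"
    if os.path.exists(plain):
        with open(plain) as fh:
            return fh.read()
    return None


# Constructed sample: iptables built as modules, no string match available.
SAMPLE_CONFIG = """\
# Automatically generated make config: don't edit
CONFIG_LOCALVERSION="-linode"
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_MATCH_STRING is not set
"""


if __name__ == "__main__":
    text = load_running_config() or SAMPLE_CONFIG
    for symbol, state in report(parse_kernel_config(text)).items():
        print(f"{symbol:40} {state}")
```

Run it on the box in question; if the string match comes back "absent" rather than "disabled", the running kernel was never built from a source tree that had the patch, and no amount of module loading will add it.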
PostPosted: Thu Aug 26, 2004 6:12 pm 
Senior Member

Joined: Sun Nov 30, 2003 2:28 pm
Posts: 245
Crisis wrote:
...I would really like to find a way to drop packets based on strings in their payload.


No, you wouldn't. It's unreliable, because it only looks at a packet at a time, and there's no guarantee that the dangerous string "foobar" won't be split across two packets. It can happen accidentally, and the cracker can force it.

What you want is a proxy firewall, where you can look at the actual data stream, and parse it properly.

_________________
The irony is that Bill Gates claims to be making a stable operating system and Linus Torvalds claims to be trying to take over the world.
-- seen on the net


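The split the previous post describes, as an added example that is not part of the thread: the byte strings below are constructed stand-ins for TCP segment payloads, `per_packet_match` behaves like a netfilter string match that sees one segment at a time, and `stream_match` / `StreamMatcher` behave like a proxy that has the reassembled connection. It also shows the accidental case (an ordinary segment boundary landing inside the string) next to the deliberate one. The function and class names are this example's own.

```python
"""Per-packet string matching versus stream-aware matching.

Added example, not from the forum thread. Segments are constructed byte
strings standing in for TCP payloads; no real packets are involved.
"""
from typing import Dict, List

NEEDLE = b"foobar"
# Constructed request carrying the string we want to block.
REQUEST = b"GET /cgi-bin/x?q=foobar HTTP/1.0\r\n\r\n"


def per_packet_match(segments: List[bytes], needle: bytes = NEEDLE) -> bool:
    """What a packet-level string match does: inspect each segment alone."""
    return any(needle in seg for seg in segments)


def stream_match(segments: List[bytes], needle: bytes = NEEDLE) -> bool:
    """What a proxy can do: reassemble the connection, then search."""
    return needle in b"".join(segments)


def chunk(data: bytes, size: int) -> List[bytes]:
    """Segment a payload the way a small MSS would; the split is accidental."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def split_to_evade(payload: bytes, needle: bytes = NEEDLE) -> List[bytes]:
    """The attacker's version: cut the payload inside the needle so that no
    single segment carries it. Two small writes on the socket are enough."""
    idx = payload.find(needle)
    if idx < 0:
        return [payload]
    cut = idx + len(needle) // 2
    return [payload[:cut], payload[cut:]]


class StreamMatcher:
    """Per-connection matcher that keeps only the last len(needle)-1 bytes,
    so a needle straddling a segment boundary is still seen without
    buffering the whole stream. Assumes in-order delivery, which a proxy
    gets from the host TCP stack."""

    def __init__(self, needle: bytes):
        self.needle = needle
        self.tail = b""
        self.hit = False

    def feed(self, segment: bytes) -> bool:
        window = self.tail + segment
        if self.needle in window:
            self.hit = True
        keep = len(self.needle) - 1
        self.tail = window[-keep:] if keep > 0 else b""
        return self.hit


def compare(segments: List[bytes]) -> Dict[str, bool]:
    """Run all three checks on one segmentation of the request."""
    m = StreamMatcher(NEEDLE)
    for seg in segments:
        m.feed(seg)
    return {
        "per_packet": per_packet_match(segments),
        "stream": stream_match(segments),
        "stream_matcher": m.hit,
    }


if __name__ == "__main__":
    for label, segs in (
        ("single segment", [REQUEST]),
        ("accidental split (10-byte segments)", chunk(REQUEST, 10)),
        ("deliberate split", split_to_evade(REQUEST)),
    ):
        print(f"{label:38} {compare(segs)}")
```

The per-packet check passes the single-segment case and fails both split cases; the two stream-aware checks catch all three. The point of `StreamMatcher` is that the fix is not "buffer everything" but "keep per-connection state", which is exactly what a packet filter rule has no place to put.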
PostPosted: Fri Aug 27, 2004 8:27 am 
Junior Member

Joined: Wed Jan 14, 2004 9:55 am
Posts: 44
Well for now I achieved what I was trying to do on the application layer, but what would you recommend for a proxy firewall?


PostPosted: Sun Aug 29, 2004 10:19 am 
Senior Member

Joined: Sun Nov 30, 2003 2:28 pm
Posts: 245
Hmmm, I'm not sure there are any free proxy firewalls that can do reject based on the contents of the data stream. Probably you can write add-ins for SOCKS to do it. But if you've solved your problem at the application layer, then you're done: proxy firewalls *are* at the application layer.



PostPosted: Mon Aug 30, 2004 10:03 am 
Junior Member

Joined: Wed Jan 14, 2004 9:55 am
Posts: 44
OK, thanks for the response ;)

I figured the application layer would be the easiest place to do it, but I thought it might be interesting to learn how to do it a bit lower down with a firewall.

