Hi, BLeonhardt@analytek.de wrote:
I'm still looking for a rule to block packets content based with ip-tables. ( I understood this "is" stateful inspection )
deep buried in the back of my head i have the opinion that filtering packets based on content with iptables is one of the "don'ts". e.g.:
http://lists.shorewall.net/pipermail/shorewall-users/2003-January/004782.htm...

if you want to filter based on content string, you will need the strings patch for iptables:
http://www.netfilter.org/documentation/pomlist/pom-extra.html#string

still i suggest that you don't do this with iptables. you could use a tcp proxy with filtering capabilities for this and i'm also quite sure snort could also handle this for you.

imho the best solution is to use the suggesting filtering capabilities of MTAs like postfix. If you don't want to play around on your running mailserver, you could redirect mail traffic over to a second new MTA host that does nothing more than filtering out sobig and passing the rest of the mail to your real mailserver.

peace,
Tom
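Added example, not part of the message above: a small Python comparison of a per-packet string match with a filter that works on the reassembled byte stream, which is the position a TCP proxy or a filtering MTA is in. The signature string, the sample SMTP bytes and all function names are constructed for illustration, and the assumption that the string match inspects each packet payload in isolation is the editor's, not stated in the message.

```python
# Constructed stand-in for a content signature; not a real worm indicator.
MARKER = b"X-Example-Marker: blockme"

# Constructed SMTP conversation fragment carrying the marker.
MESSAGE = (b"MAIL FROM:<a@example.org>\r\nDATA\r\nSubject: test\r\n"
           + MARKER + b"\r\n\r\nbody\r\n.\r\n")


def segment(data, size):
    """Split a byte stream into payloads of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def per_packet_match(packets, pattern):
    """Per-packet view: every payload is searched on its own."""
    return any(pattern in p for p in packets)


class StreamFilter:
    """Stream view: keeps the last len(pattern)-1 bytes between chunks,
    so a pattern that straddles a chunk boundary is still found."""

    def __init__(self, pattern):
        self.pattern = pattern
        self.tail = b""
        self.hit = False

    def feed(self, chunk):
        window = self.tail + chunk
        if self.pattern in window:
            self.hit = True
        keep = len(self.pattern) - 1
        self.tail = window[-keep:] if keep else b""
        return self.hit


def stream_match(packets, pattern):
    """Feed all payloads in order through a StreamFilter."""
    f = StreamFilter(pattern)
    for p in packets:
        f.feed(p)
    return f.hit


if __name__ == "__main__":
    for size in (1460, 16):
        pkts = segment(MESSAGE, size)
        print(size, per_packet_match(pkts, MARKER), stream_match(pkts, MARKER))
```

With payloads shorter than the signature, the per-packet check never sees the whole string, while the stream filter still does.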