pf by content?

[phyro]

i was just wondering if its possible to have a pf rule to filter on text content

why?

i have a dayz server that runs remotely, it seems every script kitten in the world is bent in injecting the database full of crap to cheat.

as you cant run a public hive on a local machine and still be apart of the community my solution is to move the mysql database to a local machine.

so i wanted to find some way to drop any request that has a #! or similar script id?

not sure if its possible but tia

[J65nko]

No, pf cannot filter on text content. That would be what is called deep inspection.
If the script kiddies mess around with the webserver you would need an application firewall like mod_security

See http://en.wikipedia.org/wiki/Firewall_%28computing%29 for information about the OSI levels a packet filter operates.

[Carpetsmoker]

We use Varnish.

In our vcl_recv

Code:

  if (
    req.url ~ "(?i)^/(\?mod=|site.php\?a=|index\.php\?option=com_simpledownload|\?(page|file)=\.\.)" ||
    req.url ~ "(?i)(awstats|phpthumb|phpmyadmin|phpalbum|main.php\?cmd=setquality)" ||
    req.url ~ "\.\./\.\./\.\./\.\./\.\./\.\." ||
    req.url ~ "(?i)^/(phorum|cgi-bin|nucleus|dotproject|yappa-ng|PHPNews|_conf|mwchat|Sources|GradeMap)/"
  ) {
    error 404 "Not found";
  }

Simple, but quite effective. We used to get hammered to the point where the webserver were unresponsive, this instantly solved all those problems.