Quoth Guy Cohen:

> yes, but why netfilter transfers the connection to apache in the first
> place?
Do it manually ;-)...

---cuttez---dicez---removez---slicez---ambutez---choppez---
telnet foo.bar.com 80
GET /
GET /zumbu.html
GET /root.exe/uweriwurhiwu?39804759834579suhfksdfhksjdf/389457983457w4rklsdj
GET /
GET /zumbu.html
---cuttez---dicez---removez---slicez---ambutez---choppez---

Of the above, ONE is a connexion, FOUR are legal requests and ONE is an attack. Six "transactions" in all.

What should netfilter do? Scrap ALL six? Scrap only one? It does not know in advance that a legal connexion to port 80 is going to be followed by an attack...

So - the connexion IS established, the DATA in the subsequent data stream gets dropped by netfilter. So - a LEGAL, WORKING connexion is kept idle, until apache junks it.

Nothing to do with netfilter, per se.

M
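A toy model of the situation M describes, added here as an illustration and not part of the thread. The session replayed is the one from the post; the regex standing in for a content rule, the function names, and the alternative of answering the matching segment with a TCP reset (which the post does not discuss) are all assumptions of this example. It shows why a silent DROP leaves the connexion up and idle: TCP delivers in order, so everything behind the dropped segment is held and never reaches apache.

```python
import re

# Constructed sample: the six "transactions" from the post, in order.
SESSION = [
    ("connect", "foo.bar.com:80"),
    ("request", "GET /"),
    ("request", "GET /zumbu.html"),
    ("request", "GET /root.exe/uweriwurhiwu?39804759834579suhfksdfhksjdf/389457983457w4rklsdj"),
    ("request", "GET /"),
    ("request", "GET /zumbu.html"),
]

# Hypothetical content rule standing in for whatever signature the filter uses.
ATTACK_RE = re.compile(r"/root\.exe\b")


def classify(session):
    """Count connexions, legal requests and attacks, as a human reading the
    whole session after the fact would."""
    connexions = sum(1 for kind, _ in session if kind == "connect")
    attacks = sum(1 for kind, p in session if kind == "request" and ATTACK_RE.search(p))
    legal = sum(1 for kind, _ in session if kind == "request") - attacks
    return connexions, legal, attacks


def filter_session(session, action="DROP"):
    """Replay the session through a packet filter that only sees one
    segment at a time. Returns the conntrack state and each request's fate."""
    state, stalled = "NONE", False
    fate = {"delivered": [], "dropped": [], "held": [], "refused": []}
    for kind, payload in session:
        if kind == "connect":
            # The handshake carries no request, so there is nothing to match:
            # the connexion is accepted and tracked like any other.
            state = "ESTABLISHED"
        elif state != "ESTABLISHED":
            fate["refused"].append(payload)   # reset already sent; socket is dead
        elif stalled:
            # In-order delivery: data behind the dropped segment sits in the
            # receive buffer and never reaches apache, which sees an idle client.
            fate["held"].append(payload)
        elif ATTACK_RE.search(payload):
            fate["dropped"].append(payload)
            if action == "REJECT":
                state = "RESET"               # tcp-reset tears the connexion down
            else:
                stalled = True                # DROP: silent gap, connexion stays up
        else:
            fate["delivered"].append(payload)
    return state, fate
```

With DROP the conntrack entry stays ESTABLISHED and the two legal requests after the attack are held forever; with REJECT the entry is gone at once and those requests fail immediately instead of hanging.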