> I've got the pom, and it's displayed correctly under "menuconfig" during
> kernel-config.
> I'm making a new kernel right now.

Remember to compile the userspace part: iptables, too.

> This is not an attempt to stop any hacking. I've just wanted to stop
> apache log from getting this.

Anyway the FAQ entry is about netfilter not being the best tool for it, as it is a packet filter, not a content filter. E.g. it will let through fragmented http requests with nimda and friends. Squid would be better for that as it operates on an application layer. It is just a reminder.

Oh, and I believe it is better to reject with tcp-reset than drop if you are using the string match. This will make the connecting host bugger off faster and will avoid retransmissions (and log clutter too).

Maciej
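
The packet-filter versus content-filter point above, as an added example that is not part of the original message: a small Python simulation comparing a per-packet substring match with a match over the reassembled stream, which is the view an application-layer proxy has. The pattern, the request and all function names are constructed for illustration and are not netfilter or Squid code.

```python
from typing import List

# Constructed placeholder pattern and requests (not taken from any real worm).
SIGNATURE = b"/blocked-path"
REQUEST = b"GET /blocked-path?x=1 HTTP/1.0\r\n\r\n"
BENIGN = b"GET /index.html HTTP/1.0\r\n\r\n"


def split_payload(payload: bytes, size: int) -> List[bytes]:
    """Split one request into consecutive segment payloads of at most `size` bytes."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


def per_packet_match(segments: List[bytes], signature: bytes) -> bool:
    """Packet-filter view: every payload is inspected in isolation."""
    return any(signature in seg for seg in segments)


class StreamMatcher:
    """Application-layer view: carries the last len(signature)-1 bytes
    forward so a pattern that spans two or more segments is still found."""

    def __init__(self, signature: bytes) -> None:
        self.signature = signature
        self.tail = b""

    def feed(self, segment: bytes) -> bool:
        window = self.tail + segment
        hit = self.signature in window
        keep = len(self.signature) - 1
        self.tail = window[-keep:] if keep else b""
        return hit


def stream_match(segments: List[bytes], signature: bytes) -> bool:
    """Feed the segments in order and report whether the pattern appeared."""
    matcher = StreamMatcher(signature)
    return any([matcher.feed(seg) for seg in segments])


if __name__ == "__main__":
    small = split_payload(REQUEST, 8)  # segments shorter than the pattern
    print("whole request, per-packet :", per_packet_match([REQUEST], SIGNATURE))
    print("8-byte segments, per-packet:", per_packet_match(small, SIGNATURE))
    print("8-byte segments, stream    :", stream_match(small, SIGNATURE))
```
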