Thread: pf filtering
#2
19th March 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Originally Posted by phyro
Hi,

Just wanted to find out if anyone can help me figure something out...

I'm under the understanding that a Linux system using its ipchains rule sets cannot tell the difference between traffic on its ports?

whereas OpenBSD's PF can.
I'm not sure what you are stating here regarding your understanding. PF conducts layer 3 (IP and its protocols) inspection, stateful processing, and filtering... and for bridge(4) interfaces only, can filter layer 2 Ethernet frames by MAC address. For some protocols, additional filtration is possible, such as with TCP and UDP protocols, PF can filter by sending or receiving port numbers.

Keep in mind, PF does not inspect data payloads, only the suite of IP protocols and their packet headers.
Quote:
Let's suppose every port is nailed down tight on a Linux system, except port 80.
Someone with know-how could possibly use SSH over port 80 and send files via a secure copy to a foreign server using encryption over an open (or any) port, punching right through a firewall.

Would PF provide any better protection against that?
If I understand what you are asking, the general answer is "No." Keep in mind:
SSH traffic uses the TCP protocol. PF does not inspect the data in the TCP packets, only the headers and behavior. So, if your PF rules permit outgoing TCP traffic to any address with a TCP destination port 80, PF will permit that traffic.

My customer's network at my $DAYJOB does not permit Internet access except via proxy servers for any platform outside its DMZs. Those proxy servers require URLs and a limited set of communication protocols -- http, https, and ftp -- with inspection of those URLs for approved/restricted content.

Could even that be circumvented? Sure. I haven't tried, as I want to keep my $DAYJOB, but there are tools that can "tunnel" SSH sessions over HTTPS, such as security/corkscrew.

Quote:
The other question I had was if anyone knew of a resource that provides a good comparison between the capabilities and shortcomings of a Linux-based system vs. OpenBSD's PF? (Everything I found was out of date.)
All of the firewall tools in active development are going to be moving targets.

It may be heresy to suggest this ... but I recommend using a toolset that you can understand and are comfortable using, and that you can test to ensure it is working as you intended, whether that's a Linux-based solution or not. Having a manageable, tested, and functioning solution is more important than the specific technology or the underlying OS. If it's configured properly, that tool should be able to provide better control, security, and management facilities than an off-the-shelf SOHO NAT router or embedded "firewall" product.

Personally, I prefer PF.
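To make the two policies the reply contrasts concrete, here is a constructed pf.conf fragment (added as an illustration; it is not from the post or from the OpenBSD project): the header-only rule that passes anything addressed to TCP port 80, and a proxy-only egress policy that logs every blocked direct connection. Interface names, addresses and the proxy port are assumptions.

```pf
# Constructed example for an OpenBSD gateway with three interfaces (assumed names).
ext_if  = "em0"             # Internet
int_if  = "em1"             # LAN
dmz_if  = "em2"             # DMZ holding the proxy
lan_net = "192.168.1.0/24"
proxy   = "10.0.0.5"        # assumed address of the egress proxy
proxy_port = "3128"         # assumed listening port of the proxy

set skip on lo

# --- Weak policy (commented out) ---------------------------------------
# PF matches only IP/TCP headers, so an SSH session whose destination port
# is 80 matches this rule exactly like a web request and is passed.
# block all
# pass out on $ext_if proto tcp from $lan_net to any port 80

# --- Proxy-only egress policy ------------------------------------------
# Nothing leaves the site directly; "log" records each attempt on pflog0,
# which is how hosts trying to tunnel straight out on port 80 show up.
block log all

# LAN hosts may reach the proxy, and only the proxy.
pass in  on $int_if proto tcp from $lan_net to $proxy port $proxy_port
pass out on $dmz_if proto tcp from $lan_net to $proxy port $proxy_port

# The proxy alone may leave, and only for the protocols it is meant to relay.
# (Active-mode FTP additionally needs ftp-proxy(8); not shown here.)
pass in  on $dmz_if proto tcp from $proxy to any port { 80 443 21 }
pass out on $ext_if proto tcp from $proxy to any port { 80 443 21 }

# PF still does not inspect payloads: SSH tunnelled through the proxy over
# HTTPS (the corkscrew case in the reply) must be caught by the proxy's own
# URL/protocol checks, not by these rules.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch blocked egress attempts with `tcpdump -n -e -ttt -i pflog0`.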