#9, 13th January 2010
jggimi (Join Date: May 2008; Location: USA; Posts: 7,977)

Taking your quotes out of order:
Quote:
...I am quite new to this, by the way...
I can tell. Don't worry, though, we were all newbies to TCP/IP networking, once.
Quote:
Can I just add the following:
block in on $if_internal inet proto tcp from "192.168.0.1/24" to "rapidshare.com"
block out on $if_external inet proto tcp from "192.168.0.1/24" to "rapidshare.com"
You can add any rule with valid syntax to PF. But will the rule do what you want?

If "rapidshare.com" is in /etc/hosts as 127.0.0.1, and your /etc/resolv.conf has "lookup file bind", then when these two rules are loaded, PF will block TCP traffic originating from 192.168.0.1/24 destined to 127.0.0.1. I don't think that is what you intend.

If "rapidshare.com" is -not- in /etc/hosts, and /etc/resolv.conf resolves via an available DNS server, then the address resolution for "rapidshare.com" -at that time- will be blocked. Only for the individually resolving addresses from that one name, at the instant the rules are loaded. This will NOT block addresses of any other servers within Rapidshare's domain, such as rsdb.rapidshare.com or mail2.rapidshare.com. Nor are you blocking any other protocol traffic, just TCP. And only outbound initiated, not inbound. Your rule for $if_external will never match any traffic.
Quote:
My OpenBSD is not acting as a DNS server
Even if you set up a local DNS server that resolved all DNS names within *.rapidshare.com to a useless address, this will not prevent users from configuring external DNS resolution. If you block outbound DNS, your users can still get around that. And they can even get around your blocking the destination addresses in PF rules, merely by using an external webproxy service, including ones they may set up themselves, such as via SSH port forwarding. There are myriad ways to get around anything you devise.

Quote:
I can also block the whole rapidshare.com IP range (for savvy users :P)
Really? They are on multiple CIDRs in multiple locations around the world. You are thinking of the 21 IP addresses reflected by the single domain name "rapidshare.com", which is not, by any stretch of the imagination, their entire Internet-facing environment.
Quote:
If I wanted to do that, I thought I had to make my OpenBSD also run the DHCP service to set the primary DNS server as itself (to the clients connecting to it). Then it would just forward all DNS requests to the real DNS server it got provided by the router, but 'filtering' the rapidshare.com zone...
All DHCP does is make IP configuration assignments based upon a ruleset, such as assigning IP address, netmask, routing information, and preferred DNS server. You would still need to create your local DNS server(s), which I as a user am free to ignore. That is because DHCP is merely -negotiation- and the client can ignore any or all of the lease information. I, if I were a user of your systems, can still point to my own DNS servers. And I can tunnel DNS elsewhere if you block outbound DNS traffic, if necessary.
Quote:
OK, I reread this post & manuals several times, so this is my idea of what you are saying...
None of that will stop a determined user. Now, I have a 35-year head start on you in regards to TCP/IP. And if I didn't, I could still ask the 14-year-old script kiddie on some other forum for help getting around any blocks you devise. In this most recent example in your last post all I need to do is use my own DNS servers, and if you block the 21 addresses for "rapidshare.com", just use an external proxy. It will take me perhaps two minutes to set up, even on a Windows workstation.
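The load-time hostname expansion jggimi describes, as an added example that is not part of the post: a small Python model of how a rule naming "rapidshare.com" is turned into address-specific rules when the ruleset is loaded. The /etc/hosts and DNS contents are constructed (203.0.113.0/24 is a documentation range, not Rapidshare's addresses), and the model only covers the single-address, single-protocol matching the post discusses.

```python
import ipaddress

# Constructed stand-ins for /etc/hosts and an external DNS server.
HOSTS_FILE = {"rapidshare.com": ["127.0.0.1"]}
DNS_SERVER = {
    "rapidshare.com": ["203.0.113.10", "203.0.113.11"],
    "rsdb.rapidshare.com": ["203.0.113.50"],
}

def resolve(name, lookup_order, hosts, dns):
    """Mimic the resolv.conf 'lookup' order: the first source that knows the name wins,
    so 'file bind' returns the /etc/hosts entry before DNS is ever asked."""
    sources = {"file": hosts, "bind": dns}
    for source in lookup_order:
        if name in sources[source]:
            return list(sources[source][name])
    raise LookupError(f"cannot resolve {name}")  # pfctl would refuse to load the rule

def load_rule(proto, src_net, dst_name, lookup_order, hosts, dns):
    """Expand one 'block ... proto X from src_net to dst_name' rule at load time.
    The hostname is resolved once, now, and the resulting addresses are frozen into
    the loaded ruleset; later DNS changes do not touch these rules.
    strict=False normalises 192.168.0.1/24 to the 192.168.0.0/24 network."""
    net = ipaddress.ip_network(src_net, strict=False)
    return [(proto, net, ipaddress.ip_address(a))
            for a in resolve(dst_name, lookup_order, hosts, dns)]

def is_blocked(loaded_rules, proto, src, dst):
    """Does any loaded (protocol, source net, destination address) rule match this packet?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(p == proto and s in net and d == addr for p, net, addr in loaded_rules)

if __name__ == "__main__":
    lan = "192.168.0.1/24"
    # With the hosts entry and "lookup file bind", the rule only ever blocks 127.0.0.1.
    print(load_rule("tcp", lan, "rapidshare.com", ["file", "bind"], HOSTS_FILE, DNS_SERVER))
    # Without the hosts entry, the rule blocks the addresses DNS returned at load time.
    rules = load_rule("tcp", lan, "rapidshare.com", ["file", "bind"], {}, DNS_SERVER)
    print(is_blocked(rules, "tcp", "192.168.0.20", "203.0.113.10"))  # True
    print(is_blocked(rules, "tcp", "192.168.0.20", "203.0.113.50"))  # False: rsdb.rapidshare.com
    print(is_blocked(rules, "udp", "192.168.0.20", "203.0.113.10"))  # False: rule is TCP only
    DNS_SERVER["rapidshare.com"].append("203.0.113.12")               # DNS changes after load
    print(is_blocked(rules, "tcp", "192.168.0.20", "203.0.113.12"))  # False: rules were frozen
```

On a real OpenBSD box the equivalent check is `pfctl -nvf /etc/pf.conf` or `pfctl -sr` after loading, which prints the expanded, address-literal rules rather than the hostname.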