DaemonForums > OpenBSD > OpenBSD Security

Block IDM-DAP-P2P

#1, 5th February 2010
mohammadreza (New User, Join Date: Feb 2010, Posts: 2)

Hi to all,

Please help me with blocking:
IDM: Internet Download Manager
DAP: Download Accelerator
FlashGet, Get Bot
eMule, Elephant, Kazaa and software like these.
Of course my problem is only with download managers and I want to block them. Is it possible or not? If it is, maybe somebody can help me with some rules.

Thanks a lot
#2, 5th February 2010
J65nko (Administrator, Join Date: May 2008, Location: Budel - the Netherlands, Posts: 4,125)

This is a simple pf.conf to block everything, except the ports mentioned in the TCPservices and UDPservices definitions.

Code:
EXT=re0

TCPservices = "{ www https domain }"
UDPservices = "{ domain }"

set skip on lo0

block log all

pass out quick on $EXT inet proto tcp from any to any port $TCPservices
pass out quick on $EXT inet proto udp from any to any port $UDPservices
This will load as
Code:
# pfctl -vvnf block-all.pf
EXT = "re0"
TCPservices = "{ www https domain }"
UDPservices = "{ domain }"
set skip on { lo0 }
@0 block drop log all
@1 pass out quick on re0 inet proto tcp from any to any port = www flags S/SA keep state
@2 pass out quick on re0 inet proto tcp from any to any port = https flags S/SA keep state
@3 pass out quick on re0 inet proto tcp from any to any port = domain flags S/SA keep state
@4 pass out quick on re0 inet proto udp from any to any port = domain keep state
EDIT: This is of course for a box with a single network interface, but I hope you get the idea.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3, 5th February 2010
mohammadreza (New User, Join Date: Feb 2010, Posts: 2)

Quote: Originally Posted by J65nko
This is a simple pf.conf to block everything, except the ports mentioned in the TCPservices and UDPservices definitions.

Code:
EXT=re0

TCPservices = "{ www https domain }"
UDPservices = "{ domain }"

set skip on lo0

block log all

pass out quick on $EXT inet proto tcp from any to any port $TCPservices
pass out quick on $EXT inet proto udp from any to any port $UDPservices
This will load as
Code:
# pfctl -vvnf block-all.pf
EXT = "re0"
TCPservices = "{ www https domain }"
UDPservices = "{ domain }"
set skip on { lo0 }
@0 block drop log all
@1 pass out quick on re0 inet proto tcp from any to any port = www flags S/SA keep state
@2 pass out quick on re0 inet proto tcp from any to any port = https flags S/SA keep state
@3 pass out quick on re0 inet proto tcp from any to any port = domain flags S/SA keep state
@4 pass out quick on re0 inet proto udp from any to any port = domain keep state
EDIT: This is of course for a box with a single network interface, but I hope you get the idea

Thanks for your answer, but as you know IDM and some Internet download managers and accelerators use port 80 (www) for downloading, and if we open this port with your config we cannot block it?

What do I have to do? And of course IDM uses simultaneous connections, maybe 8 or even higher than this number, for getting or downloading software; therefore we cannot block them with this config:

Code:
EXT=re0

TCPservices = "{ www https domain }"
UDPservices = "{ domain }"

set skip on lo0

block log all

pass out quick on $EXT inet proto tcp from any to any port $TCPservices
pass out quick on $EXT inet proto udp from any to any port $UDPservices
#4, 5th February 2010
J65nko (Administrator, Join Date: May 2008, Location: Budel - the Netherlands, Posts: 4,125)

I don't know any of those download managers; the only download manager I know is ftp, and that is blocked by this pf.conf.

So it is time to print out and study the pf.conf man page. The following should give you a start.
Code:
   For stateful TCP connections, limits on established connections (connec-
     tions which have completed the TCP 3-way handshake) can also be enforced
     per source IP.

     max-src-conn <number>
           Limits the maximum number of simultaneous TCP connections which
           have completed the 3-way handshake that a single host can make.
     max-src-conn-rate <number> / <seconds>
           Limit the rate of new connections over a time interval.  The con-
           nection rate is an approximation calculated as a moving average.

     Because the 3-way handshake ensures that the source address is not being
     spoofed, more aggressive action can be taken based on these limits.  With
     the overload <table> state option, source IP addresses which hit either
     of the limits on established connections will be added to the named
     table.  This table can be used in the ruleset to block further activity
     from the offending host, redirect it to a tarpit process, or restrict its
     bandwidth.
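The max-src-conn, max-src-conn-rate and overload options quoted above, applied to the situation the original poster describes (a gateway in front of a LAN, with port 80 left open for browsing). This is an added example, not a ruleset from the thread; the interface names, the LAN prefix and the limit values are assumptions to be tuned.

```pf
# Added example, not from the thread. Assumed: re0 faces the Internet,
# re1 faces the LAN, the LAN is 192.168.1.0/24, and the limit values
# below are starting points, not measured thresholds.
ext_if = "re0"
int_if = "re1"
lan    = "192.168.1.0/24"

# pf itself adds source addresses that exceed the limits below to this table.
table <abusers> persist

set skip on lo0

# Default deny, logged, as in the ruleset earlier in the thread.
block log all

# A host already flagged is cut off before the pass rules are consulted.
block in quick log on $int_if from <abusers>

# Plain browsing stays under these limits. A download manager that opens
# eight or more parallel streams to one server, as described in post #3,
# trips max-src-conn; max-src-conn-rate catches one that cycles through
# connections quickly instead. "flush" also kills the offending host's
# existing states, so a transfer in progress is cut off too.
# A user who tunes the manager below the limit still slips through.
pass in on $int_if inet proto tcp from $lan to any port www \
    keep state (max-src-conn 5, max-src-conn-rate 15/5, overload <abusers> flush)

pass in on $int_if inet proto tcp from $lan to any port https keep state
pass in on $int_if inet proto tcp from $lan to any port domain keep state
pass in on $int_if inet proto udp from $lan to any port domain keep state

# States created by the rules above also match the same packets leaving
# on $ext_if (pf states float across interfaces by default), so forwarding
# needs no separate pass out rule. NAT, if the LAN uses private addresses,
# is outside this example.
```

Check the syntax the same way post #2 does, with `pfctl -vvnf /etc/pf.conf`; afterwards `pfctl -t abusers -T show` lists the hosts that have tripped the limits and `pfctl -t abusers -T delete <address>` releases one.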
#5, 5th February 2010
BSDfan666 (Join Date: Apr 2008, Location: Ontario, Canada, Posts: 2,223)

As suggested by J65nko, you can limit this using pf, but you can also typically do this from within the HTTP server's configuration files (or by using a module).
#6, 25th February 2010
gzgeniii (New User, Join Date: Aug 2008, Posts: 2)

Sounds like you want to keep port 80 open for normal web browsing but want to stop certain programs from using it (e.g. a download manager).

The only way I can think of to do this would be to use a firewall/filter device that does Layer 4/Deep Packet Inspection (DPI, which actually looks inside the data packet being sent).

I believe OpenBSD is a layer 3 firewall device only. I may be wrong here but the only way you might be able to achieve this with OpenBSD would be block everything and force everyone to go through some sort of proxy/filter program that performs this type of DPI.

Even then your mileage may vary, as the smarter download managers may emulate common web browsers anyway as far as their HTTP requests go.

The suggestion above about limiting TCP connections per IP is probably the easiest way that is actually built into OpenBSD but still won't stop savvy users from using these programs if they tune them to use a lower connection count.