DaemonForums  

#1
24th October 2013
pawaan (Port Guard)
blocking a website with pf

Hello

I'm a total newbie in pf and want to block www.facebook.com.
I made a change to pf.conf:

Code:
table <noface> persist file "/etc/pf.noface.conf"
Code:
block drop in log (all) quick on $ext_if from <noface> to any
It worked after I commented out 'pass out'.
Is it correct to do without 'pass'? Can you help me make such blocks better?

Thank you
Pawaan.

Last edited by pawaan; 24th October 2013 at 04:11 AM. Reason: typo : such
#2
24th October 2013
jggimi (More noise than signal)

Quote:
I'm a total newbie in pf...
Keep these in mind whenever you are considering using PF for filtering:
  1. The last matching pass/block rule wins (unless the quick option is used).

    This means if you have two rules that will match, put the general case first, the specific case second. For example, put your pass rule allowing users to reach the web (e.g. destination ports 80 for HTTP and 443 for HTTPS) before the block rule for the specific addresses you want blocked.
  2. PF is a network layer 3 filter (unless you are filtering a bridge device, which permits filtering of Ethernet frames). PF may not be appropriate for all needs -- and probably not for your intended use case.

    PF filtering is limited to rules regarding the Internet Protocol ("IP") and its suite of subordinate IP protocols that are referred to generally as "TCP/IP". We write PF rules for the three IP protocols TCP, UDP, and ICMP, though there are others that are used and may need rules written as well. For example, I use the ESP protocol as a component of my ipsec(4) implementation. A complete list of IP protocols can be found listed in /etc/protocols, if you're interested.

    PF does not deal with higher level protocols used in applications, such as the HTTP protocol. It does not inspect packets for content, such as the contents of an HTTP GET request destined for www.facebook.com.

    While domain names can be used in PF rules for convenience, they are resolved to IP addresses at rule initiation time only, and the administrator needs to be sure they can be resolved at boot time for the rules to work.
  3. Other tools will inspect the higher protocols and make decisions based on the data found in the packets. For HTTP traffic, the tool most commonly deployed is the http proxy server. The network admin routes outgoing HTTP traffic through the server for this inspection, and the proxy server decides whether to pass or block the traffic.

    Routing HTTP traffic through a proxy server can be done by browser settings at each client, or can be done via a packet filter such as PF. PF may not inspect the HTTP traffic, but rules can be written to redirect such traffic through a proxy server if so identified. As an example of this, and mentioned in the first paragraph, the HTTP protocol is carried within TCP packets and the server listens for traffic on TCP port 80.
Quote:
It worked after I commented out 'pass out'.
Is it correct to do without 'pass'? Can you help me make such blocks better?
Not without seeing your ruleset. But remember, the last matching rule wins. Look at this two line ruleset, where both rules will always match. All traffic will be blocked, because the block rule is last:
Code:
pass all
block all
Now, a more realistic example. Here, I start by blocking all traffic. That rule always matches. Then, I permit HTTP traffic (TCP for destination port 80) from anywhere to anywhere in the second rule. It will only apply to traffic destined for servers listening to port 80. Finally, I narrow that access by blocking that sort of traffic to the network 10.10.0.0/16 in a third rule:
Code:
block all
pass proto tcp from any to any port 80
block proto tcp from any to 10.10.0.0/16 port 80
There were two recent threads on the OpenBSD misc@ mailing list this week regarding blocking facebook traffic. They may help. Links to the first post in each thread are below.

Blocking facebook.com: PF or squid?
Sorry: Facebook again
#3
24th October 2013
J65nko (Administrator)

If you keep state on outgoing http traffic, the incoming traffic matches the state and thus will be automatically allowed in.

From pf.conf(5):
Code:
     By default pf(4) filters packets statefully: the first time a packet
     matches a pass rule, a state entry is created.  The packet filter
     examines each packet to see if it matches an existing state.  If it does,
     the packet is passed without evaluation of any rules.
So you need to block the outgoing traffic with something like:
Code:
block drop out log (all) quick on $ext_if from any to <noface>
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
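The two behaviours explained in posts #2 and #3 (the last matching rule wins unless quick is set, and a packet that matches an existing state entry is passed without any rule being evaluated) can be made concrete with a small model. The following Python is an added example, not code from this thread, from OpenBSD or from pf(4): the parser handles only the pf.conf subset used in the thread, the Firewall class is a deliberate simplification of the real packet filter, the <noface> table contents and the 10.10.0.0/16 and 203.0.113.10 packets are constructed, and the 192.168.1.4:47172 to 31.13.83.8:80 flow is the one shown in the tcpdump output further down the thread.

```python
"""Toy model of PF evaluation (added example, not OpenBSD code): the last
matching rule wins unless 'quick' is set, and a packet that matches an
existing state entry is passed without any rule being evaluated."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

Packet = namedtuple("Packet", "direction proto src dst sport dport")

@dataclass
class Rule:
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # "in", "out" or None for both
    quick: bool = False
    proto: Optional[str] = None
    src: str = "any"                   # "any", host, CIDR or "<table>"
    dst: str = "any"
    dport: Optional[int] = None

FIELD = {"proto": "proto", "from": "src", "to": "dst", "port": "dport"}

def parse_ruleset(text):
    """Parse the pf.conf subset used in the thread, one rule per line.
    'drop', 'return', 'log', '(all)', 'all' and 'on IF' do not affect matching."""
    rules = []
    for line in text.splitlines():
        toks = line.split("#", 1)[0].split()
        if not toks:
            continue
        r, i = Rule(action=toks[0]), 1
        while i < len(toks):
            t = toks[i]
            if t in ("in", "out"):
                r.direction = t
            elif t == "quick":
                r.quick = True
            elif t == "on":
                i += 1                         # interface name: ignored here
            elif t in FIELD:                   # keyword followed by its argument
                i += 1
                setattr(r, FIELD[t], int(toks[i]) if t == "port" else toks[i])
            i += 1
        rules.append(r)
    return rules

def addr_matches(spec, addr, tables):
    if spec == "any":
        return True
    nets = tables[spec.strip("<>")] if spec.startswith("<") else [spec]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def rule_matches(r, p, tables):
    return (r.direction in (None, p.direction) and r.proto in (None, p.proto)
            and r.dport in (None, p.dport)
            and addr_matches(r.src, p.src, tables)
            and addr_matches(r.dst, p.dst, tables))

class Firewall:
    def __init__(self, ruleset, tables=None):
        self.rules, self.tables, self.states = parse_ruleset(ruleset), tables or {}, set()

    @staticmethod
    def flow(p):                       # one state entry covers both directions
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def filter(self, p):
        if self.flow(p) in self.states:
            return "pass (state)"      # matched state: no rule is evaluated
        verdict = "pass"               # PF's default when no rule matches
        for r in self.rules:
            if rule_matches(r, p, self.tables):
                verdict = r.action     # last match wins ...
                if r.quick:
                    break              # ... unless it is a quick rule
        if verdict == "pass":
            self.states.add(self.flow(p))   # pass rules keep state by default
        return verdict

FB = "31.13.83.8"                           # destination in the tcpdump line in the thread
TABLES = {"noface": ["31.13.64.0/18"]}      # constructed table entry covering FB
SYN = Packet("out", "tcp", "192.168.1.4", FB, 47172, 80)
SYNACK = Packet("in", "tcp", FB, "192.168.1.4", 80, 47172)

def demo_last_match_wins():
    return Firewall("pass all\nblock all").filter(SYN)             # "block"

def demo_three_rules():
    fw = Firewall("block all\npass proto tcp from any to any port 80\n"
                  "block proto tcp from any to 10.10.0.0/16 port 80")
    return (fw.filter(Packet("out", "tcp", "192.168.1.4", "203.0.113.10", 40000, 80)),
            fw.filter(Packet("out", "tcp", "192.168.1.4", "10.10.5.5", 40001, 80)),
            fw.filter(Packet("out", "tcp", "192.168.1.4", "203.0.113.10", 40002, 22)))

def demo_state_beats_block_in():
    # Only 'block in' from the table: the stateful 'pass out' creates state on
    # the SYN, and the SYN/ACK is passed without the block rule being consulted.
    fw1 = Firewall("pass out on wpi0\n"
                   "block drop in log (all) quick on wpi0 from <noface> to any", TABLES)
    # With the 'block out' rule from post #3 added, no state is ever created.
    fw2 = Firewall("pass out on wpi0\n"
                   "block drop in log (all) quick on wpi0 from <noface> to any\n"
                   "block drop out log (all) quick on wpi0 from any to <noface>", TABLES)
    return ((fw1.filter(SYN), fw1.filter(SYNACK)),
            (fw2.filter(SYN), fw2.filter(SYNACK)))
```

demo_last_match_wins() returns "block" for the two-line ruleset from post #2, demo_three_rules() returns ("pass", "block", "block") for the three-rule example, and demo_state_beats_block_in() shows why the original 'block in' rule alone was not enough: with a stateful 'pass out' in front of it, the SYN/ACK comes back as "pass (state)", whereas with the 'block out ... to <noface>' rule added both directions are blocked and no state exists.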
#4
24th October 2013
pawaan (Port Guard)

Thank you very much, both of you.
Quote:
Not without seeing your ruleset
jggimi, I'm afraid I've started from scratch and have no well-elaborated pf.conf.
# pfctl -s rules
Code:
block drop in log (all) quick on wpi0 from <noface> to any
block drop out log (all) quick on wpi0 from any to <noface>
block drop in on ! lo0 proto tcp from any to any port 6000:6010
Please consider my wish to make a simple pf.conf suitable for a child-aware workstation in the fashion of Webconverger, where only web surfing is offered and all other services are denied (plus denying a few domains like facebook/encyclopediadramatica).

# tcpdump -eni pflog0
Code:
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
05:06:17.454942 rule 1/(match) block out on wpi0: 192.168.1.4.47172 > 31.13.83.8.80: S 2737268177:2737268177(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 3404878673[|tcp]> (DF)
Code:
Http_connect_socket ERROR: No route to host
Thanks

Last edited by pawaan; 24th October 2013 at 12:02 PM. Reason: typo
#5
24th October 2013
jggimi (More noise than signal)

The first line blocks any incoming traffic of any kind from IP addresses listed in the table <noface> that arrive on the NIC wpi0. The drop option is used, so no response is returned to those addresses notifying them that their packets cannot reach their destination. As J65nko noted, this rule will only be tested for traffic where there is no state already established -- only stateless traffic (such as ICMP) or state-establishing requests for stateful traffic (such as unsolicited TCP) will be tested against the rule. And, as the rule uses the quick option, any matching traffic will cause PF to cease rule testing and apply the block.

The second line blocks any outgoing traffic of any kind going to IP addresses listed in the table <noface> that would exit the platform via NIC wpi0. As above, the drop and quick options are used. Other systems or local applications are not informed of a failure to reach the <noface> address and no further rule testing takes place after a packet is matched.

The third line blocks TCP protocol traffic other than on the loopback logical device -- loopback is traffic that exists completely inside the computer running PF. The rule blocks TCP traffic in any direction to a range of destination TCP ports used by X Windows for networked X traffic. This rule does not use quick, so on a match the block is not performed unless this happens to be the last matching rule for this traffic. As with the previous rules, drop is used so no notification of the block is returned to the requesting application.


Are those your complete set of filtering rules? If so, PF will pass any traffic that does not match these three rules without tracking state.

If I have any general guidance, it would be:
  • Decide on an overall policy -- whether your ruleset will block everything except what is explicitly permitted, or whether your ruleset will pass everything except what is explicitly blocked. If those three rules are your complete list of pass/block rules, it appears you are using the pass everything policy.
  • If you use a pass everything policy, I recommend using an explicit pass all rule at the top of your ruleset. This will keep state, and that will reduce PF overhead as stateful traffic will not be tested against rules once established.
  • I recommend using return rather than drop on block rules where appropriate, such as with your own user(s). In this way, networking applications such as browsers will be notified of blocked traffic immediately and users won't have to sit and wait for long timeouts before getting error messages.

Last edited by jggimi; 24th October 2013 at 04:16 PM. Reason: typo which changed meaning. Correction in red.
#6
27th October 2013
pawaan (Port Guard)

Thanks again for the good explanation.
It seems hard with a pass-everything policy as there is much to block.
Should I rather do a block-everything, then set pass rules?
I have OpenBSD machines supposed to only surf the web excluding a few domains. I want to make a tight policy on each without making a change to the router's parental control settings or using some relay.conf for that.
#7
27th October 2013
jggimi (More noise than signal)

Quote:
Originally Posted by pawaan View Post
...
it seems hard with a pass-everything policy as there is much to block ...
You wish to block "a few domains". Your problem, though, is that PF rules use IP addresses, not domains. Why is this a problem? Because a large domain can represent hundreds or thousands of individual IP addresses, and that pool of addresses is subject to constant change.
  1. As I wrote above, PF only conducts domain name to IP address resolution a) as an administrative convenience and b) at PF start time.
  2. PF can only resolve fully qualified domain names. For example, you may want to block all possible subdomains within facebook.com or fb.com. PF cannot resolve a wildcard representation such as *.facebook.com, so it cannot block by top level domain or by domain group.
Quote:
...should I rather do a block-everything then set pass rules ?...
A block all with passing exceptions does not seem to meet your needs, based on how you described them in this thread. I'll repeat what I stated earlier in this thread. Based upon your stated requirements, I believe you are trying to use the wrong tool. PF is a wonderful hammer, but not every problem is a nail.

For your needs, I would look into using the squid package; it's a very popular tool used by many OpenBSD users to solve the problem you have presented here.
#8
29th October 2013
jggimi (More noise than signal)

If you want layer 7 (application) packet inspection and would prefer to avoid installing a package like squid....

Henning Brauer (henning@) gave a talk over this past weekend at vBSDcon about PF. I happened to be looking through his slides today. Slide #43 reminded me that relayd(8) can be configured to inspect and filter HTTP, and it integrates with PF. I've only used relayd to load balance a server farm; I've never used it as a filter. The relayd tool exploits PF's divert-to which is more efficient than rdr-to. If you're interested, the efficiencies are described in Henning's slides.