blocking a website with pf
Hello
I'm a total newbie in pf and want to block www.facebook.com. I made a change to pf.conf:
Code:
table <noface> persist file "/etc/pf.noface.conf"
Code:
block drop in log (all) quick on $ext_if from <noface> to any
Is it correct to do without 'pass'? Can you help me make such blocks better? Thank you, Pawaan.
Last edited by pawaan; 24th October 2013 at 04:11 AM. Reason: typo : such
Quote:
Code:
pass all
block all
Code:
block all
pass proto tcp from any to any port 80
block proto tcp from any to 10.10.0.0/16 port 80
Related threads: Blocking facebook.com: PF or squid? and Sorry: Facebook again
If you keep state on outgoing http traffic, the incoming traffic matches the state and thus will be automatically allowed in.
From pf.conf(5):
Code:
By default pf(4) filters packets statefully: the first time a packet matches a pass rule, a state entry is created. The packet filter examines each packet to see if it matches an existing state. If it does, the packet is passed without evaluation of any rules.
Code:
block drop out log (all) quick on $ext_if from any to <noface>
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Thank you very much, both of you.
# pfctl -s rules
Code:
block drop in log (all) quick on wpi0 from <noface> to any
block drop out log (all) quick on wpi0 from any to <noface>
block drop in on ! lo0 proto tcp from any to any port 6000:6010
# tcpdump -eni pflog0
Code:
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
05:06:17.454942 rule 1/(match) block out on wpi0: 192.168.1.4.47172 > 31.13.83.8.80: S 2737268177:2737268177(0) win 16384 <mss 1460,nop,nop,sackOK,nop,nop,timestamp 3404878673[|tcp]> (DF)
Code:
Http_connect_socket ERROR: No route to host
Last edited by pawaan; 24th October 2013 at 12:02 PM. Reason: typo
Thanks again for the good explanation.
It seems hard with a pass-everything policy, as there is much to block. Should I rather do a block-everything, then set pass rules? I have OpenBSD machines supposed to only surf the web, excluding a few domains. I want to make a tight policy on each without making a change to the router's parental control settings or using some relay.conf for that.
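A complete ruleset in the spirit of the advice in this thread, written as an added example rather than taken from any post in it: it combines the default-deny approach asked about above with the outbound <noface> block from the earlier reply, and adds the checks a practitioner would run after loading it. The interface name wpi0, the table file path and the allowed ports are assumptions.

```pf
# /etc/pf.conf for a single OpenBSD workstation that may browse the web
# but must not reach the hosts listed in <noface>.
# Added example, not a post from this thread; the interface name, table
# path and allowed ports are assumptions.
ext_if = "wpi0"

# Loaded from a file with one address, network or hostname per line, e.g.
#   www.facebook.com
#   31.13.0.0/16
# Hostnames are resolved when the table is loaded, not per packet, so
# reload it when DNS changes:
#   pfctl -t noface -T replace -f /etc/pf.noface.conf
table <noface> persist file "/etc/pf.noface.conf"

# Loopback is trusted and not filtered.
set skip on lo0

# Default deny, in both directions, logged to pflog0.
block log all

# The block has to be OUTBOUND: a connection this host opens creates state
# on whatever "pass out" rule it matches, and the replies then match that
# state and are never evaluated against any "block in" rule. "quick" ends
# evaluation here, so no later pass rule can override it.
block drop out log quick on $ext_if from any to <noface>

# What the host is allowed to start. pf keeps state by default, so the
# return traffic is admitted without an explicit "pass in".
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port 53
pass out on $ext_if proto tcp from ($ext_if) to any port { 80 443 }

# Checking it:
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf   # syntax check, then load
#   pfctl -t noface -T show                          # addresses actually in the table
#   pfctl -s rules                                   # confirm rule order and "quick"
#   tcpdump -eni pflog0                              # watch blocked packets as they hit
# Caveat: states that existed before the block rule was loaded keep
# passing until they expire. Kill the ones towards a blocked host with
#   pfctl -k 0.0.0.0/0 -k 31.13.83.8
# (the address from the pflog line earlier in the thread), or flush all
# states with  pfctl -F states.
```

The table is the only part that changes day to day: anything a browser can reach that is not in it is allowed by the two pass rules, so the per-host policy lives entirely in /etc/pf.noface.conf and the router's settings are untouched.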
For your needs, I would look into using the squid package; it's a very popular tool used by many OpenBSD users to solve the problem you have presented here.
If you want layer 7 (application) packet inspection and would prefer to avoid installing a package like squid....
Henning Brauer (henning@) gave a talk over this past weekend at vBSDcon about PF. I happened to be looking through his slides today. Slide #43 reminded me that relayd(8) can be configured to inspect and filter HTTP, and it integrates with PF. I've only used relayd to load balance a server farm; I've never used it as a filter. The relayd tool exploits PF's divert-to, which is more efficient than rdr-to. If you're interested, the efficiencies are described in Henning's slides.