This is a simple pf.conf to block everything, except the ports mentioned in the TCPservices and UDPservices definitions.
Code:
EXT=re0
TCPservices = "{ www https domain }"
UDPservices = "{ domain }"

set skip on lo0
block log all
pass out quick on $EXT inet proto tcp from any to any port $TCPservices
pass out quick on $EXT inet proto udp from any to any port $UDPservices

Code:
# pfctl -vvnf block-all.pf
EXT = "re0"
TCPservices = "{ www https domain }"
UDPservices = "{ domain }"
set skip on { lo0 }
@0 block drop log all
@1 pass out quick on re0 inet proto tcp from any to any port = www flags S/SA keep state
@2 pass out quick on re0 inet proto tcp from any to any port = https flags S/SA keep state
@3 pass out quick on re0 inet proto tcp from any to any port = domain flags S/SA keep state
@4 pass out quick on re0 inet proto udp from any to any port = domain keep state
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
Block IDM-DAP-P2P
Quote:
Thanks for your answer, but as you know IDM and some other internet download managers and accelerators use port 80 (www) for downloads, and if we open this port with your config we cannot block it. What do I have to do? And of course IDM uses simultaneous connections, maybe 8 or even more than that, for getting or downloading software, therefore we cannot block them with this config:

EXT=re0
TCPservices = "{ www https domain }"
UDPservices = "{ domain }"

set skip on lo0
block log all
pass out quick on $EXT inet proto tcp from any to any port $TCPservices
pass out quick on $EXT inet proto udp from any to any port $UDPservices
I don't know any of those download managers; the only download manager I know is ftp, and that is blocked by this pf.conf.
So it is time to print out and study the pf.conf man page. The following should give you a start.
Code:
For stateful TCP connections, limits on established connections (connections
which have completed the TCP 3-way handshake) can also be enforced per source
IP.

max-src-conn <number>
    Limits the maximum number of simultaneous TCP connections which have
    completed the 3-way handshake that a single host can make.

max-src-conn-rate <number> / <seconds>
    Limit the rate of new connections over a time interval. The connection
    rate is an approximation calculated as a moving average.

Because the 3-way handshake ensures that the source address is not being
spoofed, more aggressive action can be taken based on these limits. With the
overload <table> state option, source IP addresses which hit either of the
limits on established connections will be added to the named table. This
table can be used in the ruleset to block further activity from the offending
host, redirect it to a tarpit process, or restrict its bandwidth.
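The max-src-conn, max-src-conn-rate and overload options quoted from pf.conf(5) in the post above, put together into a complete ruleset. This is an added example, not a ruleset from this thread or from the OpenBSD project: it assumes a small gateway with re0 outside and em0 inside, a LAN of 192.168.1.0/24, and limit values picked for illustration; the nat line is in the pre-4.7 syntax of the era (on 4.7 and later it becomes `match out on $ext_if from $lan nat-to ($ext_if)`).

```pf
# Added example (not from the thread): per-client limits on outbound web
# connections using the state options from pf.conf(5).
# Interface names, the LAN prefix and the limit values are assumptions.
ext_if = "re0"
int_if = "em0"              # assumed internal interface
lan    = "192.168.1.0/24"   # assumed LAN prefix

TCPservices = "{ www https domain }"
UDPservices = "{ domain }"

# Clients that exceed a limit are added here. 'persist' keeps the table
# across ruleset reloads; clear it with: pfctl -t overloaders -T flush
table <overloaders> persist

set skip on lo0

# Pre-4.7 translation syntax; translation rules precede filter rules.
nat on $ext_if from $lan to any -> ($ext_if)

block log all

# Drop offenders before they can open any further states.
block in quick on $int_if from <overloaders>

# Apply the limits on the inside interface, where the source address is the
# real LAN client. On a 'pass out on $ext_if' rule the source seen by pf is
# the translated (external) address, so every client would share one counter.
# max-src-conn 8      : at most 8 established TCP connections per client
# max-src-conn-rate   : at most 15 new connections per 30 seconds per client
# overload ... flush global : offender goes into the table and all of its
#                             existing states are killed
pass in quick on $int_if inet proto tcp from $lan to any port $TCPservices \
    flags S/SA keep state \
    (max-src-conn 8, max-src-conn-rate 15/30, overload <overloaders> flush global)
pass in quick on $int_if inet proto udp from $lan to any port $UDPservices keep state

pass out quick on $ext_if inet proto tcp from any to any port $TCPservices flags S/SA keep state
pass out quick on $ext_if inet proto udp from any to any port $UDPservices keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, watch who gets caught with `pfctl -t overloaders -T show`, and inspect a client's current states with `pfctl -s states`. Two caveats: the counter includes every established TCP connection from that client, so a browser's own parallel connections count against the same limit, and a user who tunes the download manager to stay under the limit is not stopped at all, which is the point made later in the thread.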
As suggested by J65nko, you can limit this using pf, but you can also typically do this from within the HTTP server's configuration files (or by using a module).
Sounds like you want to keep port 80 open for normal web browsing but want to stop certain programs from using it (e.g. a download manager).
The only way I can think of to do this would be to use a firewall/filter device that does Layer 4/Deep Packet Inspection (DPI, which actually looks inside the data packet being sent). I believe OpenBSD is a layer 3 firewall device only. I may be wrong here, but the only way you might be able to achieve this with OpenBSD would be to block everything and force everyone to go through some sort of proxy/filter program that performs this type of DPI. Even then your mileage may vary, as the smarter download managers may emulate common web browsers anyway as far as their HTTP requests go. The suggestion above about limiting TCP connections per IP is probably the easiest way that is actually built into OpenBSD, but it still won't stop savvy users from using these programs if they tune them to use a lower connection count.