DaemonForums > OpenBSD > OpenBSD Security
PF only firefox traffic ?

#1 - bryn1u - 22nd August 2014

Hey,

Many people ask me: is there any way to pass only traffic from Firefox to the internet? I don't mean all port 80 and 443 traffic, I mean only software like Firefox. Does PF have that option?

#2 - jggimi - 22nd August 2014

No, there's no way for PF to discriminate between packets created by different browsers.

PF filters by Layer 3 protocol information -- protocols and other TCP/IP metadata. In addition, bridge devices can filter on Layer 2 MAC addresses using PF-like rule syntax, but this isn't done by PF, and still would not differentiate between a Firefox process and some other browser generating the exact same packet to the exact same webserver.

PF can also filter by userid, but only on packets which were generated on the same system where PF is running. So, if you assign your various browsers each to its own unique userid, and you were running PF on the same platform where the browsers were being used, you could assign different rules to packets originating from the different userids.

The relay daemon, relayd, can be a transparent proxy and provide packet inspections through to Layer 7, and can block and pass based on content in http and https packets. It still does not differentiate between browsers.

---

Better, I think, would be to restate your question. What is it you wish to actually accomplish?

Last edited by jggimi; 22nd August 2014 at 12:20 PM. Reason: typo, added relayd(8) comment

#3 - bryn1u - 22nd August 2014

For example: I want to pass traffic only from Firefox to the internet, that's all.

#4 - jggimi - 22nd August 2014

The answer, then, is "no". PF will not differentiate between a packet created by different applications. It cannot tell the difference between two different browsers reaching out to the same webserver, as it only addresses Layer 3 information.

I edited my response above to include mention of relayd, which can act as a transparent proxy and block or pass based on content within HTTP/HTTPS packets, but it too is inspecting only packets and does not differentiate between source processes.

Browsers do self-identify, using User Agent strings, but these can be easily changed and to my knowledge relayd does not inspect these.

The most popular proxy is probably Squid, which is available as a package for this OS. I don't use it. A brief look at its documentation states that it is able to log user agent strings, though I could not find anything stating it is able to filter based upon them.

#5 - Nomega - 23rd August 2014

There is a workaround: assign Firefox to a unique user or group, and pf allows filtering by users or groups.

#6 - jggimi - 24th August 2014

Quote (Nomega): "There is workaround..."

Hello, and welcome.

I tried to explain this in my post #2 above, but I may not have been sufficiently clear.

#7 - Nomega - 24th August 2014

Indeed, credit goes to jggimi; I just tried to explain it more simply.

I'm happy to be part of this great community.

#8 - gso - 5th November 2014

Is it not possible to filter on PID?

There seems to be an iptables option for it: --pid-owner processid


#9 - vanGrimoire - 5th November 2014

new user:group -> firefox:firefox
userid firefox -> /usr/local/bin/firefox
pf firefox -> internet

I tried it: set up a ufirefox user, added a password (required), copied my .mozilla and .cache files to /home/ufirefox, su'd into ufirefox and got "can't display on :0.0", so I ran xhost +ufirefox and still no bones. I ran xhost + to give all local users permission to connect to X and it runs - until it freezes.


jggimi - 5th November 2014

Quote (gso): "Is it not possible to filter on PID?"

No. See pf.conf(5).

Quote (vanGrimoire): "...it runs - until it freezes."

You can eliminate your PF configuration as the problem source only by testing the configuration by logging block (or pass) actions, and then checking logs with tcpdump(8) against pflog(4) or /var/log/pflog.

If you want to determine if your cross-user configuration is a problem source, try logging in and running X as that user, and see if the behaviour changes.

vanGrimoire - 6th November 2014

Thanks, it was a permissions issue after trying to copy my config files into the ufirefox home directory. I wiped those out and it came right up.

I've added the following to my .xsession file.
Code:
    xhost +

ufirefox has a profile folder:
Code:
    alias firefox='ulimit -d 1048576; firefox'

User profile info:
Code:
    userinfo ufirefox
    login    ufirefox
    ..
    groups   ufirefox
    class    staff
    gecos    ufirefox
    dir      /home/ufirefox
    shell    /bin/ksh

vanGrimoire - 7th November 2014

Well the next step is actually easier, though more time consuming, than I thought it would be. You'll compile, run, and configure systrace for the ufirefox user.

http://www.informit.com/articles/article.aspx?p=363731

Finally, from man pf.conf:
Code:
    block out proto tcp all
    pass  out proto tcp from self user { < 1000, dhartmei }
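The per-user approach jggimi describes in post #2, Nomega restates in #5, and vanGrimoire's pf.conf excerpt above all point to the same ruleset shape. The following is an added, complete version of it; it is not a ruleset from the thread or from OpenBSD's documentation. It assumes the external interface is em0, that the dedicated browser account is named ufirefox as in the thread, and that the account already exists when pfctl loads the file (pfctl resolves user names at load time). Unlike the excerpt above, which only restricts TCP, it blocks everything the host originates and logs it so the rules can be verified the way jggimi suggests.

```pf
# Added example ruleset (not from the thread). Assumptions: external interface
# is em0, Firefox runs as the local account "ufirefox". Adjust both to match.
ext_if    = "em0"
web_ports = "{ 80 443 }"

set skip on lo

# "block out proto tcp all" alone leaves UDP and ICMP from every user free to
# leave the host. Block all outbound traffic instead, and log it so that each
# blocked packet shows up on pflog0 for tcpdump(8).
block out log on $ext_if all

# Only sockets owned by ufirefox may open connections to web servers.
# "user" matches the socket owner, so it works only because PF runs on the
# same host as the browser; packets without a local socket (forwarded traffic)
# match "user unknown" and are covered by the block above. Return traffic is
# handled by the state entry this pass rule creates.
pass out on $ext_if proto tcp from self to any port $web_ports user ufirefox

# Name resolution runs inside the Firefox process (libc resolver), so the DNS
# packets are owned by ufirefox as well. Drop this rule if a local resolver
# such as unbound(8) handles lookups under its own account.
pass out on $ext_if proto udp from self to any port 53 user ufirefox
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then watch `tcpdump -n -e -ttt -i pflog0` while using the browser: a Firefox connection should never appear there, while any other user's outbound connection should show up as blocked by the first rule. `pfctl -vsr` shows per-rule packet counters, which is a quick way to confirm the pass rule is actually the one matching. Note that, as vanGrimoire observed, root is also caught by the block rule, so package installs and other administrative network access need their own pass rules or a temporary rule change.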
vanGrimoire - 7th November 2014

It's working! I will have to fine tune the systrace configuration. I think I will rename the ufirefox user to a more apt web user or wsh for web shell. Root cannot run firefox or install packages, at least not without downloading them locally first.