DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 27th February 2020
victorvas victorvas is offline
Real Name: Victor
Linux
 
Join Date: May 2019
Posts: 148
Question pf and big list of sites

Hello!
I've got a big list (2000) sites that boss wants to be blocked. The list is in format of a hosts file:
Code:
127.0.0.1 badsite.com
127.0.0.1 anotherbadsite.com
...
What's the best way to block that list with pf?
Reply With Quote
  #2   (View Single Post)  
Old 27th February 2020
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Use a table. Example:
Code:
table <boss.block> file "/path/to/a/file/containing/addresses/and/or/cidrs"
block from <boss.block>
block to <boss.block>
For more provisioning information, see the Tables section of the PF User's Guide, and for complete information, the pf.conf(5) man page.


Edited to add: tables can also be managed with pfctl(8). You can add/delete, reload an edited file, replace with a new file, etc. See the pfctl(8) man page and the -t/-T options.

Last edited by jggimi; 27th February 2020 at 12:08 PM.
Reply With Quote
  #3   (View Single Post)  
Old 27th February 2020
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 628
Default

Quote:
Originally Posted by victorvas View Post
Hello!
I've got a big list (2000) sites that boss wants to be blocked. The list is in format of a hosts file:
Code:
127.0.0.1 badsite.com
127.0.0.1 anotherbadsite.com
...
What's the best way to block that list with pf?
Looking at that slice of text file I think you have domains, but not IP addresses of these domains. PF can block by matching IP addresses or CIDR but not by domain. To block that with pf you would need a program that periodically translates domains to IP addresses and reloads table with IP addresses jggimi written about.
Alternatively you can use Unbound instead to block access to domains and proxy all DNS traffic via Unbound. This has advantage that subdomains can also be easily blocked, while it would be hard to enumerate all subdomains of domain and retrieve IP addresses for each of them.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
  #4   (View Single Post)  
Old 27th February 2020
victorvas victorvas is offline
Real Name: Victor
Linux
 
Join Date: May 2019
Posts: 148
Default

Thanks, jggimi and e1-531g!
Indeed, I only have domain names without IP addresses.
Reply With Quote
  #5   (View Single Post)  
Old 27th February 2020
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

A PF table-based solution is via individual IP addresses and network blocks.
The only domain resolution performed by PF is on individual FQDNs in rules files, and only once when the rules are first loaded. In practice, the boot sequence interferes unless loaded after boot through anchors.
A DNS-based solution requires that all resolution requests are forced to pass through your nameserver for address resolution. I can think of many ways a client workstation or device can defeat that. One way to enforce domain inspection is to isolate your company's IP network from the Internet, and only permit access to it through a proxy server, where you have governance of domains, URLs, even TLS inspection. One of the built-in tools, relayd(8), can perform these tasks. See the man pages for relayd(8), relayd.conf(5), and take a look at the relayd.conf example file in /etc/examples.
Reply With Quote
  #6   (View Single Post)  
Old 27th February 2020
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 628
Default

Quote:
Originally Posted by jggimi View Post
I can think of many ways a client workstation or device can defeat that.
We don't know about case OP wants to cover. Maybe just wants to block ads on owned laptop? In that case it is just a matter of pointing to loopback (127.0.0.1) in /etc/resolv.conf file.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
  #7   (View Single Post)  
Old 27th February 2020
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Maybe. But someone took the time to assemble (or find and download ) a large list of bad actors.
Reply With Quote
Reply

Tags
pf hosts

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Dual WAN & HTTPS Sites alpha202ej OpenBSD Security 1 31st January 2012 09:26 PM
Java vulnerability - when lyric sites attack J65nko News 0 15th April 2010 07:49 PM
Best Way to sync web sites roundkat OpenBSD General 2 14th September 2008 01:48 PM
Collect visited sites bichumo General software and network 3 8th August 2008 06:32 PM
Cool sites 18Googol2 Off-Topic 0 2nd May 2008 09:19 AM


All times are GMT. The time now is 01:30 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick