OpenBSD Security (Functionally paranoid!)
Blocking All HTTP and HTTPS Traffic
Hi,
I have set up a proxy server on my LAN and I want to restrict all HTTP and HTTPS traffic with my PF. I want to allow HTTP and HTTPS traffic only to my proxy server, not to any other PC on my LAN. How can I achieve the above? I tried the following code but it gave a syntax error.
Code:
lan="{192.168.94.0/24}"
proxy="192.168.94.49"
Code:
block out tcp from $lan to any port {80,443}
pass out tcp from $proxy to any port {80,443}
Last edited by ocicat; 31st October 2016 at 11:59 AM.
Hi Jggimi,
Thanks for the information. I put in the following rules:
Code:
block out on $int_if proto tcp from $lan to any port = http
block out on $int_if proto tcp from $lan to any port = https
pass out on $int_if proto tcp from $proxy to any port = http keep state
pass out on $int_if proto tcp from $proxy to any port = https keep state
Do I have to apply these rules before the "pass out keep state" section? Thanks
Last edited by ocicat; 31st October 2016 at 12:01 PM.
Let us review the PF User's Guide, which states:
Quote:
Add logging to your PF rule set:
Code:
match log
Code:
# tcpdump -neti pflog0
Code:
# pfctl -sr -R 37
Last edited by jggimi; 31st October 2016 at 10:34 AM.
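The three steps above (log everything with "match log", watch pflog0 with tcpdump, then look the rule up by its number with pfctl) produce one line per packet, which is tedious to read by eye on a busy LAN. The helper below is an added example, not code from jggimi's post or the PF User's Guide. The pflog lines inside it are constructed to follow the "rule N/(match) action direction on interface:" format that tcpdump -e prints for pflog0; the rule numbers and the interface names em0/em1 are assumed for illustration.

```shell
#!/bin/sh
# Added example: summarise "tcpdump -neti pflog0" output by rule number.
# SAMPLE_PFLOG is constructed, not the poster's attachment; rule numbers
# and interfaces em0/em1 are made up.

SAMPLE_PFLOG='rule 14/(match) block in on em1: 192.168.94.10.51234 > 93.184.216.34.80: S 1:1(0) win 65535
rule 14/(match) block in on em1: 192.168.94.10.51235 > 93.184.216.34.443: S 2:2(0) win 65535
rule 9/(match) pass out on em0: 192.168.94.49.40001 > 93.184.216.34.80: S 3:3(0) win 65535
rule 14/(match) block in on em1: 192.168.94.49.40002 > 8.8.8.8.53: udp 40'

# Read pflog lines on stdin; print "rule action direction interface count"
# for each distinct combination, sorted by rule number.
summarize_pflog() {
    awk '
        /^rule [0-9]+\// {
            split($2, r, "/")          # "14/(match)" -> rule number 14
            iface = $6
            sub(/:$/, "", iface)       # "em1:" -> "em1"
            key = r[1] " " $3 " " $4 " " iface
            count[key]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -n
}

# Print the distinct source addresses logged by one rule number, so you can
# see whether a blocking rule is catching the proxy itself or only clients.
sources_for_rule() {
    rule="$1"
    awk -v want="$rule" '
        /^rule [0-9]+\// {
            split($2, r, "/")
            if (r[1] != want) next
            src = $7                   # "192.168.94.10.51234"
            sub(/\.[0-9]+$/, "", src)  # strip the port
            print src
        }
    ' | sort -u
}

# On the OpenBSD firewall itself (root required): show the rule by number.
show_rule() {
    pfctl -sr -R "$1"
}

printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
printf '%s\n' "$SAMPLE_PFLOG" | sources_for_rule 14
```

On the firewall, capture with "tcpdump -neti pflog0 | tee /tmp/pflog.txt", then run "summarize_pflog < /tmp/pflog.txt" and "sources_for_rule 14 < /tmp/pflog.txt". In the constructed sample, rule 14 is blocking packets from 192.168.94.49, the proxy's own address, which is exactly the kind of rule that needs an exception; "pfctl -sr -R 14" then shows what that rule says.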
Can we see your entire pf.conf file?
Hi Junkym, Jggimi
I added the rules at the bottom of the pf.conf file, but I can still access HTTP and HTTPS traffic without the proxy server. My pf.conf is attached herewith. Thanks
My first thought is to add these lines towards the bottom of the file:
Code:
# BLOCK IT ALL ON INTERNAL NIC
block on $int_if all
# REDIRECT http, https LAN TRAFFIC TO PROXY SERVER
pass in on $int_if proto tcp from $lan to any port { http https } \
    rdr-to $proxy
# LET http, https OUT FROM PROXY SERVER
# ("on" names an interface, so the proxy address belongs in "from")
pass out proto tcp from $proxy to any port { http https }
Thanks a lot Junkym,
I'll try these rules carefully and get back to you.
Quote:
I do think this particular pf.conf would greatly benefit from a clean-up.
And I continue to recommend the steps I recommended in reply #4 above.
With that simple test, Amithapr would discover the rule that is unintentionally passing the traffic that should be blocked. There are three possibilities:
Last edited by jggimi; 1st November 2016 at 10:59 PM. Reason: typo, clarity, and even more clarity. |
Quote:
I tried these rules on my live firewall. All HTTP and HTTPS traffic was blocked by the above rules. I couldn't browse the internet via the proxy either. Thanks.
Hi Jggimi, Junkym
If I apply the following rule set to the firewall, is it OK?
Code:
# BLOCK IT ALL ON INTERNAL NIC
block on $int_if all
# REDIRECT http, https LAN TRAFFIC TO PROXY SERVER
pass in on $int_if proto tcp from $lan to any port { http https } \
    rdr-to $proxy
# LET http, https OUT FROM PROXY SERVER
pass out on $int_if proto tcp from $proxy to any port { http https } keep state
Last edited by ocicat; 7th November 2016 at 11:48 AM.
Your first rule blocks all traffic on your internal interface. Your second rule passes inbound traffic on that interface if it is TCP and has a destination port of 80 or 443.
Problems I see:
Hi Jggimi,
I changed my rule set as follows:
Code:
# BLOCK IT ALL ON INTERNAL NIC
block on $int_if all
# REDIRECT http, https LAN TRAFFIC TO PROXY SERVER
pass in on $int_if proto tcp from $lan to any port { http https } rdr-to $proxy
# LET http, https OUT FROM PROXY SERVER
pass out on $ext_if proto tcp from $proxy to any port { http https } keep state
# For DNS Traffic
pass in on $int_if proto { tcp, udp } from any to any port = 53 keep state
Thanks
I'll guess that your outbound DNS traffic is still blocked, because you are only permitting inbound DNS, not outbound DNS.
Avoid the use of "in" "out" and "on" in your rule sets unless absolutely necessary. I'm tired of guessing. You have been struggling with this particular configuration problem for weeks. So I'll restate what I've tried to state before, and try to be as clear as I can be.
Last edited by jggimi; 15th November 2016 at 12:16 PM. Reason: clarity, typos |
Hi Jggimi,
I changed my rules so that the DNS outbound traffic also passes through the firewall (rules are given below). But I still cannot access the internet, either directly or using the proxy. The output file of "tcpdump -neti pflog0 | tee /tmp/my.pf.log.output" is attached herewith.
Code:
# BLOCK IT ALL ON INTERNAL NIC
block on $int_if all
# REDIRECT http, https LAN TRAFFIC TO PROXY SERVER
pass in on $int_if proto tcp from $lan to any port { http https } rdr-to $proxy
# LET http, https OUT FROM PROXY SERVER
pass out on $ext_if proto tcp from $proxy to any port { http https } keep state
# For DNS Traffic
pass in on $int_if proto { tcp, udp } from any to any port = 53 keep state
pass out on $int_if proto { tcp, udp } from any to any port = 53 keep state
Have you looked at this log you posted?
Also, as I've posted above, be very careful with in, out, and on. Your most recent fragment shows DNS traffic is still not permitted to transit your external interface.
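The policy asked for in the first post, written the way this advice suggests (no in/out/on unless a rule really is interface-specific), as an added example pf.conf fragment. It is not the attached pf.conf and not rules from any poster. It assumes em0 is the Internet-facing interface and em1 the LAN interface, that LAN clients are configured to use the proxy explicitly (so the firewall only has to stop them from reaching port 80/443 themselves), and that the firewall's own traffic is handled elsewhere; the LAN and proxy addresses are the ones from the thread.

```conf
# Added example pf.conf fragment (not the thread's attachment).
# Assumed: em0 = Internet side, em1 = LAN side.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.94.0/24"
proxy  = "192.168.94.49"
web    = "{ 80 443 }"

set skip on lo

# Default deny. "log" sends every blocked packet to pflog0, so
# "tcpdump -neti pflog0" shows the number of the rule that dropped it.
block log all

# A packet travelling from a LAN host to the Internet is evaluated twice:
# inbound on $int_if, then outbound on $ext_if. A rule written as
# "block out on $int_if from $lan" never matches it, because on $int_if
# that traffic is inbound, which is why such a block appears to do
# nothing. Rules without in/out/on are checked on both passes.

# Name resolution for every LAN host (TCP and UDP; stateful by default).
pass proto { tcp, udp } from $lan to any port 53

# Web: block the whole LAN, then re-allow the proxy. Without "quick" the
# last matching rule wins, so the pass for the proxy comes after the block.
# "return" sends a RST so misconfigured clients fail fast instead of
# hanging until their connection attempt times out.
block return log proto tcp from $lan to any port $web
pass proto tcp from $proxy to any port $web

# Clients talk to the proxy's listening port on the same subnet, so that
# traffic never crosses the firewall and needs no rule here.

# Source NAT for LAN traffic leaving towards the Internet. It is kept
# after the filter rules so those rules are matched against the LAN
# addresses before any translation is applied.
match out on $ext_if inet from $lan to any nat-to ($ext_if)
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf". If transparent redirection with rdr-to is intended instead, as in the later posts, two further points apply: the redirect rule must not match the proxy's own address, or the proxy's fetches are redirected back to itself; and because the proxy and the clients share a subnet, the proxy's replies go straight to the client and bypass the firewall unless the redirected traffic is also translated to the firewall's LAN address on its way to the proxy (the PF User's Guide covers this under redirection and reflection).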
I've been thinking further about your log output, and why I am seeing rules which match but do not block. I reviewed the pf.conf(5) man page.
I provided misleading information. My apologies. A match log is not "sticky": it does not apply to subsequent pass and block rules. Your rule 14 logs a block, most likely because there is a log parameter on your rule 14.