DaemonForums  

#1 bryn1u, 22nd August 2014
PF only firefox traffic?

Hey,

Many people ask me: is there any way to pass only traffic from Firefox to the internet? I don't mean all of ports 80 and 443, I mean only software like Firefox. Does PF have that option?

#2 jggimi, 22nd August 2014

No, there's no way for PF to discriminate between packets created by different browsers.

PF filters by Layer 3 protocol information -- protocols and other TCP/IP metadata. In addition, bridge devices can filter on Layer 2 MAC addresses using PF-like rule syntax, but this isn't done by PF, and still would not differentiate between a Firefox process and some other browser generating the exact same packet to the exact same webserver.

PF can also filter by userid, but only on packets which were generated on the same system where PF is running. So, if you assign your various browsers each to its own unique userid, and you were running PF on the same platform where the browsers were being used, you could assign different rules to packets originating from the different userids.

The relay daemon, relayd, can be a transparent proxy and provide packet inspections through to Layer 7, and can block and pass based on content in http and https packets. It still does not differentiate between browsers.

---

Better, I think, would be to restate your question. What is it you wish to actually accomplish?

Last edited by jggimi; 22nd August 2014 at 12:20 PM. Reason: typo, added relayd(8) comment

#3 bryn1u, 22nd August 2014

For example: I want to pass traffic only from Firefox to the internet, that's all.

#4 jggimi, 22nd August 2014

The answer, then, is "no". PF will not differentiate between packets created by different applications. It cannot tell the difference between two different browsers reaching out to the same webserver, as it only addresses Layer 3 information.

I edited my response above to include mention of relayd, which can act as a transparent proxy and block or pass based on content within HTTP/HTTPS packets, but it too is inspecting only packets and does not differentiate between source processes.

Browsers do self-identify, using User Agent strings, but these can be easily changed and to my knowledge relayd does not inspect these.

The most popular proxy is probably Squid, which is available as a package for this OS. I don't use it. A brief look at its documentation states that it is able to log user agent strings, though I could not find anything stating it is able to filter based upon them.

#5 Nomega, 23rd August 2014

There is a workaround: assign Firefox to a unique user or group, and pf allows filtering by users or groups.
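
The per-user filtering described in posts #2 and #5, written out as a pf.conf fragment. This is an added example, not part of the thread: the account name `_ffox` is hypothetical, and it assumes PF runs on the same OpenBSD machine where Firefox is started under that dedicated account.

```conf
# /etc/pf.conf fragment (added example, not from the thread).
# "_ffox" is a hypothetical local account used only to run Firefox.

set skip on lo

# Default: nothing leaves this host unless a later rule allows it.
# "log" sends blocked packets to pflog0 so denied attempts can be reviewed.
block return out log all

# Web traffic is allowed only from sockets owned by the dedicated account.
# The "user" match works for TCP and UDP sockets opened on this machine;
# packets forwarded from other hosts have no local owner and never match.
pass out on egress proto tcp to any port { 80 443 } user _ffox

# Name lookups made by processes running under that same account.
pass out on egress proto { tcp udp } to any port 53 user _ffox

# Any other outbound service this host needs (time sync, mail, updates)
# requires its own pass rule, ideally tied to its own service account.
```

PF matches the owner of the socket, not the program, so anything else started under that account gets the same access. `pfctl -nf /etc/pf.conf` parses the file without loading it.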

#6 jggimi, 24th August 2014

Quote, originally posted by Nomega:
There is workaround...

Hello, and welcome.

I tried to explain this in my post #2 above, but I may not have been sufficiently clear.

#7 Nomega, 24th August 2014

Indeed, credit goes to jggimi; I just tried to explain it more simply.

I'm happy to be part of this great community.