OpenBSD Security: Functionally paranoid!
pf.conf: searching for better DNS resolve possibilities
Hi everyone,

I was searching here and could not find a thread about this; if there is one, sorry. I would like to do the following: I have an OpenBSD 6.7 firewall in front of my Windows machines at home. I block everything by default and want to allow a few DNS addresses to be accessible. I want these two to work:

- Windows Update
- Gmail

They don't need internet or anything else; these are devices on a subnet that are there as a backup/NAS.

What I did is create a pf table that contains a few DNS addresses for Gmail and a few Windows Update DNS addresses that I could get my hands on, plus IP addresses I have seen them try to connect to for the update sites. The problem is that each DNS address resolves to only one IPv4 and one IPv6 address, and most of the time the machines don't connect to update/Gmail, only 50% of the time with these settings. It's getting better as I read the logs and add IP addresses, but this is too much, so I'm looking for a better solution, and a permanent one that could resolve this issue once and for all, so that I don't need to read the logs every week for the rest of my life.

Does anybody have a list or a solution for a massive list like these two that I could allow, so that I don't need to allow everything?

Thank you in advance,
SimpL
Hi, sorry for the late reply.

Thanks jggimi, I was thinking of the same solution you suggested at first. It's like this: dig +nocmd google.com any +multiline +answer gives out multiple answers, but sadly not all, so I would need to dig every answer/DNS name this first one gives me. That would not be a big deal if it were like 4-5 addresses, but as far as I can see Google has like 10-15 and MS has the same number, and if they change I need to alter the script. Is there no one who has done something like this in the past, maybe, or is there no list of these somewhere on the net? I found an MS one: https://answers.microsoft.com/en-us/...ca06620?auth=1 But as you look at it, it has * on a few links, and you know what that means... So I'm a bit bummed about this. If there is no other better solution, then dig it is... Thanks again, jggimi, for your answer.
An alternative could be to define a restrictive pf rule set with an empty pf anchor for Gmail and another anchor for Windows Update.
Before using Gmail you load the rules enabling Gmail into the gmail anchor, and when done with Gmail you flush those rules from the anchor. Similar procedure for Windows Update. See https://www.openbsd.org/faq/pf/anchors.html#manip This way you limit the time the firewall is open for these activities. With simple shell scripts you can automate loading/flushing these rules.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
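The anchor approach described in the post above, written out as an added example (this is editor-supplied code, not a script posted in the thread). It assumes hypothetical names: em0 as the internet-facing interface, em1 as the LAN interface, anchors called "gmail" and "winupdate", and tables <gmail> and <winupdate> that some other job keeps filled with addresses; the port lists are assumptions as well. NAT and the firewall's own traffic are left out.

```shell
#!/bin/sh
# Added example (not code from the thread): open and close pf anchors
# on demand, so the rules that let the LAN reach Gmail or Windows
# Update exist only while the task is actually running.
# Hypothetical names: em0 = internet side, em1 = LAN side, anchors
# "gmail" and "winupdate", tables <gmail> and <winupdate> that are
# kept filled by some other job.  The port lists are assumptions too.
EXT_IF=${EXT_IF:-em0}
LAN_IF=${LAN_IF:-em1}

# The always-loaded /etc/pf.conf.  Everything is blocked; the two
# anchor lines are attachment points that match nothing while empty.
base_ruleset() {
    cat <<EOF
set skip on lo
table <gmail> persist
table <winupdate> persist
block all
anchor "gmail"
anchor "winupdate"
EOF
}

# Rules that get loaded into one anchor.  "quick" stops evaluation at
# the first match, so the pass overrides the "block all" above it, and
# the default stateful filtering lets replies back through.
anchor_rules() {
    case $1 in
    gmail)     table=gmail;     ports="{ 443, 465, 587, 993 }" ;;
    winupdate) table=winupdate; ports="{ 80, 443 }" ;;
    *)         echo "unknown anchor: $1" >&2; return 1 ;;
    esac
    cat <<EOF
pass in quick on $LAN_IF inet proto tcp from $LAN_IF:network to <$table> port $ports
pass out quick on $EXT_IF inet proto tcp to <$table> port $ports
EOF
}

# Load the rules into the named anchor (pfctl reads them from stdin),
# flush them again, or show what is currently loaded.  These are the
# pfctl invocations from the pf FAQ page on anchor manipulation.
anchor_open()  { anchor_rules "$1" | pfctl -a "$1" -f - ; }
anchor_close() { pfctl -a "$1" -F rules ; }
anchor_show()  { pfctl -a "$1" -s rules ; }

# Usage: pf-anchor.sh open gmail ; ... ; pf-anchor.sh close gmail
case ${1:-} in
open)  anchor_open "$2" ;;
close) anchor_close "$2" ;;
show)  anchor_show "$2" ;;
esac
```

One caveat worth knowing before relying on the "close" step: flushing an anchor's rules removes the rules, not the states they created, so connections that are already open keep flowing until they end on their own. If the window is supposed to close hard, follow the flush with pfctl -F states (everything) or pfctl -k with the LAN network as the source.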
If this were my use case, I'd probably first try to use a PF table, using a script that runs daily to update the PF table. Here's an untested example:
Code:
#!/bin/sh
# 1. Load table <allowed> with resolved domain name addresses.
# 2. Store the results in /var/db/allowed.addresses so that these can be loaded
#    on boot by rc(8) when it loads pf.conf(5).
#
# Note: pf.conf(5) must contain `table <allowed> persist file "/var/db/allowed.addresses"`
#
# a. use a temporary file to load the domain names in the here document, as dig(8) will
#    be used twice.
# b. Type "A" records replace /var/db/allowed.addresses.
# c. Type "AAAA" records append to /var/db/allowed.addresses.
# d. Google's CNAME for mail.google.com is deleted with grep(1).
# e. If nothing resolved (resolver down, typo), leave the existing table alone
#    rather than replacing it with an empty one.
#
TMPFILE=$(mktemp /tmp/resolve.XXXXXXXX) || exit 1
cat > "$TMPFILE" << 'EOF'
microsoft.com
gmail.com
mail.google.com
EOF
dig -f "$TMPFILE" -t A +short | grep -v google > /var/db/allowed.addresses
dig -f "$TMPFILE" -t AAAA +short | grep -v google >> /var/db/allowed.addresses
rm "$TMPFILE"
[ -s /var/db/allowed.addresses ] || exit 1
pfctl -t allowed -T replace -f /var/db/allowed.addresses
Hi,

Sorry for not posting. I tried dig and other methods; it's not easy to do it this way, so I gave up, hoping that maybe later I'd have a good idea to solve this. I found that you can add DNS to pf, but haven't tried it yet, and the dig that jggimi and J65nko wrote is an alternative solution that could work, but it needs work. (But now I've got multiple other DNS addresses that would need to be set...) So I'm back and will try what you suggested. Thank you again. I will write back if I get any better solutions for this. Thanks again, and Happy New Year.
Another possible solution might be a transparent proxy, such as relayd(8). The EXAMPLES section in the relayd.conf(5) man page shows the blocking of an HTTPS request to a prohibited social media site.
I'd mentioned this possible solution in November, above.
Hi.

Thank you again for your help, J65nko and jggimi. In the end I used this little code snippet:
Code:
#!/bin/ksh
# Rebuild the address list from scratch on every run (-f: no error on first run).
rm -f /local/google
# One domain name per line in diggoogle.txt; resolve A and AAAA for each.
# grep -v google drops the CNAME lines dig prints before the addresses.
while read -r y
do
    dig "$y" -t A +short | grep -v google >> /local/google
    dig "$y" -t AAAA +short | grep -v google >> /local/google
done < diggoogle.txt
# Strip the trailing dot from any remaining name-style lines.
sed -i 's/[.]$//' /local/google
pfctl -t google -T replace -f /local/google

I'm checking this currently, but it seems to work so far. I did the same for Microsoft; I don't have results just yet, but will see in the next few weeks from the user computers. Set it to a daily update in cron.

PS: Got the callback from the client side. It works.

Last edited by SimpL; 3rd February 2021 at 04:17 PM. Reason: Got results
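Both scripts in this thread drop the CNAME lines that dig +short prints by grepping for the vendor name, which stops working as soon as a table mixes vendors or a CNAME target lacks that string. The following added example (editor-supplied, not code posted by jggimi or SimpL) generalises the same table-refresh job: it keeps only lines that are IPv4 or IPv6 literals, de-duplicates them, and refuses to replace the table when resolution returned nothing, so a DNS outage at cron time cannot empty the allow list. The table name "allowed", the name list /etc/pf-allowed.names and the state file /var/db/allowed.addresses are hypothetical, and the dig output used to exercise the filter is constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example (not code from the thread): resolve a list of domain
# names with dig(1) and load only the resulting IP literals into a pf
# table.  Hypothetical names: table <allowed>, name list
# /etc/pf-allowed.names, state file /var/db/allowed.addresses.
# pf.conf(5) is assumed to carry:
#   table <allowed> persist file "/var/db/allowed.addresses"

# Keep only IPv4/IPv6 literals from "dig +short" output.  dig prints
# CNAME targets (e.g. "googlemail.l.google.com.") on their own lines
# before the addresses; they are dropped by shape, not by vendor name,
# so the same filter serves every domain in the list.  sort -u also
# removes duplicates when several names resolve to the same host.
filter_addresses() {
    awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/        { print; next }
        /^[0-9A-Fa-f:]+$/ && index($0, ":") > 0  { print }
    ' | sort -u
}

# Domain names from a file, one per line; "#" comments and blank
# lines are ignored.
list_names() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# A and AAAA lookups for every listed name, filtered to addresses.
resolve_names() {
    for n in $(list_names "$1"); do
        dig +short -t A "$n"
        dig +short -t AAAA "$n"
    done | filter_addresses
}

# Replace the table only when resolution produced something.  An
# empty answer (resolver down, typo in the list) would otherwise wipe
# the table and silently block the very hosts it exists to permit.
update_table() {
    table=$1; namefile=$2; statefile=$3
    tmp=$(mktemp "$statefile.XXXXXXXX") || return 1
    resolve_names "$namefile" > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "no addresses resolved; leaving <$table> untouched" >&2
        return 1
    fi
    mv "$tmp" "$statefile"
    pfctl -t "$table" -T replace -f "$statefile"
}

# Constructed stand-in for "dig +short" output (documentation ranges,
# not real query results), used to exercise filter_addresses offline.
sample_dig_output() {
    printf '%s\n' 'googlemail.l.google.com.' '192.0.2.10' \
        '2001:db8::25' 'notanip' '192.0.2.10'
}

# Usage from cron: resolve-table.sh allowed /etc/pf-allowed.names /var/db/allowed.addresses
if [ $# -eq 3 ]; then
    update_table "$@"
fi
```

Running it from cron once a day matches what the thread settled on; the difference is that a failed run leaves the previous addresses in place, and the state file still lets pf reload the table at boot through the persist file directive.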