blocking rapidshare
Hi,
I have installed OpenBSD 4.6. I would like to block rapidshare by adding some DNS record. I could also block their IP range, but this might change over time. So if someone wants to go to rapidshare.com, they will send a DNS request with rapidshare.com in it. Can I add a record somewhere so that they will be given the wrong IP (like 127.0.0.1)? I added this record to my /etc/hosts file already. Will this do the trick? When I ping rapidshare.com it is pinging 127.0.0.1, but I don't know about all the users. Thx!
You can add a rapidshare.com zone to your DNS server configuration with 127.0.0.1 as the address.
Of course you have to enforce that the users can only use your DNS server for name lookups.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
This means I should enable DHCP on the OpenBSD server? And then add NAT (all to one)?
Setup: router with DHCP - OpenBSD - 60 clients
(internet) - (81.242.5.xxx - router - 192.168.0.1) - (192.168.0.x - OpenBSD - 192.168.1.1) - (192.168.1.x - clients)
My OpenBSD is not using DHCP at the time.
My OpenBSD is not acting as DNS server. Can I just add the following?
    block in on $if_internal inet proto tcp from "192.168.0.1/24" to "rapidshare.com"
    block out on $if_external inet proto tcp from "192.168.0.1/24" to "rapidshare.com"
I am quite new to this, by the way. I can also block the whole rapidshare.com IP range (for savvy users :P)
Above I mentioned using the OpenBSD as a DNS server. Then I could add a new bogus rapidshare.com zone as described in this thread: daemonforums.org/showthread.php?t=3085
If I wanted to do that I thought I had to make my OpenBSD also run the DHCP service to set the primary DNS server as itself (for the clients connecting to it). Then it would just forward all DNS requests to the real DNS server it got provided by the router, but 'filtering' the rapidshare.com zone...
Quote:
- traffic from all host PCs passes through the OpenBSD
- in /etc/hosts I add 127.0.0.1 rapidshare.com
- in resolv.conf I change the order to file, bind so first the file and then the DNS servers will be queried
- OpenBSD is not DHCP nor DNS
- primary and secondary DNS = ISP's DNS
This should get everyone querying for rapidshare.com to go to 127.0.0.1, unless they go directly via the rapidshare IP? For this I could add blocking rules..
Taking your quotes out of order:

If "rapidshare.com" is in /etc/hosts as 127.0.0.1, and your /etc/resolv.conf has "lookup file bind", then when these two rules are loaded, PF will block TCP traffic originating from 192.168.0.1/24 destined to 127.0.0.1. I don't think that is what you intend.

If "rapidshare.com" is -not- in /etc/hosts, and /etc/resolv.conf resolves via an available DNS server, then the address resolution for "rapidshare.com" -at that time- will be blocked. Only for the individually resolving addresses from that one name, at the instant the rules are loaded. This will NOT block addresses of any other servers within Rapidshare's domain, such as rsdb.rapidshare.com or mail2.rapidshare.com. Nor are you blocking any other protocol traffic, just TCP. And only outbound initiated, not inbound.

Your rule for $if_external will never match any traffic.

Ok. But I don't think there will be any pros here who can do this..
Furthermore I can block all DNS requests to other DNS servers than the ones that are automatically provided. Proxy is indeed a nice solution. But since I live in Belgium, upload speeds are very low, and I can accept this workaround. Ok, they can have a proxy in any other foreign country but this is very unlikely.
What I am gonna do now:
- add rapidshare.com to my resolv.conf. Should I add *.rapidshare.com?;
- block ALL traffic from the 21 IPs I get when I nslookup rapidshare.com;
- block all domain traffic unless to my own DNS servers.
Should this do the trick? (You can think of the users here to be regular people without a lot of PC knowledge..)
ps:
Too bad I can't edit my previous post;
ps1: sorry for typos
ps2: thx for the fast replies and help!
Let me give you a real-life example. My current customer has a very complex and highly secure multi-tiered network. The Internet is not directly accessible from any end-user network tier. Internet access is by proxy server only, with explicit approval granted to individuals, not to all employees. Authentication is required for access, and the access is by monitored URL only, and many URLs are blocked due to key words within them, not just domain names. (Good luck trying to read an article about eBay's business practices or technology choices, for example. The four letters ...ebay.. -anywhere- within a URL cause it to be blocked.)
Can I get around this very strict infrastructure? Absolutely. Will I? No. I'd like to keep my customer.
|
||||
Quote:
Quote:
|
|
|||
Ok. I thought OpenBSD would work as a forwarding DNS server automatically and answer DNS requests itself by first looking in the file and then bind, but this is not the fact then.
So if I wanted to make it act as DNS, all clients should have it as their (only) DNS. To do this I thought I had to enable DHCP too. So then I should add NAT too. Then if opendns were the DNS server I could add rapidshare.com to its hosts file and the problem would be 'solved' (ok, workarounds are always possible). I would also add all 'current' (and for our DNS servers) rapidshare IPs to a blocked list, as well as all other DNS servers (other than OpenBSD). The 'only' way then to access rapidshare would be through another IP (which I don't know), or a proxy? If I don't make OpenBSD the DNS server then I can only add the 21 current rapidshare IPs to a blocking rule and all other DNS servers than the 2 provided by the ISP. Correct?

OpenBSD, configured as a router, will forward IP packets without inspection. If you enable PF, only the link layer is inspected (IP addresses, protocol, port, flags...), not the internal packet payloads. A DNS resolution request sent over a network must be handled by a DNS server. By convention (and RFC), these are sent either via UDP or TCP protocols, using destination port # 53. However, I can tunnel them another way, if you block external DNS traffic.

Once more -- you could hunt down and block every single IP address that is actually used by Rapidshare, and set up your own DNS servers with false addresses, but you will not stop anyone from using Rapidshare who actually wants to, and is willing to spend five minutes with Google. Examples of only a few of the many technologies that could be used to defeat your "security theater" depending on its eventual configuration: SSH (The list is effectively endless. Some can be used in combination with others, or, be used by themselves.)
Last edited by jggimi; 13th January 2010 at 07:01 PM.
Security Theater: http://en.wikipedia.org/wiki/Security_theater
I was not saying that enabling DHCP/NAT was adding any security to the network.
I was just saying that was what I had to do to enable OpenBSD to be the DNS server, to add 'security' (block rapidshare). If this won't work, what else do you suggest? Someone else told me to install a proxy like squidguard... http://forums.bsdnexus.com/viewtopic.php?id=37 but it seems like I can't add any IP to the blockings, so people here could just enter the rapidshare IP (which I doubt they would even do, hence their low computer knowledge).

IMHO you or your company, whatever, have a management problem which you are trying to solve with technical means.
BTW by using DHCP you can tell the hosts which DNS server to use. If you configure a DNS server which returns 127.0.0.1 addresses for rapidshare.com, and your DHCP server hands out this nameserver's IP address to the DHCP clients, you will have reached your initial goal. Rather easy to circumvent for smart folks, but difficult for not-so-smart folks. Get a book like Craig Hunt's "TCP/IP Network Administration" and you can configure such a nameserver within an hour or so.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
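Putting the nameserver approach from this post together with jggimi's earlier caveats (a bare hostname covers neither rsdb.rapidshare.com nor clients that pick their own resolver), here is an added example script, not code from any poster: it generates a BIND sinkhole zone per domain plus the pf.conf lines (OpenBSD 4.6 rdr syntax) that keep LAN clients on the local resolver. It assumes the topology given in the thread (OpenBSD internal interface 192.168.1.1, clients in 192.168.1.0/24), the poster's $if_internal macro, and OpenBSD's chrooted named layout under /var/named.

```shell
# Added example, not from the thread. Assumed: internal interface 192.168.1.1,
# clients in 192.168.1.0/24, $if_internal as used by the poster, and OpenBSD's
# chrooted BIND layout (/var/named/etc/named.conf, /var/named/master/).
# The wildcard record catches rsdb.rapidshare.com and friends, which an
# /etc/hosts entry or a hostname inside a pf rule would not.

RESOLVER=192.168.1.1
LAN=192.168.1.0/24
SINK=127.0.0.1

# Zone file: every name under $1 resolves to $SINK.
gen_zone() {
    cat <<EOF
\$TTL 3600
@    IN SOA ns.$1. hostmaster.$1. ( 1 3600 900 604800 3600 )
     IN NS  ns.$1.
ns   IN A   $SINK
@    IN A   $SINK
*    IN A   $SINK
EOF
}

# named.conf stanza making this server authoritative for $1, so the real
# rapidshare.com nameservers are never asked.
gen_named_conf() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "master/sinkhole-%s";\n};\n' "$1" "$1"
}

# pf.conf lines: any DNS query from the LAN, whatever server it was aimed at,
# is redirected to the local resolver and then passed. The resolver's own
# upstream queries leave via the external interface and are not affected.
gen_pf_rules() {
    cat <<EOF
rdr on \$if_internal inet proto { tcp, udp } from $LAN to any port 53 -> $RESOLVER port 53
pass in on \$if_internal inet proto { tcp, udp } from $LAN to $RESOLVER port 53
EOF
}

# Write the zone files, append the stanzas, print the pf lines to paste in.
# Usage: sh sinkhole.sh rapidshare.com [more.domains ...]
install_sinkhole() {
    for d in "$@"; do
        gen_zone "$d" > "/var/named/master/sinkhole-$d"
        gen_named_conf "$d" >> /var/named/etc/named.conf
    done
    gen_pf_rules
}

if [ "$#" -gt 0 ]; then install_sinkhole "$@"; fi
```

With dhcpd handing out `option domain-name-servers 192.168.1.1;` the redirect only matters for clients that set a resolver by hand.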
|
|||
well.. i'm an ICT student @ university of hasselt. i'm in a house with 60 students, 1 internet connection.. i'm the only one studying ict..
so 'security' is not really needed, I just want to block rapidshare so everyone can enjoy internet what you said is what I wanted to do: openbsd = dhcp + dns, returns 127.0.0.1 for rapidshare. also blocking all ips from rps (when i use nslookup rapidshare.com here, everyone uses same dns server) i even doubt anyone here knowing what dns means.. in the case that openbsd = dhcp + dns i should also enable NAT imo. |