Firewall rules to block unwanted protocols on given ports

Does somebody have an idea what kind of iptables/pf rule I must use to achieve this? I only want to allow these connections [on the output chain]:

on port 53 output only allow udp - dns
on port 80 output only allow tcp - http
on port 443 output only allow tcp - https
on port 993 output only allow tcp - imaps
on port 465 output only allow tcp - smtps
on port 22 output only allow tcp - ssh
on port 20-21 output only allow tcp - ftp
on port 989-990 output only allow tcp - ftps
on port 1194 output only allow udp - OpenVPN

So that e.g. OpenVPN on port 443 would be blocked, because only HTTPS is allowed on port 443 outbound. Any ideas? :\
Re: Firewall rules to block unwanted protocols on given ports

On Sat, Mar 19, 2011 at 06:05:49AM -0700, johhny_at_poland77 wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to
> achieve this? I only want to allow these connections [on the output chain]:
>
> on port 53 output only allow udp - dns
> on port 80 output only allow tcp - http
> on port 443 output only allow tcp - https
> on port 993 output only allow tcp - imaps
> on port 465 output only allow tcp - smtps
> on port 22 output only allow tcp - ssh
> on port 20-21 output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194 output only allow udp - OpenVPN
>
> So that e.g. OpenVPN on port 443 would be blocked, because only HTTPS is
> allowed on port 443 outbound. Any ideas? :\

Yes. Read pf.conf(4):

    pf(4) has the ability to block, pass, and match packets based on
    attributes of their layer 3 and layer 4 headers.

That sentence contains the answer.

-Otto
Re: Firewall rules to block unwanted protocols on given ports

On 19 March 2011 10:22, Christiano F. Haesbaert haesba...@haesbaert.org wrote:
> On 19 March 2011 10:05, johhny_at_poland77 johhny_at_polan...@zoho.com wrote:
>> Does somebody have an idea what kind of iptables/pf rule I must use to
>> achieve this?
>
> iptables is a Linux thingy, so it is out of the equation.
>
>> I only want to allow these connections [on the output chain]:
>>
>> on port 53 output only allow udp - dns
>> on port 80 output only allow tcp - http
>> on port 443 output only allow tcp - https
>> on port 993 output only allow tcp - imaps
>> on port 465 output only allow tcp - smtps
>> on port 22 output only allow tcp - ssh
>> on port 20-21 output only allow tcp - ftp
>> on port 989-990 output only allow tcp - ftps
>> on port 1194 output only allow udp - OpenVPN
>>
>> So that e.g. OpenVPN on port 443 would be blocked, because only HTTPS is
>> allowed on port 443 outbound. Any ideas? :\

To my knowledge pf doesn't do layer 7 filtering, and from what I've heard that is not a wanted feature, but pf hackers might know it better.
Re: Firewall rules to block unwanted protocols on given ports

On Sat, Mar 19, 2011 at 2:05 PM, johhny_at_poland77 johhny_at_polan...@zoho.com wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to
> achieve this? I only want to allow these connections [on the output chain]:
>
> on port 53 output only allow udp - dns
> on port 80 output only allow tcp - http
> on port 443 output only allow tcp - https
> on port 993 output only allow tcp - imaps
> on port 465 output only allow tcp - smtps
> on port 22 output only allow tcp - ssh
> on port 20-21 output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194 output only allow udp - OpenVPN
>
> So that e.g. OpenVPN on port 443 would be blocked, because only HTTPS is
> allowed on port 443 outbound. Any ideas? :\

Yes, write some sort of traffic-classification daemon that uses divert sockets to pass/deny traffic based on what that traffic is. I will personally check it in to the ports system once you are done and it has undergone a complete audit.
Re: Firewall rules to block unwanted protocols on given ports

On Sat, Mar 19, 2011 at 06:05:49AM -0700, johhny_at_poland77 wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to
> achieve this? I only want to allow these connections [on the output chain]:
>
> on port 53 output only allow udp - dns
> on port 80 output only allow tcp - http
> on port 443 output only allow tcp - https
> on port 993 output only allow tcp - imaps
> on port 465 output only allow tcp - smtps
> on port 22 output only allow tcp - ssh
> on port 20-21 output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194 output only allow udp - OpenVPN
>
> So that e.g. OpenVPN on port 443 would be blocked, because only HTTPS is
> allowed on port 443 outbound.

You can't do that with pf, since it doesn't look at the content of packets.

For some of these protocols, you can easily send traffic to a proxy on the firewall machine; this can, for instance, be used to make sure that everything going over port 80 is HTTP. See ftp-proxy(8). I know of no such solution for imaps, though.

If you're just worried about people running BitTorrent/Skype, install something like net/snort or net/bro and send angry mail to everyone who shows up in the logs.

On the other hand, if you believe that restricting traffic to specific protocols makes it impossible to get arbitrary data out of your network, look at e.g. net/iodine (tunnel IPv4 over DNS).

Joachim

--
PotD: net/powerdns,-ldap - ldap module for powerdns
http://www.joachimschipper.nl/
Re: Firewall rules to block unwanted protocols on given ports

On 19 Mar 2011, at 09:05, johhny_at_poland77 wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to
> achieve this? I only want to allow these connections [on the output chain]:
>
> on port 53 output only allow udp - dns

TCP also needs to be allowed for DNS (to allow for large DNSSEC packets).

Michael
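A pf.conf(5) ruleset that expresses the original post's list purely at layers 3 and 4, which is the answer Otto's reply points at, plus the TCP port 53 rule Michael raises above. This is an added example, not a ruleset posted by anyone in the thread. It assumes the policy is applied on the host that originates the connections (the poster's "output chain"), not on a gateway, and the interface name em0 is a placeholder.

```pf
# Added example ruleset for the port/protocol list in the original post.
# Assumptions not in the thread: the host is the connection originator and
# its external interface is em0.
ext_if = "em0"

tcp_ports = "{ 80 443 993 465 22 20 21 989 990 }"
udp_ports = "{ 53 1194 }"

# Options must precede filter rules. Leave loopback alone.
set skip on lo

# Default deny in both directions. 'return' sends a TCP RST / ICMP
# unreachable so local programs fail immediately instead of waiting out a
# connect timeout; 'log' records blocked packets on pflog0.
block return log all

# pf only sees IP/TCP/UDP headers: 'proto tcp to port 443' matches any TCP
# session to 443, whether the payload is TLS or OpenVPN in TCP mode.
pass out on $ext_if inet proto tcp to port $tcp_ports
pass out on $ext_if inet proto udp to port $udp_ports

# DNS also needs TCP 53: truncated answers retry over TCP and large DNSSEC
# responses will not fit in a UDP datagram.
pass out on $ext_if inet proto tcp to port 53

# No explicit 'pass in' is needed for replies: every 'pass' rule creates a
# state entry (keep state is pf's default), and reply packets that match
# an existing state are passed before the ruleset is evaluated.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the loaded rules and `pfctl -ss` the state table, and `tcpdump -n -e -ttt -i pflog0` shows what the block rule caught. Two consequences of filtering at this layer are worth verifying once the rules are in: an OpenVPN client configured with `proto tcp` and `port 443` connects through the 443 rule exactly as a browser would, and passive FTP breaks, because the data connection goes to an ephemeral server port that the list above never allows. On a gateway, ftp-proxy(8) with an `anchor "ftp-proxy/*"` rule opens those data ports per session; on a single host the choice is between that proxy and accepting that only active-mode FTP works.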
Re: Firewall rules to block unwanted protocols on given ports

On Sat, Mar 19, 2011 at 06:05:49AM -0700, johhny_at_poland77 wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to
> achieve this? I only want to allow these connections [on the output chain]:
>
> on port 53 output only allow udp - dns
> on port 80 output only allow tcp - http
> on port 443 output only allow tcp - https
> on port 993 output only allow tcp - imaps
> on port 465 output only allow tcp - smtps
> on port 22 output only allow tcp - ssh
> on port 20-21 output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194 output only allow udp - OpenVPN
>
> So that e.g. OpenVPN on port 443 would be blocked, because only HTTPS is
> allowed on port 443 outbound. Any ideas? :\

Your question is very ambiguous. On which layer do you want to do the filtering?