Re: Firewall rules to block unwanted protocols on given ports

2011-03-19 Thread Alexander Schrijver
On Sat, Mar 19, 2011 at 06:05:49AM -0700, johhny_at_poland77 wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to 
> achieve this?:
> 
> I only want to allow these connections [on the output chain]:
> 
> on port 53 output only allow udp - dns
> on port 80 output only allow tcp - http
> on port 443 output only allow tcp - https
> on port 993 output only allow tcp - imaps
> on port 465 output only allow tcp - smtps
> on port 22 output only allow tcp - ssh
> on port 20-21 output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194 output only allow udp - OpenVPN
> 
> So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS is 
> allowed on port 443 outbound.
> 
> Any ideas? :\

Your question is very ambiguous. On which layer do you want to do the filtering?



Re: Firewall rules to block unwanted protocols on given ports

2011-03-19 Thread Michael H Lambert
On 19 Mar 2011, at 09:05, johhny_at_poland77 wrote:

> Does somebody have an idea what kind of iptables/pf rule I must use to
> achieve this?:
>
> I only want to allow these connections [on the output chain]:
>
> on port 53 output only allow udp - dns

TCP also needs to be allowed for DNS (to allow for large DNSSEC packets).

Michael



Re: Firewall rules to block unwanted protocols on given ports

2011-03-19 Thread Joachim Schipper
On Sat, Mar 19, 2011 at 06:05:49AM -0700, johhny_at_poland77 wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to 
> achieve this?:
> 
> I only want to allow these connections [on the output chain]:
> 
> on port 53 output only allow udp - dns
> on port 80 output only allow tcp - http
> on port 443 output only allow tcp - https
> on port 993 output only allow tcp - imaps
> on port 465 output only allow tcp - smtps
> on port 22 output only allow tcp - ssh
> on port 20-21 output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194 output only allow udp - OpenVPN
> 
> So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS is 
> allowed on port 443 outbound.

You can't do that with pf, since it doesn't look at the content of
packets. For some of these protocols, you can easily send traffic to a
proxy on the firewall machine; this can, for instance, be used to make
sure that everything going over port 80 is HTTP. See ftp-proxy(8). I
know of no such solution for imaps, though.

If you're just worried about people running BitTorrent/Skype, install
something like net/snort or net/bro and send angry mail to everyone who
shows up in the logs.

On the other hand, if you believe that restricting traffic to specific
protocols makes it impossible to get arbitrary data out of your network,
look at e.g. net/iodine (tunnel IPv4 over DNS).

Joachim

-- 
PotD: net/powerdns,-ldap - ldap module for powerdns
http://www.joachimschipper.nl/



Re: Firewall rules to block unwanted protocols on given ports

2011-03-19 Thread Bret Lambert
On Sat, Mar 19, 2011 at 2:05 PM, johhny_at_poland77 wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to 
> achieve this?:
>
> I only want to allow these connections [on the output chain]:
>
> on port 53 output only allow udp - dns
> on port 80 output only allow tcp - http
> on port 443 output only allow tcp - https
> on port 993 output only allow tcp - imaps
> on port 465 output only allow tcp - smtps
> on port 22 output only allow tcp - ssh
> on port 20-21 output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194 output only allow udp - OpenVPN
>
> So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS is 
> allowed on port 443 outbound.
>
> Any ideas? :\
>
>

Yes, write some sort of traffic-classification daemon that uses divert
sockets to pass/deny traffic based on what that traffic is. I will
personally check it in to the ports system once you are done and it
has undergone a complete audit.



Re: Firewall rules to block unwanted protocols on given ports

2011-03-19 Thread Christiano F. Haesbaert
On 19 March 2011 10:22, Christiano F. Haesbaert wrote:
> On 19 March 2011 10:05, johhny_at_poland77 wrote:
>> Does somebody have an idea what kind of iptables/pf rule I must use to 
>> achieve this?:
>>
>
iptables is a Linux thingy, so it is out of the equation.
>
>> I only want to allow these connections [on the output chain]:
>>
>> on port 53 output only allow udp - dns
>> on port 80 output only allow tcp - http
>> on port 443 output only allow tcp - https
>> on port 993 output only allow tcp - imaps
>> on port 465 output only allow tcp - smtps
>> on port 22 output only allow tcp - ssh
>> on port 20-21 output only allow tcp - ftp
>> on port 989-990 output only allow tcp - ftps
>> on port 1194 output only allow udp - OpenVPN
>>
>> So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS is 
>> allowed on port 443 outbound.
>>
>> Any ideas? :\
>>
>
To my knowledge pf doesn't do layer 7 filtering, and from what I've
heard that is not a wanted feature, but pf hackers might know it
better.



Re: Firewall rules to block unwanted protocols on given ports

2011-03-19 Thread Otto Moerbeek
On Sat, Mar 19, 2011 at 06:05:49AM -0700, johhny_at_poland77 wrote:

> Does somebody have an idea what kind of iptables/pf rule I must use to 
> achieve this?:
> 
> I only want to allow these connections [on the output chain]:
> 
> on port 53 output only allow udp - dns
> on port 80 output only allow tcp - http
> on port 443 output only allow tcp - https
> on port 993 output only allow tcp - imaps
> on port 465 output only allow tcp - smtps
> on port 22 output only allow tcp - ssh
> on port 20-21 output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194 output only allow udp - OpenVPN
> 
> So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS is 
> allowed on port 443 outbound.
> 
> Any ideas? :\

Yes. Read pf.conf(4):

"pf(4) has the ability to block, pass, and match packets based on
attributes of their layer 3 and layer 4 headers."

That sentence contains the answer.

-Otto
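What the replies above amount to is that pf can implement the port/protocol half of the question (layer 3 and 4 headers) but not the "only HTTPS on 443" half. The ruleset below is an added example written for this thread, not something posted by any of the participants; it assumes OpenBSD pf syntax from 4.7 onward, an outbound interface named em0, and a default-deny egress policy with logging. It also folds in Michael's point that DNS needs TCP as well as UDP.

```pf
# Added example (not from the thread): host egress policy in pf.conf syntax.
# Interface name and the default-deny choice are assumptions for illustration.
ext_if = "em0"

# Ports from the original question, grouped by transport protocol.
tcp_ports = "{ 22 80 443 465 993 }"
udp_ports = "{ 1194 }"

set skip on lo

# Default deny, logged: anything not passed below shows up in pflog(4),
# which is how you find out what is trying to leave the box.
block log all

# DNS: TCP as well as UDP, so large (DNSSEC) answers still work.
pass out quick on $ext_if proto { tcp udp } to any port 53

# Plain TCP services: ssh, http, https, smtps, imaps (state is kept by default).
pass out quick on $ext_if proto tcp to any port $tcp_ports

# FTP and FTPS port ranges (pf range syntax is low:high).
pass out quick on $ext_if proto tcp to any port 20:21
pass out quick on $ext_if proto tcp to any port 989:990

# OpenVPN over UDP only. Note that OpenVPN over TCP to port 443 is still
# passed by the https rule above: pf matches headers, not payload, which is
# exactly the limitation the replies describe.
pass out quick on $ext_if proto udp to any port $udp_ports
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Because `block log all` also drops inbound traffic, add `pass in` rules for whatever services the host itself offers. For the FTP control channel, Joachim's suggestion of ftp-proxy(8) can be layered on top of this ruleset so that traffic on port 21 is at least handled by something that speaks FTP.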