On Sat, Mar 19, 2011 at 06:05:49AM -0700, johhny_at_poland77 wrote:
> Does somebody have an idea what kind of iptables/pf rule I must use to
> achieve this?:
>
> I only want to allow these connections [on the output chain]:
>
> on port 53 output only allow udp - dns
> on port 80 output only allow tcp - http
> on port 443 output only allow tcp - https
> on port 993 output only allow tcp - imaps
> on port 465 output only allow tcp - smtps
> on port 22 output only allow tcp - ssh
> on port 20-21 output only allow tcp - ftp
> on port 989-990 output only allow tcp - ftps
> on port 1194 output only allow udp - OpenVPN
>
> So that e.g. OpenVPN on port 443 would be blocked, because only HTTPS is
> allowed on port 443 outbound.
You can't do that with pf, since it doesn't look at the content of packets.

For some of these protocols, you can easily send traffic to a proxy on the firewall machine; this can, for instance, be used to make sure that everything going over port 80 is HTTP. See ftp-proxy(8). I know of no such solution for imaps, though.

If you're just worried about people running BitTorrent/Skype, install something like net/snort or net/bro and send angry mail to everyone who shows up in the logs.

On the other hand, if you believe that restricting traffic to specific protocols makes it impossible to get arbitrary data out of your network, look at e.g. net/iodine (tunnel IPv4 over DNS).

Joachim

--
PotD: net/powerdns,-ldap - ldap module for powerdns
http://www.joachimschipper.nl/
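The part of the original question that pf can enforce, as an added pf.conf example that is not from either message in this thread: a stateful, default-deny egress policy for a single host that permits only the port/transport pairs listed. The interface name is an assumption; as the reply above explains, pf matches headers only, so OpenVPN sent over tcp/443 is still accepted as if it were HTTPS.

```conf
# Added example, not from the thread: host egress policy enforcing the
# port/transport pairs from the question. pf inspects IP/TCP/UDP headers
# only, so OpenVPN on tcp/443 is indistinguishable from HTTPS here.
ext_if = "wm0"                      # assumption: name of the uplink interface

# Transport-level pairs taken from the question's list
tcp_ports = "{ 20, 21, 22, 80, 443, 465, 989, 990, 993 }"
udp_ports = "{ 53, 1194 }"

set skip on lo0

# Default deny in both directions; logging the drops makes attempts such
# as tcp/1194 or udp/443 visible in pflog(4) even though payload is not.
block log all

# Outbound: only the listed port/transport combinations, stateful so the
# replies are matched to existing state instead of needing inbound rules.
pass out quick on $ext_if proto tcp from ($ext_if) to any port $tcp_ports \
    flags S/SA keep state
pass out quick on $ext_if proto udp from ($ext_if) to any port $udp_ports \
    keep state

# ICMP echo and unreachable are kept so path MTU discovery and basic
# diagnostics keep working behind the default deny.
pass out quick on $ext_if inet proto icmp icmp-type { echoreq, unreach } \
    keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and remember that passive FTP data connections use ports outside 20-21 and need the ftp-proxy(8) setup mentioned in the reply rather than this rule set alone.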