Re: ipfilter block an vhost name
- In reply to: George Mitchell : "Re: ipfilter block an vhost name"
Date: Thu, 15 Jun 2023 04:02:26 UTC
On Tue, 13 Jun 2023 16:17:52 -0400 George Mitchell <george+freebsd@m5p.com> wrote:
> On 6/13/23 16:01, ft wrote:
> > Hello
> >
> > Is it possible to block all in and/or out packets from a URL
> > with no logging
> > on any ports (or http and https)?
> >
> > It seems it is a vhost; the IP has more URLs.
> >
> > My example:
> > block in from "brigitte.de" to any
> > block out from "brigitte.de" to any
> >
> >
> > Franz
> >
>
> At the packet filtering level, all ipfilter has to go on are the
> source and destination IP addresses in the packet itself. So even
> if 'block in from "brigitte.de" to any' is syntactically acceptable
> in your rule set (I believe it is not), it's still blocking on the
> IP address to which the name resolves, not on the name. -- George
>

All packet filters -- ipfilter, ipfw, pf, npf, iptables, firewalld (iptables repackaged) -- inspect IP, TCP, UDP, and other protocol headers. They cannot inspect the packet payload (the data). In the commercial world (like we use at $JOB) we have IPS (intrusion prevention devices), IDS (intrusion detection devices), API gateways (which inspect HTTP data streams, i.e. the payload), and other devices that inspect packet contents, as the OP suggested. A good example of this is the Broadcom Layer7 API gateway (https://www.broadcom.com/products/software/api-management/layer7-api-gateways). Broadcom calls it an XML firewall -- they use the term firewall loosely. In the Open Source world one can install mod_security2, ModSecurity, and other application inspection tools -- some of which call themselves web application firewalls (again, they're not firewalls in the strictest sense). Some application "firewalls" are built on top of a packet filter with an application filter (many written in Java) on top of it. One could build their own XML firewall on top of FreeBSD (with ipfilter, ipfw, or pf) using an API gateway (XML firewall) such as kong (https://github.com/Kong/kong).
And as suggested before, if you're trying to protect http services, mod_security may work as a layer 7 (OSI model layer 7) firewall for you. Interestingly, the Broadcom product, formerly CA, formerly Layer 7, a Vancouver, BC, Canada company, named their product Layer 7 for this very reason.

Long story short, if you look at the OSI model, the network interface is at layer 1. The MAC layer (ethernet) is at layer 2. IP is layer 3; TCP and UDP are at the transport layer, layer 4. NFS, SQL, SMB, RPC, etc., are at the session layer (layer 5). Your compression and encryption protocols are at the presentation layer (layer 6). And finally http and other applications are at layer 7. ipfilter, pf, and ipfw work at layers 3 and 4, though pf can also filter at layer 2. You will need some kind of additional software to filter at layer 7.

Hope this explanation helps.

--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

e^(i*pi)+1=0
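The point made in the thread, that a packet filter only ever sees the 5-tuple while the vhost name lives in the payload, can be shown concretely. The following is an added example, not code from the thread or from ipfilter, ModSecurity, or any other project named above. It constructs two kinds of traffic a layer 7 filter would have to parse to block "brigitte.de" (a plaintext HTTP request with a Host header, and a TLS ClientHello carrying an SNI extension), extracts the name from each, and returns a verdict. The sample bytes, the block list, and the IP addresses (RFC 5737 documentation ranges) are all constructed for the example; nothing here is a real capture.

```python
"""
Added example: why an L3/L4 packet filter cannot block a vhost by name,
and what a layer-7 filter has to look at instead.

ipfilter/pf/ipfw match on headers only: (proto, src ip, src port, dst ip,
dst port).  Two vhosts on one IP give the same 5-tuple.  The name is in
the payload: the HTTP Host header (plaintext) or the TLS SNI extension in
the ClientHello (first bytes of an HTTPS connection).
"""
import struct

BLOCKED_NAMES = {"brigitte.de"}  # constructed block list, after the OP's example


def five_tuple(src, sport, dst, dport, proto="tcp"):
    """Everything an L3/L4 filter can match on.  No vhost name in here."""
    return (proto, src, sport, dst, dport)


def http_host(payload: bytes):
    """Return the Host header of a plaintext HTTP/1.x request (lowercased,
    port stripped), or None if the bytes are not an HTTP request."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:          # expect "METHOD SP URI SP VERSION"
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            return host.split(":", 1)[0].lower()
    return None


def tls_sni(payload: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None.
    Walks: record header -> handshake header -> version/random/session id/
    cipher suites/compression -> extensions -> server_name (type 0)."""
    try:
        if len(payload) < 5 or payload[0] != 0x16:          # TLS handshake record
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                    # ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                         # client_version + random
        pos += 1 + body[pos]                                 # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
        pos += 1 + body[pos]                                 # compression methods
        if pos + 2 > len(body):
            return None                                      # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:                              # not server_name
                continue
            lpos = 2                                         # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                name = edata[lpos + 3:lpos + 3 + nlen]
                if ntype == 0:                               # host_name
                    return name.decode("ascii", "replace").lower()
                lpos += 3 + nlen
        return None
    except (IndexError, struct.error):
        return None


def l7_verdict(payload: bytes, blocked=BLOCKED_NAMES):
    """'block' if the requested vhost (Host or SNI) is a listed name or a
    subdomain of one, else 'pass'.  This is the check an L3/L4 rule cannot do."""
    name = http_host(payload) or tls_sni(payload)
    if name and (name in blocked or any(name.endswith("." + b) for b in blocked)):
        return "block"
    return "pass"


# ---- constructed sample traffic (not captured from any real host) ----
def make_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello whose only extension is SNI."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type + host_name
    sni = struct.pack("!H", len(entry)) + entry                # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni           # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32                         # version, fixed "random"
            + b"\x00"                                          # empty session id
            + b"\x00\x02\xc0\x2f"                              # one cipher suite
            + b"\x01\x00"                                      # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


HTTP_REQ = b"GET / HTTP/1.1\r\nHost: www.brigitte.de\r\nUser-Agent: x\r\n\r\n"
HTTP_OTHER = b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"

if __name__ == "__main__":
    # Both vhosts on one IP: identical 5-tuple, so ipfilter cannot tell them apart.
    print(five_tuple("192.0.2.10", 40000, "198.51.100.5", 443))
    print(http_host(HTTP_REQ), l7_verdict(HTTP_REQ))
    print(tls_sni(make_client_hello("brigitte.de")), l7_verdict(make_client_hello("brigitte.de")))
    print(l7_verdict(HTTP_OTHER))
```

Two caveats a practitioner would keep in mind when building on this: a real inline filter has to reassemble the TCP stream before parsing (a ClientHello can be split across segments, and larger ones with many extensions usually are), and with TLS 1.3 Encrypted Client Hello the SNI is no longer readable in the clear, so the name-based verdict degrades to exactly the IP-only view the thread describes.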