From: Cy Schubert
To: George Mitchell
Cc: ml@ft-c.de, stable@FreeBSD.org
Subject: Re: ipfilter block an vhost name
Date: Wed, 14 Jun 2023 21:02:26 -0700
Message-ID: <20230614210226.6f0fc0a6@slippy>
References: <4cb819068e68768a8ad32f558b2225464a823dba.camel@ft-c.de>
Organization: KOMQUATS
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On Tue, 13 Jun 2023 16:17:52 -0400 George Mitchell wrote:
> On 6/13/23 16:01, ft wrote:
> > Hello
> >
> > Is it possible to block all in and/or out packets from a URL,
> > with no logging, on any ports (or http and https)?
> >
> > It seems it is a vhost; the IP has more URLs.
> >
> > my example:
> > block in from "brigitte.de" to any
> > block out from "brigitte.de" to any
> >
> > Franz
> >
> At the packet filtering level, all ipfilter has to go on are the
> source and destination IP addresses in the packet itself. So even
> if 'block in from "brigitte.de" to any' is syntactically acceptable
> in your rule set (I believe it is not), it's still blocking on the
> IP address to which the name resolves, not on the name. -- George

All packet filters -- ipfilter, ipfw, pf, npf, iptables, firewalld (iptables repackaged) -- inspect IP, TCP, UDP, and other protocol headers. They cannot inspect packet payload (the data).

In the commercial world (like we use at $JOB) we have IPS (intrusion prevention devices), IDS (intrusion detection devices), API gateways (which inspect http data streams (payload)), and other devices to inspect packet contents as the OP suggested. A good example of this is the Broadcom Layer7 API gateway (https://www.broadcom.com/products/software/api-management/layer7-api-gateways). Broadcom calls it an XML firewall -- they use the term firewall loosely.

In the Open Source world one can install mod_security2, ModSecurity, and other application inspection tools -- some of which call themselves web application firewalls (again, they're not firewalls in the strictest sense). Some application "firewalls" are built on top of a packet filter with an application filter (many written in Java) on top of it. One could build their own XML firewall on top of FreeBSD (with ipfilter, ipfw, or pf) using an API gateway (XML firewall) such as kong (https://github.com/Kong/kong).

And as suggested before, if you're trying to protect http services, mod_security may work as a layer 7 (OSI model layer 7) firewall for you.
Interestingly the Broadcom product, formerly CA, formerly Layer 7, a Vancouver, BC, Canada company, named their product Layer 7 for this very reason.

Long story short, if you look at the OSI model, the network interface is at layer 1 of the OSI model. The MAC layer (ethernet) is at layer 2. IP is layer 3; TCP and UDP are at the transport layer, or layer 4. NFS, SQL, SMB, RPC, etc., are at the session layer, layer 5. Your compression and encryption protocols are at the presentation layer (layer 6). And finally http and other applications are at layer 7.

ipfilter, pf, and ipfw work at layers 3 and 4, though pf can also filter at layer 2. You will need some kind of additional software to filter at layer 7.

Hope this explanation helps.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e^(i*pi)+1=0
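An added example (not from the thread or from any of the tools named in it) that models the distinction George and Cy describe: the packet filter's view of an HTTP request contains only addresses, protocol and ports, so a rule written against a name can only ever act on the address the name resolves to and therefore hits every vhost on that address, whereas a layer-7 filter can read the HTTP Host header. The addresses and the second vhost name (other.example) are constructed; only brigitte.de comes from the original post.

```python
import socket
import struct
from typing import Optional

# Constructed sample values (not from the thread, except the name brigitte.de):
SHARED_IP = "203.0.113.10"   # one address serving several vhosts
CLIENT_IP = "198.51.100.7"

def build_packet(src_ip: str, dst_ip: str, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4+TCP packet (checksums left zero; a model, not wire-valid)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def http_get(host: str) -> bytes:
    return b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n"

def layer34_view(pkt: bytes) -> dict:
    """All a packet filter (ipfilter/pf/ipfw) gets to decide on: IP and transport headers."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "sport": sport, "dport": dport}

def layer7_host(pkt: bytes) -> Optional[str]:
    """What a layer-7 filter (mod_security, an API gateway) can read: the HTTP Host header."""
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    for line in pkt[ihl + doff:].split(b"\r\n")[1:]:   # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None   # no HTTP Host header visible (e.g. not HTTP, or TLS-encrypted)

def packet_filter_blocks(blocked_ips: set, pkt: bytes) -> bool:
    """'block in/out from <name> to any' after the name has been resolved to addresses."""
    view = layer34_view(pkt)
    return view["src"] in blocked_ips or view["dst"] in blocked_ips

def l7_filter_blocks(blocked_hosts: set, pkt: bytes) -> bool:
    return layer7_host(pkt) in blocked_hosts

if __name__ == "__main__":
    blocked = {SHARED_IP}   # what "brigitte.de" resolves to in this constructed scenario
    for name in ("brigitte.de", "other.example"):
        pkt = build_packet(CLIENT_IP, SHARED_IP, 80, http_get(name))
        print(name, "L3/4 blocks:", packet_filter_blocks(blocked, pkt),
              "L7 blocks:", l7_filter_blocks({"brigitte.de"}, pkt))
```

Run stand-alone it shows the collateral effect: the address-based rule blocks both vhosts, the Host-based rule blocks only the one named.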