Re: pf blocking nets in a way like *.google.com ?
Nick Holland wrote:
> I've been a fan of DNS mangling to deal with this problem for some time. Technically, it is a horribly flawed system. Practically, it works, and works very easily. More: http://www.holland-consulting.net/tech/imblock.html

And if you use BIND, see here:
http://www.deer-run.com/~hal/sysadmin/dns-advert.html
http://www.bleedingsnort.com/blackhole-dns/
Re: pf blocking nets in a way like *.google.com ?
On Sat, 22 Apr 2006 11:09:29 +0100, Craig Skinner wrote:
> Nick Holland wrote:
> > I've been a fan of DNS mangling to deal with this problem for some time. Technically, it is a horribly flawed system. Practically, it works, and works very easily. More: http://www.holland-consulting.net/tech/imblock.html
>
> And if you use BIND, see here:
> http://www.deer-run.com/~hal/sysadmin/dns-advert.html
> http://www.bleedingsnort.com/blackhole-dns/

Even easier: Use dnsspoof from the dsniff package. It will even run on a firewall and do the trick on $int_if traffic.

There's always a catch though: One time I had trouble trying to browse www.linksys.com - with good reason, the wild-card file list had something like *.link*.com in it.

It is a really neat way of doing a few other things though. It can act like a master hosts file and serve up local resolutions for RFC1918 hosts on your LAN, which saves doing a split BIND setup when you just run the default caching-only setup. It will also handle resolving www.example.com (where that is your domain webserver) by serving up 192.168.x.y for a machine that has that as its LAN IP and which the public reaches with rdr rules in pf.conf. 'Tain't perfect but it is really easy to do.

From the land down under: Australia. Do we look umop apisdn from up over?
Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
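The *.link*.com catch above is the usual failure of a wildcard spoof list: a pattern written for one site quietly swallows an unrelated one. The script below, an added example that is not code from dsniff or from anyone in this thread, checks a candidate wildcard list against a list of names that must keep resolving before it writes the hosts(5)-style "address name" lines such a list is made of. It assumes shell-style glob matching (Python's fnmatch); the patterns, hostnames and sink address are constructed for the demonstration.

```python
"""Sanity-check a dnsspoof-style wildcard list before deploying it.

Added example; not code from dsniff or from anyone in this thread.
Assumptions: patterns use shell-style globs (Python's fnmatch), and the
output is hosts(5)-style 'address<TAB>name' lines; the sink address and
the hostnames below are constructed for the demo."""
import fnmatch
from typing import Dict, Iterable, List

# Constructed wildcard list. The second entry reproduces the over-broad
# pattern described in the thread, which also swallows www.linksys.com.
BLOCK_PATTERNS = ["*.example-im.net", "*.link*.com"]

# Constructed names that must keep resolving normally.
MUST_RESOLVE = ["www.linksys.com", "www.openbsd.org", "mail.example.org"]


def check_wildcards(patterns: Iterable[str], must_resolve: Iterable[str]) -> Dict[str, List[str]]:
    """Map each pattern to the protected names it would (wrongly) capture."""
    hits: Dict[str, List[str]] = {}
    for pat in patterns:
        caught = [n for n in must_resolve if fnmatch.fnmatchcase(n.lower(), pat.lower())]
        if caught:
            hits[pat] = caught
    return hits


def render_hosts_file(patterns: Iterable[str], sink: str) -> str:
    """hosts(5)-style lines pointing every pattern at the sink address."""
    return "".join(f"{sink}\t{pat}\n" for pat in patterns)


def main() -> None:
    hits = check_wildcards(BLOCK_PATTERNS, MUST_RESOLVE)
    for pat, names in hits.items():
        print(f"REFUSING pattern {pat}: would also capture {', '.join(names)}")
    safe = [p for p in BLOCK_PATTERNS if p not in hits]
    # Only the patterns that passed the check make it into the file.
    print(render_hosts_file(safe, "127.0.0.1"), end="")


if __name__ == "__main__":
    main()
```

Run as-is, the script refuses `*.link*.com` because it captures www.linksys.com and emits only the `*.example-im.net` line. The protected-name list is the important part: it should contain every vendor, update and intranet hostname the LAN actually depends on, since the check can only catch collisions with names it knows about.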
Re: pf blocking nets in a way like *.google.com ?
[EMAIL PROTECTED] wrote:
> That doesn't mean I can use *.google.com but I would be able to use www.google.com if I understood the FAQ and the manual correctly. Because I may not be able to know every hostname in a foreign network a joker would be a neat solution. Is it maybe planned to add any joker to PF so that such stuff would be possible in the future if it isn't already possible?

Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)? Maybe you could use a script to update a table in pf using whois and grep for the CIDR/Netrange in the reply.

Greets, Falk
Re: pf blocking nets in a way like *.google.com ?
On Friday 21 April 2006 17:52, Falk Husemann wrote:
> Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?

Because there's nothing that says that every *.google.com site has to be within a block allocated to Google.

---
Lars Hansson
Re: pf blocking nets in a way like *.google.com ?
Lars Hansson wrote:
> > Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?
>
> Because there's nothing that says that every *.google.com site has to be within a block allocated to Google.

Duh. The obvious solution is to have pf make a DNS lookup on each and every packet that arrives.

Moritz
Re: pf blocking nets in a way like *.google.com ?
On 21/04/06, Moritz Grimm [EMAIL PROTECTED] wrote:
> Lars Hansson wrote:
> > > Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?
> >
> > Because there's nothing that says that every *.google.com site has to be within a block allocated to Google.
>
> Duh. The obvious solution is to have pf make a DNS lookup on each and every packet that arrives.

Good stuff, disarm the subject with humour.

/Tony
Re: pf blocking nets in a way like *.google.com ?
What do the client systems run? If they are on a Windows 2000/2003 domain, use a GPO and block them as untrusted. Just a thought, because what you want is done above PF.

James

----- Original Message -----
From: tony sarendal [EMAIL PROTECTED]
To: misc misc@openbsd.org
Sent: Friday, April 21, 2006 7:46 AM
Subject: Re: pf blocking nets in a way like *.google.com ?

> On 21/04/06, Moritz Grimm [EMAIL PROTECTED] wrote:
> > Lars Hansson wrote:
> > > > Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?
> > >
> > > Because there's nothing that says that every *.google.com site has to be within a block allocated to Google.
> >
> > Duh. The obvious solution is to have pf make a DNS lookup on each and every packet that arrives.
>
> Good stuff, disarm the subject with humour.
>
> /Tony
Re: pf blocking nets in a way like *.google.com ?
Falk Husemann wrote:
> [EMAIL PROTECTED] wrote:
> > That doesn't mean I can use *.google.com but I would be able to use www.google.com if I understood the FAQ and the manual correctly. Because I may not be able to know every hostname in a foreign network a joker would be a neat solution. Is it maybe planned to add any joker to PF so that such stuff would be possible in the future if it isn't already possible?
>
> Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?

It is feasible to block any numeric network block. What isn't feasible is to look at a DNS name and think that you can come up with simple PF rules that will block it.

> Maybe you could use a script to update a table in pf using whois and grep for the CIDR/Netrange in the reply.

Maybe you could for your application. However, this is not a generic solution at all.

Here's an example: at the office I work at, we used to have a firewall which claimed to block by DNS name, just as is being discussed. What it really did is exactly what you propose: periodically, it would do some DNS queries, populate a table, and block those IP addresses. It was decided that our users should not have access to webmail from our offices, so mail.google.com was blocked, but www.google.com was OK.

Here's what happened (warning: vast oversimplifications here!): A DNS query for mail.google.com returned a set of IP addresses. A small subset of the actual addresses that served mail.google.com. That's the way DNS can work: if there are five hundred machines that respond to a particular name, a single DNS query might return eight. Or one. Whatever. What this firewall didn't know is that the mail.google.com machines were the EXACT same machines as www.google.com. So, the result of the block was, uh... entertaining. Two people in the same department with the same network privileges would try to go to Google, and one would get what they expected, the one next to them would get the "This site is blocked!" page.

If I had thought to look for it, we'd have seen the same behavior for people trying to get to gmail -- some would be blocked, most would get through. Took a while to debug that one, as I really never figured someone would put such a clearly flawed feature in a commercial firewall product. :) (silly me, work with OpenBSD too long, you forget to think about buzzword compliance and management pressures to "do something!", no matter how idiotic.)

Today, many big sites use world-wide distributed front-end services like Akamai. Many of them use the SAME world-wide distributed front-end service -- so what you do by IP address (for example) to google.com might impact microsoft.com and apple.com, which is probably not what you intend. PF can easily block every single address of every single Akamai server, but that won't necessarily do what you want.

I've been a fan of DNS mangling to deal with this problem for some time. Technically, it is a horribly flawed system. Practically, it works, and works very easily. More: http://www.holland-consulting.net/tech/imblock.html

Nick.
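Falk's idea of a script that keeps a pf table current, and Nick's story of what goes wrong when the blocked name and an allowed name share machines, both come down to the same missing check: before loading name-derived addresses into a table, resolve the allowed names too and refuse any address that appears on both sides. The script below, an added example and not code from this thread, from OpenBSD or from the firewall Nick describes, does exactly that and then builds the pfctl(8) `-T replace` line that would load the result. It assumes a resolver callback; the FAKE_DNS answers and the RFC 5737 addresses are constructed so it runs offline, with a real getaddrinfo-based resolver included for actual use.

```python
"""Resolve name-based block/allow lists into a pf table, refusing any
address that serves both sides.

Added example; not code from the thread, from OpenBSD or from the firewall
Nick describes. It assumes a resolver callback; the FAKE_DNS answers and
the RFC 5737 addresses are constructed so the example runs offline."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

Resolver = Callable[[str], List[str]]

# Constructed answers mirroring the situation in the thread: the webmail
# name and the front page share a machine (192.0.2.11).
FAKE_DNS: Dict[str, List[str]] = {
    "mail.example.com": ["192.0.2.10", "192.0.2.11"],
    "www.example.com": ["192.0.2.11", "192.0.2.12"],
    "ads.example.net": ["198.51.100.5"],
}


def fake_resolve(name: str) -> List[str]:
    """Offline stand-in for DNS, backed by the constructed table above."""
    return list(FAKE_DNS.get(name, []))


def system_resolve(name: str) -> List[str]:
    """Real lookup. It returns only the answers handed back on this one
    query, which, as the thread points out, may be a small subset."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def _addr_key(addr: str):
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))


def _resolve_all(names: Iterable[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """address -> set of names that resolved to it (addresses normalised)."""
    out: Dict[str, Set[str]] = {}
    for name in names:
        for addr in resolve(name):
            out.setdefault(str(ipaddress.ip_address(addr)), set()).add(name)
    return out


def plan_block_table(blocked: Iterable[str], allowed: Iterable[str],
                     resolve: Resolver = fake_resolve) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (addresses safe to block, collisions).

    A collision is an address that also serves an allowed name; blocking it
    would break the allowed site for whichever users resolve to it."""
    block_map = _resolve_all(blocked, resolve)
    allow_map = _resolve_all(allowed, resolve)
    collisions = {a: sorted(block_map[a] | allow_map[a])
                  for a in block_map if a in allow_map}
    safe = sorted((a for a in block_map if a not in allow_map), key=_addr_key)
    return safe, collisions


def pfctl_replace_command(table: str, addresses: Iterable[str]) -> str:
    """pfctl(8) line that atomically replaces the table's contents."""
    return "pfctl -t {} -T replace {}".format(table, " ".join(addresses))


def main() -> None:
    safe, collisions = plan_block_table(["mail.example.com"], ["www.example.com"])
    for addr, names in collisions.items():
        print(f"skipping {addr}: shared by {', '.join(names)}")
    if safe:
        print(pfctl_replace_command("webmail_block", safe))


if __name__ == "__main__":
    main()
```

With the constructed answers the script drops 192.0.2.11 because both names resolve to it and loads only 192.0.2.10. The check is only as good as the answers it saw: a single query returns whatever subset the resolver hands back, so a shared address that was not in this round's answers still gets through, which is the flaw Nick describes and the reason he prefers doing this at the DNS layer instead.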
pf blocking nets in a way like *.google.com ?
Is there any way to block networks by using a joker in the hostname? Let's take Google as an example. Google has many different networks and such foo. I found no way to block them all (during reading the PF manpage) using something simple like *.google.com/de/foo. Is there any way to do this, because the IPsec framework can handle hostnames without problems?

Copy/paste from the PF FAQ:

  src_addr, dst_addr
    The source/destination address in the IP header. Addresses can be specified as:
    + A single IPv4 or IPv6 address.
    + A CIDR network block.
    + A fully qualified domain name that will be resolved via DNS when the ruleset is loaded. All resulting IP addresses will be substituted into the rule.
    + The name of a network interface. Any IP addresses assigned to the interface will be substituted into the rule.
    + The name of a network interface followed by /netmask (i.e., /24). Each IP address on the interface is combined with the netmask to form a CIDR network block which is substituted into the rule.
    + The name of a network interface in parentheses ( ). This tells PF to update the rule if the IP address(es) on the named interface change. This is useful on an interface that gets its IP address via DHCP or dial-up as the ruleset doesn't have to be reloaded each time the address changes.
    + The name of a network interface followed by any one of these modifiers:
      o :network - substitutes the CIDR network block (e.g., 192.168.0.0/24)
      o :broadcast - substitutes the network broadcast address (e.g., 192.168.0.255)
      o :peer - substitutes the peer's IP address on a point-to-point link
      In addition, the :0 modifier can be appended to either an interface name or to any of the above modifiers to indicate that PF should not include aliased IP addresses in the substitution. These modifiers can also be used when the interface is contained in parentheses. Example: fxp0:network:0
    + A table.
    + Any of the above but negated using the ! (not) modifier.
    + A set of addresses using a list.
    + The keyword any meaning all addresses
    + The keyword all which is short for from any to any.

That doesn't mean I can use *.google.com but I would be able to use www.google.com if I understood the FAQ and the manual correctly. Because I may not be able to know every hostname in a foreign network a joker would be a neat solution. Is it maybe planned to add any joker to PF so that such stuff would be possible in the future if it isn't already possible?

Kind regards, Sebastian
Re: pf blocking nets in a way like *.google.com ?
On Fri, 2006-04-21 at 01:52:19 +0200, [EMAIL PROTECTED] proclaimed...
> Is there any way to block networks by using a joker in the hostname? Let's take Google as an example. Google has many different networks and such foo. I found no way to block them all (during reading the PF manpage) using something simple like *.google.com/de/foo. Is there any way to do this, because the IPsec framework can handle hostnames without problems?

If you're talking HTTP/FTP traffic, try using an application proxy such as squid.
Re: pf blocking nets in a way like *.google.com ?
On Fri, 21 Apr 2006, [EMAIL PROTECTED] wrote:
> Is it maybe planned to add any joker to PF so that such stuff would be possible in the future if it isn't already possible?

think about why this is undesirable and practically impossible for five minutes. (hint: you are confusing DNS names and network addresses, and making incorrect assumptions about how both DNS and pf work).

-d
Re: pf blocking nets in a way like *.google.com ?
On 4/21/06, Damien Miller [EMAIL PROTECTED] wrote:
> On Fri, 21 Apr 2006, [EMAIL PROTECTED] wrote:
> > Is it maybe planned to add any joker to PF so that such stuff would be possible in the future if it isn't already possible?
>
> think about why this is undesirable and practically impossible for five minutes. (hint: you are confusing DNS names and network addresses, and making incorrect assumptions about how both DNS and pf work).

Well what if *.site.domain meant "find all IP addresses mapped to this domain and use them for the list"? I'm probably missing something, but I can't think what the problem is.

-Nick
Re: pf blocking nets in a way like *.google.com ?
> > think about why this is undesirable and practically impossible for five minutes. (hint: you are confusing DNS names and network addresses, and making incorrect assumptions about how both DNS and pf work).
>
> Well what if *.site.domain meant "find all IP addresses mapped to this domain and use them for the list"? I'm probably missing something, but I can't think what the problem is.

Right, and then something in that net changes, and you are blocking something else, and you then look really stupid.

We won't build anything so utterly ridiculous.
Re: pf blocking nets in a way like *.google.com ?
On 4/21/06, Theo de Raadt [EMAIL PROTECTED] wrote:
> > > think about why this is undesirable and practically impossible for five minutes. (hint: you are confusing DNS names and network addresses, and making incorrect assumptions about how both DNS and pf work).
> >
> > Well what if *.site.domain meant "find all IP addresses mapped to this domain and use them for the list"? I'm probably missing something, but I can't think what the problem is.
>
> Right, and then something in that net changes, and you are blocking something else, and you then look really stupid.
>
> We won't build anything so utterly ridiculous.

You're only blocking it until the next DNS update. Anyway, I'm not trying to argue the merits of doing it, just trying to understand why you couldn't.
Re: pf blocking nets in a way like *.google.com ?
On 4/21/06, Nick Guenther [EMAIL PROTECTED] wrote:
> You're only blocking it until the next DNS update. Anyway, I'm not trying to argue the merits of doing it, just trying to understand why you couldn't.

Ah, well four replies later and I'm wiser. I assumed DNS had a way to ask for all the subdomains of a given domain since that seems like a natural sort of task for the system. Anyway, sorry for the noise, tail between the legs, etc etc.