[TriLUG] OT - limiting access to destination ports
jason tower
jtower at cerient.net
Thu Apr 24 13:21:18 EDT 2008
oh, and be aware that if those rules work you may lock out ssh access
from your host
Christopher L Merrill wrote:
> So I've read some PF docs and looked at our existing pf.conf file.
>
> After these lines:
> > block in
> > pass out keep state
>
> if I add these lines (where $int_if is the internal firewall interface
> and my machine is 192.168.1.220):
>
> > pass out quick on $int_if proto tcp from 192.168.1.220 to any port 80
> > pass out quick on $int_if proto tcp from 192.168.1.220 to any port 443
> > pass out quick on $int_if proto tcp from 192.168.1.220 to any port 53
> > block out quick on $int_if proto tcp from 192.168.1.220 to any
>
> will this accomplish my goal of limiting anything on my machine (including
> flash and my browser) to only connect on ports 80/443 on the various
> web servers I visit (and allow 53 for DNS resolution)?
>
> TIA!
> Chris
>
>
> Robert Dale wrote:
>> I don't know _how_ to do this on _BSD_ - linux, yes ;) - but
>> conceptually, you create some outgoing rules like
>>
>> allow 80
>> allow 443
>> deny all
>>
>> On Wed, Apr 23, 2008 at 4:22 PM, Christopher L Merrill
>> <chris at webperformance.com> wrote:
>>> I want to block the Flash player in IE (on XP) from connecting to anything
>>> other than ports 80 and 443 on the destination servers. Note this is for
>>> testing some specific stuff - the goal is to force flash to use these ports
>>> instead of other ports for streaming video. I haven't found a way for
>>> Windows Firewall to do this. I've tried TCP/IP port-filtering - but haven't
>>> found the magic combination that blocks the videos but allows the browser
>>> to operate.
>>>
>>> At my disposal, we have a BSD firewall in the office that all our machines
>>> are sitting behind. In addition, I have a Linux machine that is configured
>>> with Apache and mod_proxy. At home, I'm behind a Linksys WRT54 (stock firmware).
>>>
>>> Note that this need only be a temporary solution - something I can turn
>>> on for a few minutes for testing and then turn off - so preventing
>>> _anything_ on our network from connecting to anything besides ports
>>> 80 and 443 would be acceptable as long as the browser is still functional
>>> (I guess that implies DNS queries would need to get through as well?)
>>> I think I can determine which destination IPs I want to block, so
>>> a solution that is limited to a few IPs would work, too. If the solution
>>> was only functional for a specific source IP address, that would work, too.
>>>
>>> Any suggestions how I might accomplish my goal (in 2 hours or less)?
>>>
>>>
>>>
>>>
>>> --
>>> -------------------------------------------------------------------------
>>> Chris Merrill | Web Performance, Inc.
>>> chris at webperformance.com | http://webperformance.com
>>> 919-433-1762 | 919-845-7601
>>>
>>> Website Load Testing and Stress Testing Software & Services
>>> -------------------------------------------------------------------------
>
>
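An added pf.conf fragment (not from the thread, and not anyone's tested config) showing one way to express the goal in the thread: it filters on the inbound side of the LAN interface, where the test host's packets first enter the firewall, allows UDP as well as TCP for DNS, and keeps the management port reachable so the host is not locked out of the firewall. The interface name em0, the macro names and the ssh pass rule are assumptions.

```pf
# Added example, assumed values. Place these after the existing
#   block in
#   pass out keep state
# lines. Direction is relative to the firewall: traffic from the LAN host
# arrives "in" on $int_if, so that is where it is filtered.
int_if    = "em0"              # assumption: the LAN-facing interface
test_host = "192.168.1.220"    # the machine under test
web_ports = "{ 80, 443 }"

# Keep ssh from the test host to the firewall working during the test
# (assumed port 22; drop this rule if the firewall is managed elsewhere).
pass in quick on $int_if proto tcp from $test_host to $int_if port 22 keep state

# Only HTTP/HTTPS to anywhere.
pass in quick on $int_if proto tcp from $test_host to any port $web_ports keep state

# DNS is UDP by default, with TCP for large answers, so allow both.
pass in quick on $int_if proto { tcp, udp } from $test_host to any port 53 keep state

# Everything else from the test host is dropped and logged. "quick" makes
# the first matching rule win, so this must come after the pass rules.
block in log quick on $int_if from $test_host to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and use `tcpdump -n -e -ttt -i pflog0` to see which connections the block rule is catching while the test runs.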