NetBSD-Users archive


Re: Block a single connection with npf



Rocky Hotas <rockyhotas%firemail.cc@localhost> writes:

> In npf.conf(5), the group defining the rules for the LAN interface
> $if_mylan of my gateway is as follows:
>
> group "internal" on $if_mylan {
>         pass in all
>         pass out all
>
>         block stateful out family inet4 proto tcp from <not_nice_host> to <target_address> port 443
> }
>
> I would like $if_mylan to be essentially a transparent interface, for
> any traffic from and to the internet, except in one case.

First, you are talking about "gateway" so I am guessing you have the
usual computer with two interfaces, one to your ISP with a single IPv4
address and one that is your home LAN, where it is .1, does DHCP, and is
running npf.  If not, please explain.

Normally, people set up NAT from LAN to WAN, and a firewall for incoming
WAN packets that blocks most things except for what they want, and
usually a stateful pass out rule so that matching packets from outgoing
things are allowed.

I am not an npf expert yet -- still on the steep part of the learning
curve -- but I think stateful rules only match on SYN packets and then
apply to the others.

> A host inside the LAN, with IP <not_nice_host>, often sends data to
> <target_address>, port 443, through a TCP connection. I would like to
> block this stream, without affecting any other connection between the LAN
> and the internet. I would like that, when the data arrives from
> <not_nice_host> to $if_mylan, it is blocked.

This is a normal desire, to stop "phoning home" and "exfiltration" by
your adversary-controlled proprietary-software-infested IoT things :-)

Stepping back, the real goal is to stop the packet from going to the
ISP and onwards to the destination.  So you can block the packet
inbound on if_mylan or outbound on if_mywan.  But outbound on the WAN, you
have to be careful about whether NAT is applied when the rule is evaluated so
you can match.  Or you can just block target_address entirely.

> I tried as above, adding a `block' line. But this seems not to have any
> effect (at least, observing the stream for several seconds on iftop,
> after having updated /etc/npf.conf and launched `npfctl reload').

I would add

  block in family inet4 proto tcp from <not_nice_host> to <target_address> port 443

instead.  Basically you want to drop all packets on that port from
<not_nice_host> to <target_address> and you don't care if the connection
is open or not.

Generally I find I want to use stateful rules only to allow a reverse flow,
and this isn't one of those times.


Another strategy, which works with ipfilter, is to have (pseudocode, for example)

  block out log on wan from 10.0.0.IOT1 to any
  block out log on wan from 10.0.0.IOT1 to <unwanted-known-place>
  pass out on wan from 10.0.0.IOT1 to [exactly what I want to allow]

With ipf, the rule is evaluated before NAT.  But block-all pass-some vs
block-some is a somewhat separate issue from your current problem.
However, for block-all pass-some, you need to do it outbound, because
you might want these devices to be able to do DNS or NTP to your router
box, even if you don't want them to communicate externally in general.

(I'm not saying that with npf the rule isn't evaluated in the same order --
just that I am not clear on that yet.)

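A complete npf.conf for the two-interface gateway described in the reply, showing the stateless `block in` rule suggested above beside the original `block stateful out` rule (kept as a comment to show why it never matches), plus the block-all pass-some variant for the IoT host. This is an added example, not part of the original message or of NetBSD's sample configuration. Interface names wm0/wm1, the 10.0.0.0/24 LAN, 10.0.0.50 as the "not nice" host, 203.0.113.10 as its destination, and the use of plain variables instead of the `<...>` tables from the post are all assumptions made so the file stands alone.

```conf
# Added example (not from the original post).  NetBSD gateway with
# wm0 towards the ISP and wm1 on the home LAN; all names and
# addresses below are assumed placeholders.

$ext_if = "wm0"
$int_if = "wm1"

$ext_v4        = inet4($ext_if)
$localnet      = 10.0.0.0/24
$router_lan_v4 = 10.0.0.1
$not_nice_host = 10.0.0.50
$target_addr   = 203.0.113.10

# The usual NAT from the LAN to the single WAN address.  The map is
# bound to $ext_if, so nothing is translated on $int_if and LAN-side
# rules always see the private source address.
map $ext_if dynamic $localnet -> $ext_v4

group "external" on $ext_if {
	# Replies to LAN-initiated flows come back through this state.
	pass stateful out final all
	block in final all
}

group "internal" on $int_if {
	# The rule from the post, kept as a comment only to show what it
	# does not match: "out" on the LAN interface sees packets that are
	# travelling towards the LAN, i.e. replies from $target_addr.  Their
	# source is never $not_nice_host, so this rule never fires.
	# block stateful out family inet4 proto tcp from $not_nice_host to $target_addr port 443

	# The flow enters the gateway inbound on the LAN interface, so match
	# it there.  No "stateful": every packet of the flow is dropped,
	# including those of a connection that was already open before the
	# reload.  "final" stops processing so a later pass cannot override
	# it.  return-rst answers the client with a TCP reset instead of a
	# silent drop, so it does not sit there retransmitting.
	block return-rst in final family inet4 proto tcp from $not_nice_host to $target_addr port 443

	# Alternative for a block-all pass-some policy on this one host,
	# done on the LAN side where NAT is not involved.  The price is that
	# router-local services (DNS, NTP) must be passed explicitly.
	# pass in final proto udp from $not_nice_host to $router_lan_v4 port { domain, ntp }
	# pass in final proto tcp from $not_nice_host to $router_lan_v4 port domain
	# block in final from $not_nice_host

	pass in final all
	pass out final all
}

group default {
	pass final on lo0 all
	block all
}
```

Check the syntax with `npfctl validate /etc/npf.conf` before `npfctl reload`; a rule that does not parse leaves the previously loaded ruleset in place. After the reload, the existing HTTPS stream from 10.0.0.50 dies on its next packet, which is what distinguishes this from a stateful rule that would only act on new connections.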


