Rocky Hotas <rockyhotas%firemail.cc@localhost> writes:

> In npf.conf(5), the group defining the rules for the LAN interface
> $if_mylan of my gateway is as follows:
>
> group "internal" on $if_mylan {
>     pass in all
>     pass out all
>
>     block stateful out family inet4 proto tcp from <not_nice_host> to <target_address> port 443
> }
>
> I would like $if_mylan to be essentially a transparent interface, for
> any traffic from and to the internet, except in one case.

First, you are talking about "gateway" so I am guessing you have the
usual computer with two interfaces, one to your ISP with a single IPv4
address and one that is your home LAN, where it is .1, does dhcp, and is
running npf. If not please explain.

Normally, people set up nat from LAN to WAN, and a firewall for incoming
WAN packets that blocks most things except for what they want, and
usually a stateful pass out rule so that matching packets from outgoing
things are allowed.

I am not an npf expert yet -- still on the steep part of the learning
curve -- but I think stateful rules only match on syn packets and then
apply to others.

> A host inside the LAN, with IP <not_nice_host>, often sends data to
> <target_address>, port 443, through a TCP connection. I would like to
> block this stream, without affecting any other connection between the LAN
> and the internet. I would like that, when the data arrives from
> <not_nice_host> to $if_mylan, it is blocked.

This is a normal desire, to stop "phoning home" and "exfiltration" by
your adversary-controlled proprietary-software-infested IOT things :-)

Stepping back, the real goal is to stop the packet from going to the ISP
and onwards to the destination. So you can block the packet inbound to
if_mylan or outbound on if_mywan. But outbound on wan, you have to be
careful about if NAT is applied when the rule is evaluated so you can
match. Or you can just block target_address entirely.

> I tried as above, adding a `block' line. But this seems not to have any
> effect (at least, observing the stream for several seconds on iftop,
> after having updated /etc/npf.conf and launched `npfctl reload').

I would add

  block in family inet4 proto tcp from <not_nice_host> to <target_address> port 443

instead. Basically you want to drop all packets on that port from
<not_nice_host> to <target_address> and you don't care if the connection
is open or not. Generally I find I want to use stateful rules only to
allow a reverse flow, and this isn't one of those times.

Another strategy, that works with ipfilter, is to have (pseudocode for
example)

  block out log on wan from 10.0.0.IOT1 to any
  block out log on wan from 10.0.0.IOT1 to <unwanted-known-place>
  pass out on wan from 10.0.0.IOT1 to [exactly what I want to allow]

With ipf, the rule is evaluated before nat. But block-all pass-some vs
block-some is a somewhat separate issue from your current problem.
However, for block-all pass-some, you need to do it outbound, because you
might want these devices to be able to do DNS or NTP to your router box,
even if you don't want them to communicate externally in general.

(I'm not saying with npf the rule isn't evaluated in the same order --
just that I am not clear on that yet.)
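An added npf.conf sketch (example code, not from either poster) that puts the suggested `block in` rule into a complete two-interface gateway configuration; the interface names, the 192.0.2.0/24 LAN and both host addresses are constructed placeholders. It also adds NPF's `final` keyword, so the block wins regardless of rule order (NPF otherwise keeps evaluating and applies the last matching rule), and an `apply "log"` procedure so that hits can be watched on npflog0 instead of guessing from iftop.

```conf
# Added example, not from the thread. Assumptions: wm0 faces the ISP,
# wm1 is the home LAN, and every address below is a constructed placeholder.
$if_mywan = "wm0"
$if_mylan = "wm1"
$ext_v4   = inet4($if_mywan)
$lan_net  = { 192.0.2.0/24 }

# Constructed stand-ins for <not_nice_host> and <target_address>.
$not_nice_host  = { 192.0.2.50 }
$target_address = { 203.0.113.10 }

# Matched packets are copied to npflog0 (ifconfig npflog0 create;
# tcpdump -ni npflog0), which is how you confirm the rule actually fires.
procedure "log" {
	log: npflog0
}

# Usual LAN -> WAN NAT for the home-gateway setup described in the reply.
map $if_mywan dynamic $lan_net -> $ext_v4

group "external" on $if_mywan {
	# Replies to connections the LAN opened are admitted by the state
	# table, so no explicit "pass in" is needed for them.
	pass stateful out all
	# Unsolicited traffic arriving from the ISP side is dropped.
	block in all
}

group "internal" on $if_mylan {
	pass in all
	pass out all

	# Packets the IoT host sends toward the internet enter the gateway
	# *in* on $if_mylan, so the block must be "in", not "out" (an "out"
	# rule here could only match replies travelling back toward the LAN).
	# "final" stops rule processing on a match; without it NPF continues
	# and the last matching rule decides, so a later "pass in all" would
	# silently override this block. "stateful" is deliberately absent:
	# every packet is dropped whether or not a connection already exists.
	block in final family inet4 proto tcp from $not_nice_host to $target_address port 443 apply "log"
}

group default {
	pass final on lo0 all
	block all
}
```

Run `npfctl validate /etc/npf.conf` before `npfctl reload`; once loaded, a `tcpdump -ni npflog0` should show the dropped SYNs from the IoT host, which is a much clearer signal than watching the stream on iftop.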