Hi,

I'm having no luck at all in creating a shitlist of websites I want to block children's access to. I've created a macro containing the 'offending' IPs and written what I thought was a reasonable rule to bin the replies.

Ideally I'd like it to work in such a way that if one of the listed sites were to be accessed they would be redirected to an internal web page explaining why they can't get access. But I can work on that once I get the blocking to work. (But any pointers would be appreciated :-).)

However, even after pfctl -F all -f /etc/pf.conf

I can still access the site. It's obvious that I'm an OpenBSD novice, but this really is getting to me. Can anyone please point me in the right direction? Below is the pf.conf as it currently stands (based on the example from the OpenBSD.org site).

# macros
int_if = "le1"
ext_if = "le0"

tcp_services = "{22}" # TODO: Add rdir to server

shitlist = "{ xxx.xxx.xxx.xxx, xx.xxx.xxx.xxx }" # Real IPs removed!
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set block-policy return
set loginterface $ext_if

scrub in all

# Nat / ReDir
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Filters

block all

# Local Interface
pass quick on lo0 all

# Enable AntiSpoof on Internal IF
antispoof quick for $int_if

# RFC1918 Addresses
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# This is the line that does not work!
block out on $ext_if from any to $shitlist

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# End of File

--
Thanks
William.
William wrote:
> Hi,
>
> I'm having no luck at all in creating a shitlist of websites I want to
> block children's access to. I've created a macro containing the
> 'offending' IPs and written what I thought was a reasonable rule to
> bin the replies.
>
> Ideally I'd like it to work in such a way that if one of the listed
> sites were to be accessed they would be redirected to an internal web
> page explaining why they can't get access. But I can work on that once
> I get the blocking to work. (But any pointers would be appreciated
> :-).)
>
> However, even after pfctl -F all -f /etc/pf.conf
>
> I can still access the site. It's obvious that I'm an OpenBSD novice
> but this really is getting to me can anyone please point me in the
> right direction? Below is the pf.conf as it currently stands (based on
> the example from the OpenBSD.org site).
>
> # macros
> int_if = "le1"
> ext_if = "le0"
>
> tcp_services = "{22}" # TODO: Add rdir to server
>
> shitlist = "{ xxx.xxx.xxx.xxx, xx.xxx.xxx.xxx }" # Real IPs removed!
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
> }"
>
> set block-policy return
> set loginterface $ext_if
>
> scrub in all
>
> # Nat / ReDir
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> # Filters
>
> block all
>
> # Local Interface
> pass quick on lo0 all
>
> # Enable AntiSpoof on Internal IF
> antispoof quick for $int_if
>
> # RFC1918 Addresses
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
>
> # This is the line that does not work!
> block out on $ext_if from any to $shitlist

Ok, you block, but you do *not* stop evaluation.

> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
>
> pass out on $ext_if proto tcp all modulate state flags S/SA

And there you have it. You let everything out. Last rule wins _unless_ you use the quick keyword.

> pass out on $ext_if proto { udp, icmp } all keep state
>
> # End of File

HTH,
EJ

--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.
William wrote:

Hi,

I've now got it working using:

block drop out quick log on $ext_if from any to $shitlist

But my initial attempts when using quick were negated since one of the sites had 8 IPs assigned to it!

--
Thanks
William.
On Sun, 21 Dec 2003 16:31:30 GMT, William <william_@_work.co.uk> wrote:
>Hi,
>
>I'm having no luck at all in creating a shitlist of websites I want to block
>children's access to. I've created a macro containing the 'offending' IPs
>and written what I thought was a reasonable rule to bin the replies.
>
>Ideally I'd like it to work in such a way that if one of the listed sites
>were to be accessed they would be redirected to an internal web page
>explaining why they can't get access. But I can work on that once I get the
>blocking to work. (But any pointers would be appreciated :-).)
>
>However, even after pfctl -F all -f /etc/pf.conf
>
>I can still access the site. It's obvious that I'm an OpenBSD novice but
>this really is getting to me can anyone please point me in the right
>direction? Below is the pf.conf as it currently stands (based on the
>example from the OpenBSD.org site).
>
># macros
>int_if = "le1"
>ext_if = "le0"
>
>tcp_services = "{22}" # TODO: Add rdir to server
>
>shitlist = "{ xxx.xxx.xxx.xxx, xx.xxx.xxx.xxx }" # Real IPs removed!
>priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>
>set block-policy return
>set loginterface $ext_if
>
>scrub in all
>
># Nat / ReDir
>nat on $ext_if from $int_if:network to any -> ($ext_if)
>
># Filters
>
>block all
>
># Local Interface
>pass quick on lo0 all
>
># Enable AntiSpoof on Internal IF
>antispoof quick for $int_if
>
># RFC1918 Addresses
>block drop in quick on $ext_if from $priv_nets to any
>block drop out quick on $ext_if from any to $priv_nets
>
># This is the line that does not work!
>block out on $ext_if from any to $shitlist
>
>pass in on $int_if from $int_if:network to any keep state
>pass out on $int_if from any to $int_if:network keep state
>pass out on $ext_if proto tcp all modulate state flags S/SA

The above line is the reason the shitlist line does not do anything. As this rule is checked *after* the shitlist line, ALL tcp traffic is allowed out.

To remedy, simply add the 'quick' keyword to the shitlist rule:

block out quick on $ext_if from any to $shitlist

To keep tabs on how, *cough*, often this rule is matched you may consider using the logging feature.

>pass out on $ext_if proto { udp, icmp } all keep state
>
># End of File
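The two replies above both come down to pf's evaluation order: every rule is checked in turn, the last one that matches decides the verdict, and only a matching rule carrying `quick` ends evaluation early. The following is an added Python model of that order, written for this thread and not code from the thread or from OpenBSD's pf. It replays the filter rules from William's pf.conf against an outbound TCP packet, once as posted and once with `quick` on the shitlist rule. Everything concrete in it is an assumption: the shitlist addresses are constructed from RFC 5737 documentation ranges (the `/29` entry stands in for the "site with 8 IPs" William mentions later), the internal network is assumed to be 192.168.1.0/24, and the model skips NAT, `antispoof`, state tracking and the `flags S/SA` check because they do not affect which rule wins here.

```python
"""Added model of pf rule evaluation: the last matching rule wins
unless a matching rule is marked 'quick', which stops evaluation.
Addresses below are constructed (RFC 5737 documentation ranges), not
the IPs that were removed from the original post."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def nets(*cidrs):
    """Turn CIDR strings into network objects (a pf address list)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


@dataclass
class Packet:
    direction: str  # "in" or "out"
    iface: str      # interface the packet is seen on, e.g. "le0"
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str


@dataclass
class Rule:
    action: str                      # "block" or "pass"
    direction: Optional[str] = None  # None matches both directions
    iface: Optional[str] = None      # None matches any interface
    proto: Optional[set] = None      # None matches any protocol
    src: Optional[list] = None       # list of networks, None = any
    dst: Optional[list] = None       # list of networks, None = any
    quick: bool = False              # pf 'quick': stop on match
    label: str = ""                  # the pf.conf line this models

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if self.proto and p.proto not in self.proto:
            return False
        if self.src and not any(ipaddress.ip_address(p.src) in n for n in self.src):
            return False
        if self.dst and not any(ipaddress.ip_address(p.dst) in n for n in self.dst):
            return False
        return True


def evaluate(rules, p: Packet):
    """Return (verdict, label of deciding rule) using pf's order:
    last match wins, but a matching 'quick' rule ends evaluation."""
    decision = ("pass", "default")  # pf passes when no rule matches
    for r in rules:
        if r.matches(p):
            decision = (r.action, r.label)
            if r.quick:
                break
    return decision


EXT_IF, INT_IF = "le0", "le1"                     # from the post
INT_NET = nets("192.168.1.0/24")                  # assumed $int_if:network
PRIV_NETS = nets("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
SHITLIST = nets("203.0.113.5/32", "198.51.100.0/29")  # constructed stand-ins


def build_ruleset(quick_on_shitlist: bool):
    """The filter rules from the thread, in their posted order."""
    return [
        Rule("block", label="block all"),
        Rule("pass", iface="lo0", quick=True, label="pass quick on lo0 all"),
        Rule("block", "in", EXT_IF, src=PRIV_NETS, quick=True,
             label="block drop in quick on $ext_if from $priv_nets to any"),
        Rule("block", "out", EXT_IF, dst=PRIV_NETS, quick=True,
             label="block drop out quick on $ext_if from any to $priv_nets"),
        Rule("block", "out", EXT_IF, dst=SHITLIST, quick=quick_on_shitlist,
             label="block out on $ext_if from any to $shitlist"),
        Rule("pass", "in", INT_IF, src=INT_NET,
             label="pass in on $int_if from $int_if:network to any"),
        Rule("pass", "out", INT_IF, dst=INT_NET,
             label="pass out on $int_if from any to $int_if:network"),
        Rule("pass", "out", EXT_IF, proto={"tcp"},
             label="pass out on $ext_if proto tcp all"),
        Rule("pass", "out", EXT_IF, proto={"udp", "icmp"},
             label="pass out on $ext_if proto { udp, icmp } all"),
    ]


def decide(pkt: Packet, quick_on_shitlist: bool):
    return evaluate(build_ruleset(quick_on_shitlist), pkt)


if __name__ == "__main__":
    # Outbound web request from the NAT'd external address to a listed site.
    web = Packet("out", EXT_IF, "tcp", "192.0.2.10", "203.0.113.5")
    for q in (False, True):
        verdict, why = decide(web, q)
        print(f"quick={q}: {verdict:5} (decided by: {why})")
```

Run as posted (`quick=False`) the shitlist rule does match, but the later `pass out on $ext_if proto tcp all` also matches and, being last, wins. With `quick=True` evaluation stops at the shitlist rule and the packet is blocked; a destination inside the `/29` entry is caught the same way, which is why every address a site answers from has to be in the list.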
William wrote:
> William wrote:
>
> Hi,
>
> I've now got it working using:
>
> block drop out quick log on $ext_if from any to $shitlist
>
> But my initial attempts when using quick were negated since one of the
> sites had 8 IPs assigned to it!
>

It is not a good and viable solution. There are many many many more sites than you will ever be able to block. Just use google.

EJ

--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.
William wrote:
> William wrote:
>
> Hi,
>
> I've now got it working using:
>
> block drop out quick log on $ext_if from any to $shitlist
>
> But my initial attempts when using quick were negated since one of the
> sites had 8 IPs assigned to it!
>

Which is why you'd probably do better using squid and squidguard.
On Sun, 21 Dec 2003 17:58:51 +0000, Keith Matthews <invalid@frequentous.co.uk> reported to us:
>>
>
>Which is why you'd probably do better using squid and squidguard.

Squid has a "transparent" flavor that allows you to redirect everything heading for port 80 to squid. The kids won't need to put any proxy settings in the web browser. It won't redirect https and ftp, but you can still nat those.

You can also use sarg to get an idea of where the kids have been, if you want to update your black list.

HTH,
Wally

"No one has ever had an idea in a dress suit."
Sir Frederick G. Banting