Folks,

I've been using PF to manage a HTTPS whitelist, but am running into problems. Using the rule below it works well with most things. However, the login.live.com (used for Hotmail) results in timeouts. When I restart PF it's fine, which leads me to believe that the lookup is done when the rules load.

    pass out log on $ext_if proto tcp from $ext_if to { www.snort.org, login.live.com, ...and so on } port 443 keep state

My question is: is there an elegant and robust way to perform whitelisting with PF?

regards,
Andrew
On Wed, 02 Jan 2008 17:38:49 +1100, PBW wrote:

> I've been using PF to manage a HTTPS whitelist, but am running into
> problems. Using the rule below it works well with most things. However,
> the login.live.com (used for Hotmail) results in timeouts. When I
> restart PF it's fine, which leads me to believe that the lookup is done
> when the rules load.

Yes, PF only deals with numerical IP addresses. When you use symbolic host names in pf.conf, that's just syntactic sugar which pfctl resolves once at ruleset load time.

> pass out log on $ext_if proto tcp from $ext_if to { www.snort.org,
> login.live.com, ...and so on } port 443 keep state
>
> My question is: is there an elegant and robust way to perform
> whitelisting with PF?

If you think it would be elegant if PF would do DNS lookups at run-time from the kernel or could do layer 7 inspection, I would disagree.

IP-based filtering is not perfect for this case, as a host name can resolve to a dynamic list of IP addresses over time. You can reload the ruleset to trigger re-resolution regularly, but there's no guarantee that a name server will return the same (or even a similar) set of addresses for two subsequent lookups.

Furthermore, you're matching too broadly. Two completely unrelated services could be hosted on the same IP address (like www.snort.org and www.pr0n.com could reside on the same IP address). You'd either block too much or too little.

You might find that a layer 7 proxy like squid[1] is much more appropriate for the task. You can use it in transparent mode with PF redirecting clients to it without their cooperation.

Daniel

[1] http://www.squid-cache.org/
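One way to act on Daniel's point that pfctl resolves names only once at load time, as an added example that is not part of the thread: keep the whitelist in a PF table and refresh it from DNS on a schedule (e.g. from cron), so the ruleset itself never needs reloading. The table name https_whitelist, the use of the BIND `host` tool as resolver, and the sample `host` output in the test are assumptions; Daniel's caveat still applies, since a later lookup may return a different address set than the one a client is about to use.

```shell
#!/bin/sh
# Added example, not from the thread. pf.conf side (assumed table name):
#   table <https_whitelist> persist
#   pass out log on $ext_if proto tcp from $ext_if to <https_whitelist> port 443 keep state
# The rule references the table, so re-resolving names does not require a ruleset reload.

WHITELIST_HOSTS="www.snort.org login.live.com"   # names to keep resolved

# extract_ipv4: read `host -t A` output on stdin ("name has address A.B.C.D")
# and print the unique IPv4 addresses, one per line. Lines for IPv6
# ("has IPv6 address"), aliases, and errors do not match and are dropped.
extract_ipv4() {
    awk '/ has address / { print $NF }' | sort -u
}

# resolve_hosts: resolve every whitelisted name and print the address set.
# Assumes the BIND `host` tool; a name that fails to resolve contributes nothing.
resolve_hosts() {
    for h in $WHITELIST_HOSTS; do
        host -t A "$h" 2>/dev/null
    done | extract_ipv4
}

# refresh_table: swap the table contents in one pfctl call (-T replace), so
# there is no window with an empty table. If DNS returned nothing at all
# (resolver outage), keep the previous contents rather than blocking everything.
# Existing states survive the swap because the rule uses "keep state".
refresh_table() {
    addrs=$(resolve_hosts)
    if [ -z "$addrs" ]; then
        echo "refresh_table: no addresses resolved, keeping old table" >&2
        return 1
    fi
    # word-splitting of $addrs is intended: one argument per address
    # shellcheck disable=SC2086
    pfctl -q -t https_whitelist -T replace $addrs
}
```

Run refresh_table from cron every few minutes; `pfctl -t https_whitelist -T show` lists what is currently whitelisted, and `-T add` instead of `-T replace` would accumulate addresses across lookups if you prefer to err on the side of passing traffic.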
Daniel Hartmeier wrote:

> On Wed, 02 Jan 2008 17:38:49 +1100, PBW wrote:
>
> You might find that a layer 7 proxy like squid[1] is much more
> appropriate for the task. You can use it in transparent mode
> with PF redirecting clients to it without their cooperation.
>
> Daniel
>
> [1] http://www.squid-cache.org/

Thanks for taking the time to respond Daniel. I agree that PF may not be the appropriate tool, but I'm looking for an administratively low cost solution. I didn't want to use squid, but it looks like I have little choice. That is unless there is some way to instruct the Hotmail server to use a specific login.live.com server. Wishful thinking.

regards,
Andrew