[PF] HTTPS whitelisting by domain name - BSD


Thread: [PF] HTTPS whitelisting by domain name

  1. [PF] HTTPS whitelisting by domain name

    Folks,
    I've been using PF to manage a HTTPS whitelist, but am running into
    problems. Using the rule below it works well with most things. However,
    the login.live.com (used for Hotmail) results in timeouts. When I
    restart PF it's fine, which leads me to believe that the lookup is done
    when the rules load.

    pass out log on $ext_if proto tcp from $ext_if to { www.snort.org,
    login.live.com, ...and so on } port 443 keep state

    My question is: is there an elegant and robust way to perform
    whitelisting with PF?

    regards,
    Andrew

  2. Re: [PF] HTTPS whitelisting by domain name

    On Wed, 02 Jan 2008 17:38:49 +1100, PBW wrote:

    > I've been using PF to manage a HTTPS whitelist, but am running into
    > problems. Using the rule below it works well with most things. However,
    > the login.live.com (used for Hotmail) results in timeouts. When I
    > restart PF it's fine, which leads me to believe that the lookup is done
    > when the rules load.


    Yes, PF only deals with numerical IP addresses. When you use symbolic
    host names in pf.conf, that's just syntactic sugar which pfctl
    resolves once on ruleset load time.

    > pass out log on $ext_if proto tcp from $ext_if to { www.snort.org,
    > login.live.com, ...and so on } port 443 keep state
    >
    > My question is: is there an elegant and robust way to perform
    > whitelisting with PF?


    If you think it would be elegant if PF would do DNS lookups
    at run-time from kernel or could do layer 7 inspection, I would
    disagree.

    IP-based filtering is not perfect for this case, as a host name
    can resolve to a dynamic list of IP addresses over time. You can
    reload the ruleset to trigger re-resolution regularly, but there's
    no guarantee that a name server will return the same (or even a
    similar) set of addresses for two subsequent lookups.

    Furthermore, you're matching too broadly. Two completely unrelated
    services could be hosted on the same IP address (like www.snort.org
    and www.pr0n.com could reside on the same IP address). You'd either
    block too much or too little.

    You might find that a layer 7 proxy like squid[1] is much more
    appropriate for the task. You can use it in transparent mode
    with PF redirecting clients to it without their cooperation.

    Daniel

    [1] http://www.squid-cache.org/
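One way to do the regular re-resolution Daniel mentions, as an added example that is not part of this thread and not the original poster's own setup: keep the names in a PF table and refresh that table from cron with `pfctl -T replace`, instead of reloading the whole ruleset. The table name `https_whitelist`, the cron interval and the sample names are assumptions; it does nothing about the shared-IP over-matching Daniel also points out.

```python
#!/usr/bin/env python3
"""Keep a PF table in sync with the current addresses of whitelisted names.

Run from cron every few minutes. Instead of reloading the whole ruleset it
re-resolves each name and replaces the table, so the pass rule in pf.conf
references the table and never needs reloading itself:
    table <https_whitelist> persist
    pass out log on $ext_if proto tcp from $ext_if to <https_whitelist> port 443
"""
import socket
import subprocess
import sys

WHITELIST = ["www.snort.org", "login.live.com"]  # constructed sample list
TABLE = "https_whitelist"  # hypothetical table name; must match pf.conf


def resolve(names, lookup=socket.getaddrinfo):
    """Return (sorted addresses, names that failed). A name with several
    records (the login.live.com case) contributes all of them; failures are
    reported, not silently dropped, so a DNS hiccup cannot shrink the list."""
    addrs, failed = set(), []
    for name in names:
        try:
            for *_rest, sockaddr in lookup(name, 443, type=socket.SOCK_STREAM):
                addrs.add(sockaddr[0])
        except OSError:
            failed.append(name)
    return sorted(addrs), failed


def pfctl_replace_cmd(table, addrs):
    """pfctl invocation that atomically replaces the table's contents."""
    return ["pfctl", "-t", table, "-T", "replace", *addrs]


def sync(names, table, lookup=socket.getaddrinfo, run=subprocess.run):
    """0: all resolved; 1: some failed (table updated with the rest, which
    fails closed for the missing names); 2: nothing resolved, table untouched."""
    addrs, failed = resolve(names, lookup)
    for name in failed:
        print(f"warning: could not resolve {name}", file=sys.stderr)
    if not addrs:
        return 2
    run(pfctl_replace_cmd(table, addrs), check=True)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(sync(WHITELIST, TABLE))
```

Addresses that are no longer returned by DNS drop out of the table on the next run, and a name that temporarily fails to resolve is logged rather than quietly left out of the whitelist.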

  3. Re: [PF] HTTPS whitelisting by domain name

    Daniel Hartmeier wrote:
    > On Wed, 02 Jan 2008 17:38:49 +1100, PBW wrote:
    >
    >
    > You might find that a layer 7 proxy like squid[1] is much more
    > appropriate for the task. You can use it in transparent mode
    > with PF redirecting clients to it without their cooperation.
    >
    > Daniel
    >
    > [1] http://www.squid-cache.org/


    Thanks for taking the time to respond Daniel. I agree that PF may not be
    the appropriate tool, but I'm looking for an administratively low cost
    solution. I didn't want to use squid, but it looks like I have little
    choice.

    That is unless there is some way to instruct the Hotmail server to use a
    specific login.live.com server. Wishful thinking.

    regards,
    Andrew
