I am now on FreeBSD 12.0 and I am trying to make a squid transparent proxy, please see newest post
>I am on FreeBSD 11.2 amd64 with two network interfaces em0 and ath0
>If I wanted to set up routing on a FreeBSD box, what would you recommend for blocking access to all websites not in a specified table? I tried writing a dynamic Python program that does IP lookups for DNS names, but there are too many secondary IPs that the HTML web page breaks. Would you recommend making the box a DNS server and allowing only specific websites as DNS requests? Or maybe a FreeBSD browser that allows only specific websites? I currently have FreeBSD as a wireless access point / gateway router and I am using a desktop computer to connect through it. That's why I originally wanted to use PF to stop all websites except the ones I specify. I could just switch to using FreeBSD as my main computer, but I need some suggestions.
rc.conf
python script
initial pf3.conf, before it is rewritten to include the IPs
Sincerely,
Ampshock
>I am on FreeBSD 11.2 amd64 with two network interfaces em0 and ath0
>If I wanted to set up routing on a FreeBSD box, what would you recommend for blocking access to all websites not in a specified table? I tried writing a dynamic Python program that does IP lookups for DNS names, but there are too many secondary IPs that the HTML web page breaks. Would you recommend making the box a DNS server and allowing only specific websites as DNS requests? Or maybe a FreeBSD browser that allows only specific websites? I currently have FreeBSD as a wireless access point / gateway router and I am using a desktop computer to connect through it. That's why I originally wanted to use PF to stop all websites except the ones I specify. I could just switch to using FreeBSD as my main computer, but I need some suggestions.
rc.conf
Code:
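# rc.conf for the FreeBSD AP/gateway box: em0 is the uplink (DHCP), ath0/wlan0
# the hostap side; pf loads the script-generated /etc/pf2.conf.
zfs_enable="YES"
clear_tmp_enable="YES"
sendmail_enable="NONE"
hostname="freebsd.router.com"
ipv6_activate_all_interfaces="YES"
moused_enable="YES"
# Fixed: the variable was misspelled "hald_enabla", so rc(8) ignored it and
# hald was never started.
hald_enable="YES"
dbus_enable="YES"
ifconfig_em0="DHCP -lro -tso"
rtsold_enable="YES"
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostapd"
ifconfig_wlan0="inet 10.191.135.1 netmask 255.255.255.0 ssid UPLAND8 mode 11g channel 1"
hostapd_enable="YES"
dhcpd_enable="YES"
# Set once (it was listed twice). NOTE(review): bridge0 is also pf's $int_if,
# but no cloned_interfaces="bridge0" / ifconfig_bridge0 line appears in this
# file — confirm the bridge is created elsewhere, otherwise dhcpd has no
# interface to listen on and LAN clients get no lease.
dhcpd_ifaces="bridge0"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
gateway_enable="YES"
linux_enable="YES"
powerd_enable="YES"
dumpdev="NO"
# pf loads the file the Python script generates; pf3.conf is only the template.
pf_enable="YES"
pf_rules="/etc/pf2.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
ntpd_enable="YES"
darkstat_enable="YES"
darkstat_interface="em0"
vnstat_enable="YES"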
python script
Python:
#!/usr/local/bin/python3.6
import ipaddress
import re
import subprocess
def compare(a,b,c,d=1):
    """Compare the string forms of *b* and *d*.

    Returns the tuple ``(a, str(b), stops, str(d))`` where ``stops`` is the
    literal ``"final"`` when the two strings are equal and *c* unchanged
    otherwise.  *a* is passed through untouched.
    """
    left, right = str(b), str(d)
    marker = "final" if left == right else c
    return (a, left, marker, right)
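# Address pattern used on both drill output and pf.conf: an IPv4 address at the
# very start of a (stripped) line, the same anchored form the original used.
_IPV4_AT_LINE_START = re.compile(r"^\d{1,3}[.]\d{1,3}[.]\d{1,3}[.]\d{1,3}")
# Only plain hostnames are handed to drill: letters, digits, dots and hyphens,
# never a leading "-", so an entry in `websites` cannot be parsed as a drill
# option.  NOTE(review): this rejects underscores and non-ASCII names; widen it
# if such entries are needed.
_HOSTNAME_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


def _leading_ipv4(line):
    """Return the IPv4 address at the start of *line*, or None if there is none.

    The regex alone accepts strings such as 999.1.1.1; ipaddress.IPv4Address
    rejects them so no unloadable rule ends up in pf.conf / pf2.conf.
    """
    m = _IPV4_AT_LINE_START.search(line.strip())
    if m is None:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group()))
    except ValueError:
        return None


def _resolve_site(site):
    """Run ``drill site``, keep its raw output in ls2.txt and return the IPv4
    addresses found at the start of an output line, in order, duplicates kept.

    Returns an empty list when drill is not installed or exits non-zero, so one
    bad entry in `websites` no longer aborts the run with pf.conf half-written.
    NOTE(review): only lines that *begin* with an address are picked up — check
    this against the drill output format actually in use.
    """
    try:
        with open("ls2.txt", "w") as output_file:
            subprocess.run(["drill", site], shell=False,
                           stdout=output_file, check=True)
    except (OSError, subprocess.CalledProcessError) as err:
        print(f"drill failed for {site}: {err}")
        return []
    with open("ls2.txt", "r") as file_in:
        return [ip for ip in map(_leading_ipv4, file_in) if ip]


def _append_block_rules(site, ips):
    """Append ``block quick on $ext_if from any to <ip>#<site>`` to pf.conf for
    every address in *ips*; the site name rides along as a pf comment."""
    if not ips:
        return
    with open("pf.conf", "a") as filehandle:
        for ip in ips:
            print(ip)
            filehandle.write(f"block quick on $ext_if from any to {ip}#{site}\n")


def _unique_leading_ips(path):
    """Return, in first-seen order, the distinct IPv4 addresses that start a
    line of *path*.

    The original compared each new address against ``listss[:-1]`` and so never
    checked the most recently added element; a repeat of that address slipped
    through.  Membership in the result list is checked directly here.
    """
    found = []
    with open(path, "r") as file_in2:
        for x in file_in2:
            ip = _leading_ipv4(x)
            if ip is not None and ip not in found:
                found.append(ip)
    return found


def _write_pf2(ips):
    """Rewrite pf2.conf: a blank first line (as before), the stripped lines of
    the pf3.conf template, then a pass rule in each direction per address."""
    with open("pf3.conf", "r") as template, open("pf2.conf", "w") as out:
        out.write("\n")  # restart
        for q in template:
            out.write(q.strip() + "\n")
        for s in ips:
            out.write(f"pass inet proto $ttcp from {s} to any port $ports keep state #site \n")
        for s in ips:
            out.write(f"pass inet proto $ttcp from any to {s} port $ports keep state #site \n")


def main():
    """Resolve every hostname listed in `websites`, record a block rule per
    address in pf.conf, then regenerate pf2.conf from pf3.conf plus pass rules
    for every address that starts a line of pf.conf.

    Note that the lines this script itself appends to pf.conf begin with
    "block", so they never match the anchored address pattern of the second
    pass; only lines of pf.conf that start with a bare address reach pf2.conf.
    Allow-listing by resolved address is also fragile: any address a site is
    served from that drill did not return at run time stays blocked.
    """
    with open("websites", "r") as website_filehandle:
        for web in website_filehandle:
            site = web.strip()
            # Blank lines and "#"-comments in the list are ignored.
            if not site or site.startswith("#"):
                continue
            if not _HOSTNAME_OK.match(site):
                print(f"skipping {site!r}: not a plain hostname")
                continue
            print(site)
            _append_block_rules(site, _resolve_site(site))
    allowed_ips = _unique_leading_ips("pf.conf")
    _write_pf2(allowed_ips)


if __name__ == "__main__":
    main()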
initial pf3.conf, before it is rewritten to include the IPs
Code:
# Macros.  NOTE(review): ext_if is assigned twice (here and two lines below);
# pf keeps the last assignment, so one of the two can go.
ext_if="em0"
int_if="bridge0"
ext_if="em0"
# Bogon/private source ranges rejected on the uplink.  10.0.0.0/8 also contains
# the wireless LAN (10.191.135.0/24 in rc.conf); that is fine here because the
# rule that uses $martians is applied on $ext_if only.
martians= "{127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4}"
# Service names and their numeric ports are both listed (http/80, https/443,
# domain/53, ntp/123); harmless, but one form is enough.
ports = "{http, https, domain, ntp, 25, 53, 80, 110, 123, 143, 443}"
ttcp = "{tcp, udp}"
#table <firewall> const { self }
# Silently drop blocked packets instead of answering with RST / ICMP unreachable.
set block-policy drop
set loginterface $ext_if
set skip on lo0
# Three scrub rules on $ext_if overlap (out, both directions, in); all of them
# request fragment reassembly and the first two also log.
scrub out log on $ext_if all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub log on $ext_if all reassemble tcp fragment reassemble
scrub in on $ext_if all fragment reassemble
# Masquerade everything leaving the uplink behind its address.  Translation
# happens before the outbound filter, so "block out" rules on $ext_if see the
# translated source (the router's own address), not the LAN client's.
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
# Default deny in both directions on every interface; only the pass rules the
# script appends to pf2.conf open anything.
block all
# NOTE(review): this also drops the ICMP messages path-MTU discovery relies on;
# consider permitting at least "unreach" (and "echoreq") if large transfers stall.
block inet proto icmp from any to any
antispoof for $ext_if inet
block in quick on $ext_if from $martians
# NOTE(review): with NAT in place an outbound packet on $ext_if carries the
# router's own address as source, so "from 172.217.0.0/16" is unlikely to ever
# match; "to 172.217.0.0/16" looks like what was intended — confirm.
block out quick on $ext_if from 172.217.0.0/16
#pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SAFR keep state
# All general pass rules are disabled; the Python script appends per-address
# pass rules instead.  NOTE(review): those generated rules name no interface,
# and nothing here admits DHCP or DNS from the LAN to the router itself —
# confirm clients can still obtain a lease and resolve names.
####pass in on $ext_if inet proto $ttcp from any to any port $ports keep state
####pass out on $ext_if inet proto $ttcp from any to any port $ports keep state
####pass in on $int_if inet proto $ttcp from any to any port $ports keep state
####pass out on $int_if inet proto $ttcp from any to any port $ports keep state
####pass in on $ext_if inet proto $ttcp from any to any port $ports keep state
####pass out on $ext_if inet proto $ttcp from any to any port $ports keep state
#block out on $ext_if from any to 151.101.0.0/16 #viemo, this one works
# NOTE(review): 208.67.222.222 is widely known as a public DNS resolver address
# (OpenDNS) rather than a YouTube host — check what this rule really blocks.
block quick on $ext_if from any to 208.67.222.222# youtube
Sincerely,
Ampshock