PF how to read and process tcp headers?

Thanks for the response, but I don't see when I can read a TCP header and take an action in PF.
 
A more thorough description of what you want to do would be helpful here.

The source port, destination port, and flags portions of the TCP header are all directly supported by pf filtering rules.
 
Though TCP/IP doesn't really match the OSI 7-layer model, TCP is commonly mapped into layers 4 and/or 5.

You're asking about filtering based on layer 7 TCP headers. Your question is not internally consistent, and therefore has no reasonable answer.

I'm guessing that what you want to do is filter based on the contents of HTTP (layer 7 protocol) headers (which are strings.)

Pf does not work at the HTTP level. You're going to need an HTTP filtering proxy like https://www.privoxy.org/.
 
That was my second option, thanks.
 
Process packets looking for strings, like malware, etc.
At the start on port 443, but I want to process all ports.
Not all protocols have strings that you can interpret. You're definitely not going to have any luck on port 443 if it's used in the normal way for HTTPS. That protocol is encrypted so all you're going to get is a stream of seemingly random bytes. Again, you'll need a proxy that decrypts the protocol into HTTP before you can inspect any strings to filter. You'll have to install a custom certificate authority in all the clients behind your proxy in order for this to work. See this, for example

Many protocols are binary even if they're not encrypted. For example, you might want to filter Christmas tree or martian packets. Look into scrub and antispoof in the pf.conf(5) manual page.

I suggest that you pick a few ports you'll allow through your firewall, set up filtering for them, and block all others. Trying to analyze traffic on every port is not a good approach.
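As an added illustration of the advice in this thread (this is not a ruleset posted by anyone in the thread), here is a pf.conf fragment that does the things the replies mention: it normalizes packets with scrub, drops spoofed sources with antispoof, filters on the TCP port and flags fields that pf supports directly, and defaults to blocking everything not explicitly allowed. OpenBSD-style syntax is assumed; the interface name `em0`, the internal network `10.0.0.0/24`, and the allowed port list are assumptions you would replace with your own.

```pf
# Added example ruleset, not from the thread. Interface, internal
# network and allowed ports below are assumptions for illustration.
ext_if = "em0"
int_net = "10.0.0.0/24"
tcp_services = "{ 22, 80, 443 }"

# Normalize fragmented or oddly formed packets before filtering
# (see "scrub" in pf.conf(5)). On FreeBSD use "scrub in all" instead.
match in all scrub (no-df random-id)

# Drop packets arriving on the external interface with source
# addresses that could not legitimately come from there.
antispoof quick for $ext_if

# Filtering on the TCP flags field itself: drop "Christmas tree"
# packets (FIN, SYN, RST, PSH, ACK and URG all set at once).
block in quick on $ext_if proto tcp flags FSRPAU/FSRPAU

# Default deny: anything not matched by a later pass rule is blocked.
block all

# Allow new outbound TCP connections from the inside only to the
# chosen destination ports. "flags S/SA" matches packets with SYN set
# and ACK clear, i.e. the first packet of a handshake; pf then tracks
# the connection state so the rest of the exchange needs no rule.
pass out on $ext_if proto tcp from $int_net to any port $tcp_services flags S/SA keep state

# Allow inbound connections to a local HTTPS server on port 443 only,
# again matched on the handshake packet and then tracked by state.
pass in on $ext_if proto tcp from any to ($ext_if) port 443 flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without activating it, then `pfctl -f /etc/pf.conf`. Note that every match above is on header fields (addresses, ports, flags); nothing here inspects payload strings, which is exactly the limitation the replies describe.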
 