Solved Blocking request based on IP address in X-Forwarded-For header

I have (courtesy of fail2ban + nginx) tables of IPs I would like to stop from accessing the server in any way (ssh, web, etc.).

When they try to ssh, pf blocks them like it should. When they access the webserver directly, they get blocked. But when they access via a proxy, I have no idea what to do. The firewall rules that I have block requests from IPs listed in certain tables (block quick from <table>) and via the fail2ban anchor (anchor "f2b/*"). I don't want to block the addresses of the proxy servers; normal innocent people use those proxies too.

I know that the IP of the original host is mentioned in a specific header (X-Forwarded-For). Is there a way I can get the firewall (pf, or any other firewall even) to check the IP in this header field against the table of banned IPs? Are the contents of packet header fields actually available at the stack level of the firewall?

Of course, the webserver (nginx) can see the origin IPs and can be also used to block the offenders, but I would prefer to solve the problem at the firewall level, if possible.
 
pf does not parse HTTP. You can't do this from pf. As far as I know IPFW or IPF also don't parse HTTP.

You'll need to convince your web server to block these requests.
 
Firewalls (PF, IPFW, IPFILTER) all work on layer 3/4, what you want to filter is on layer 7.
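To make the "do it in the web server" answer concrete, here is an added example that is not from the thread: the check the web server has to perform before it can apply the ban table to an X-Forwarded-For address. The point a practitioner has to get right is that the header is client-supplied, so it may only be believed when the TCP peer is a proxy you trust, and then only up to the first hop (walking from the right) that is not itself a trusted proxy. Anything else lets a direct client evade a ban, or make a request look as if it came from an innocent address. The proxy ranges and the banned addresses below are constructed placeholders, not the original poster's tables. In nginx the same selection is done by ngx_http_realip_module (set_real_ip_from for each trusted proxy, real_ip_header X-Forwarded-For, real_ip_recursive on), after which the rewritten $remote_addr can be matched with deny directives loaded from a file that fail2ban maintains.

```python
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample data (assumption, not the poster's real tables):
# proxies whose X-Forwarded-For we are willing to believe ...
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
# ... and the equivalent of the pf / fail2ban ban table
BANNED = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/24")]


def _in(addr: IPAddress, nets) -> bool:
    # membership test across mixed v4/v6 networks; mismatched versions are simply False
    return any(addr in n for n in nets)


def client_address(peer: str, xff: Optional[str]) -> IPAddress:
    """Return the address the ban table should be applied to.

    peer: the TCP peer address (what pf and nginx's raw $remote_addr see)
    xff:  the raw X-Forwarded-For header value, or None if absent

    If the peer is not a trusted proxy the header is untrusted and ignored.
    Otherwise walk the chain from the right (the hop that appended last is
    rightmost) and skip every trusted proxy; the first hop that is not one of
    ours is the closest hop nobody we trust has vouched for.
    """
    peer_addr = ipaddress.ip_address(peer)
    if not _in(peer_addr, TRUSTED_PROXIES):
        return peer_addr
    candidate = peer_addr
    for hop in reversed((xff or "").split(",")):
        hop = hop.strip()
        if not hop:
            continue
        try:
            hop_addr = ipaddress.ip_address(hop)
        except ValueError:
            # unparseable entry: anything to its left is not worth trusting either
            break
        candidate = hop_addr
        if not _in(hop_addr, TRUSTED_PROXIES):
            break
    return candidate


def is_banned(peer: str, xff: Optional[str]) -> bool:
    """True when the resolved client address falls in the ban table."""
    return _in(client_address(peer, xff), BANNED)


if __name__ == "__main__":
    # direct hit from a banned address, header irrelevant
    print(is_banned("192.0.2.10", None))
    # banned client behind a trusted proxy
    print(is_banned("203.0.113.4", "192.0.2.10"))
    # untrusted peer claiming to be a banned address: header ignored, not banned
    print(is_banned("10.0.0.1", "192.0.2.10"))
```

Note what this does not solve: pf still only sees the proxy address, so the decision has to live in the web server, and any fail2ban jail that reads the web server log must see the resolved address rather than the proxy's, or every ban it issues will hit the proxy.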
 