PF how to read and process tcp headers?

wolffnx


How to read and take an action based on one TCP header, like a string.
Is this possible with PF?
 

VladiBG


How to read and take an action based on one TCP header, like a string.
Is this possible with PF?

 
wolffnx


Thanks for the response, but I don't see when I can read a TCP header and take an action in PF.
 

Eric A. Borisch


A more thorough description of what you want to do would be helpful here.

The source port, destination port, and flags portions of the TCP header are all directly supported by pf filtering rules.
 
wolffnx


A more thorough description of what you want to do would be helpful here.

The source port, destination port, and flags portions of the TCP header are all directly supported by pf filtering rules.
Something close to layer 7 filtering.
 

Eric A. Borisch


If you give us a little bit more detail, we might be able to point you to some solutions that exist outside of pf.
 

Jose


Though TCP/IP doesn't really match the OSI 7-layer model, TCP is commonly mapped into layers 4 and/or 5.

You're asking about filtering based on layer 7 TCP headers. Your question is not internally consistent, and therefore has no reasonable answer.

I'm guessing that what you want to do is filter based on the contents of HTTP (layer 7 protocol) headers (which are strings).

Pf does not work at the HTTP level. You're going to need an HTTP filtering proxy like https://www.privoxy.org/.
 
wolffnx


Though TCP/IP doesn't really match the OSI 7-layer model, TCP is commonly mapped into layers 4 and/or 5.

You're asking about filtering based on layer 7 TCP headers. Your question is not internally consistent, and therefore has no reasonable answer.

I'm guessing that what you want to do is filter based on the contents of HTTP (layer 7 protocol) headers (which are strings).

Pf does not work at the HTTP level. You're going to need an HTTP filtering proxy like https://www.privoxy.org/.
That was my second option, thanks.
 
wolffnx


If you give us a little bit more detail, we might be able to point you to some solutions that exist outside of pf.
Process packages looking for strings, like malware, etc.
At the start on port 443, but I want to process all ports.
 

Jose


Process packages looking for strings, like malware, etc.
At the start on port 443, but I want to process all ports.
Not all protocols have strings that you can interpret. You're definitely not going to have any luck on port 443 if it's used in the normal way for HTTPS. That protocol is encrypted so all you're going to get is a stream of seemingly random bytes. Again, you'll need a proxy that decrypts the protocol into HTTP before you can inspect any strings to filter. You'll have to install a custom certificate authority in all the clients behind your proxy in order for this to work. See this, for example

Many protocols are binary even if they're not encrypted. For example, you might want to filter Christmas tree or martian packets. Look into scrub and antispoof in the pf.conf(5) manual page.

I suggest that you pick a few ports you'll allow through your firewall, set up filtering for them, and block all others. Trying to analyze traffic on every port is not a good approach.
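
The following pf.conf is an added illustration, not something posted by anyone in the thread. It shows the TCP header fields pf can match (ports and flags) together with the scrub, antispoof and "allow a few ports, block the rest" approach suggested above. The interface name em0 and the allowed ports 22 and 443 are assumptions.

```pf
# Added example; adjust the assumed values below to the actual host.
ext_if       = "em0"          # assumption: external interface
tcp_services = "{ 22, 443 }"  # assumption: the only inbound services offered

set block-policy drop
set skip on lo0

# Traffic normalization: sanitize packets and reassemble IP fragments
# before any filter rule sees them.
scrub in on $ext_if all fragment reassemble

# Drop packets whose source address claims to come from a network that is
# directly attached to this interface but arrive on a different one.
antispoof quick for $ext_if

# Default deny: anything not explicitly passed below is dropped and logged.
block in log all

# Matching on the TCP flags field. The default block already drops these;
# the explicit rules show the flags syntax and stop evaluation early.
# FIN+PSH+URG all set ("Christmas tree" packet):
block in log quick on $ext_if proto tcp flags FPU/FPU
# None of SYN, FIN, RST, ACK set (null packet):
block in log quick on $ext_if proto tcp flags /SFRA

# Matching on the destination port plus flags: only a clean SYN
# (SYN set, ACK clear) to an allowed port may create state.
pass in on $ext_if proto tcp to port $tcp_services flags S/SA keep state

# Outbound traffic from this host, tracked statefully.
pass out on $ext_if all keep state

# Rules can only reference addresses, ports, flags and similar header fields.
# As noted in the thread, inspecting HTTP strings requires a proxy, and
# traffic on port 443 is encrypted before pf ever sees it.
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`.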
 