Solved Routing protocol - limited site lookup

ampshock

New Member

I am now on FreeBSD 12.0 and I am trying to make a squid transparent proxy; please see the newest post.

>I am on FreeBSD 11.2 amd64 with two network interfaces, em0 and ath0.

>If I wanted to set up a routing protocol on a FreeBSD box, what would you recommend doing to block access to all websites not in a specified table? I tried making a dynamic python program that would do IP lookups for DNS names, but there are so many sub-IPs that the html webpage breaks. Would you recommend making the box a DNS server and putting only specific websites that are allowed as dns requests? Or maybe a FreeBSD browser that allows only specific websites? I currently have FreeBSD as a Wireless Access Point Gateway Router and I am using a desktop computer to connect through it. That's originally why I wanted to use PF to stop all websites except the ones I specify specifically. I could just change to using FreeBSD as my main computer, but I need some suggestions.

rc.conf
Code:
zfs_enable="YES"
clear_tmp_enable="YES"

sendmail_enable="NONE"

hostname="freebsd.router.com"
ipv6_activate_all_interfaces="YES"
moused_enable="YES"
hald_enable="YES"
dbus_enable="YES"
ifconfig_em0="DHCP -lro -tso"

rtsold_enable="YES"
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostapd"
ifconfig_wlan0="inet 10.191.135.1 netmask 255.255.255.0 ssid UPLAND8 mode 11g channel 1"
hostapd_enable="YES"

dhcpd_enable="YES"
dhcpd_ifaces="bridge0"
dhcpd_conf="/usr/local/etc/dhcpd.conf"

gateway_enable="YES"

linux_enable="YES"

powerd_enable="YES"

dumpdev="NO"
pf_enable="YES"
pf_rules="/etc/pf2.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
ntpd_enable="YES"

darkstat_enable="YES"
darkstat_interface="em0"
vnstat_enable="YES"
python script
Python:
#!/usr/local/bin/python3.6
import re
import subprocess

# drill(1) prints the address at the END of an answer line ("name. ttl IN A a.b.c.d"),
# so the pattern must not be anchored to the start of the line.
A_RECORD_RE = re.compile(r"\sIN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def resolve(site):
    """Run drill on a hostname and return its IPv4 addresses in answer order."""
    result = subprocess.run(["drill", site], shell=False, stdout=subprocess.PIPE,
                            universal_newlines=True, check=True)
    found = []
    for line in result.stdout.splitlines():
        m = A_RECORD_RE.search(line.strip())
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def collect_addresses(path):
    """Every IPv4 address mentioned in a file, de-duplicated, first-seen order
    (replaces the compare()/listss bookkeeping of the first version)."""
    addresses = []
    with open(path, "r") as fh:
        for line in fh:
            m = IPV4_RE.search(line)
            if m and m.group() not in addresses:
                addresses.append(m.group())
    return addresses


with open("websites", "r") as website_filehandle:
    sites = [w.strip() for w in website_filehandle if w.strip()]

for site in sites:
    print(site)
    for ip in resolve(site):
        print(ip)
        # pf.conf accumulates one line per resolved address across runs
        with open("pf.conf", "a") as filehandle:
            filehandle.write("block quick on $ext_if from any to %s # %s\n" % (ip, site))

# pf2.conf = the static skeleton from pf3.conf plus one pass rule pair per address
listss = collect_addresses("pf.conf")
with open("pf3.conf", "r") as skeleton, open("pf2.conf", "w") as out:
    out.write("\n")  # restart
    for q in skeleton:
        out.write(q.strip() + "\n")
    for s in listss:
        out.write("pass inet proto $ttcp from %s to any port $ports keep state #site \n" % s)
    for s in listss:
        out.write("pass inet proto $ttcp from any to %s port $ports keep state #site \n" % s)
initial pf3.conf, before the IPs are written into it
Code:
ext_if="em0"
int_if="bridge0"
martians= "{127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4}"
ports = "{http, https, domain, ntp, 25, 53, 80, 110, 123, 143, 443}"

ttcp = "{tcp, udp}"
#table <firewall> const { self }
set block-policy drop
set loginterface $ext_if
set skip on lo0

scrub out log on $ext_if all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub log on $ext_if all reassemble tcp fragment reassemble

scrub in on $ext_if all fragment reassemble

nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

block all
block inet proto icmp from any to any
antispoof for $ext_if inet
block in quick on $ext_if from $martians
block out quick on $ext_if from 172.217.0.0/16

#pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SAFR keep state


####pass in on $ext_if inet proto $ttcp from any to any port $ports keep state
####pass out on $ext_if inet proto $ttcp from any to any port $ports keep state
####pass in on $int_if inet proto $ttcp from any to any port $ports keep state
####pass out on $int_if inet proto $ttcp from any to any port $ports keep state
####pass in on $ext_if inet proto $ttcp from any to any port $ports keep state
####pass out on $ext_if inet proto $ttcp from any to any port $ports keep state
#block out on $ext_if from any to 151.101.0.0/16 #viemo, this one works
block quick on $ext_if from any to 208.67.222.222# youtube
Sincerely,
Ampshock
 

SirDice

Administrator

If I wanted to set up routing protocol on a FreeBSD box what would you recommend doing to block access to all websites not in a specified table?
I would suggest setting up a proxy server and forcing everyone through that. On most proxy servers (www/squid is a nice one) you can easily set up whitelists and/or blacklists based on (partial) URLs.

I tried making a dynamic python program that would do IP lookups for DNS names but there’s to many sub IP’s that the html webpage breaks.
As you already found out, doing it this way is pretty much an exercise in futility.
 
ampshock

New Member

Could I run a spider bot or Firefox as a background application and just grab all the IPs from tcpdump? I think PF is still the way I want to go, as Mac OS X uses a bunch of applications that I could download from the App Store, and those may not connect through the DNS squid but may bypass it to, say, YouTub*

How would I run Firefox as a background app without Xorg,
so I can just get the IPs for a site like biblehub.com?
 

SirDice

Administrator

Could I run a spider bot or Firefox as a background application and just grab all the IPs from tcpdump? I think PF is still the way I want to go, as Mac OS X uses a bunch of applications that I could download from the App Store, and those may not connect through the DNS squid but may bypass it to, say, YouTub*
That's why you block all outgoing access and force everyone through the proxy. In most corporate environments nobody has direct access to the internet.
 

jpierri

Member

That's why you block all outgoing access and force everyone through the proxy. In most corporate environments nobody has direct access to the internet.
This measure may look draconian but it already saved us from a lot of headaches here.
 

VladiBG

Aspiring Daemon

It's easier to set up a content filtering proxy. In the past I was using a transparent proxy, squid+dansguardian, to filter web sites based on keywords plus some blacklisted sites. You can check www/e2guardian
 
ampshock

New Member

Could I set up a T*r network proxy for anonymity? Or is squid the best option to learn about?
 

VladiBG

Aspiring Daemon

To be able to filter the traffic based on the web page content you need to analyze the traffic at layer 7 where the transparent proxy comes handy.
 

jiml8

Member

Why not just use pf to block everything, then put your whitelist in a pf table? You can place the hostname in the table, and the resolver will replace that with every IPv4 and IPv6 address that resolves to that hostname.

The problem with using a transparent proxy or any content filtering proxy is that the vast majority of internet traffic today is encrypted. Most of the time, all you have is IP address or port info to use in your filtering.
 

VladiBG

Aspiring Daemon

You can still filter the encrypted https traffic with SSL man-in-the-middle interception.
In a managed network (corporate network) you need to deploy your own root CA on the clients so the clients trust your server. Then, when the client sends a request over https, you intercept that request, install a spoofed certificate and return it to the client; the proxy then sends a new request to the https server. That way you decrypt and re-encrypt the traffic from and to the client and are able to filter the site content.
 
ampshock

New Member

Why not just use pf to block everything, then put your whitelist in a pf table? You can place the hostname in the table, and the resolver will replace that with every IPv4 and IPv6 address that resolves to that hostname.
I think I would like to try this approach first, before installing and learning a port. I am struggling to get PF or a table to resolve a hostname. I don't know if I need to have some connection to the hosts file in /etc or if I just need the code.
I tried go*gling too.

pfctl -t TRUSTED -T add FreeBSD.org
Does not work: invalid argument
pf.conf
table <TRUSTED> persist file "/var/trusted.pftable"


Does not seem to work when I put a hostname in that var location either
 

kpa

Beastie's Twin

PF needs IP addresses in those tables, so you have to resolve those FQDNs to IP addresses first. You can write a script that is run periodically via cron(8) and updates the table if there are changes. Even better if you can pay attention to the TTL values of the A records you're resolving.
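
One way to do what jiml8 and kpa describe (a hostname whitelist kept in a pf table, refreshed when the shortest TTL runs out), as an added example that is not a script from this thread. It assumes drill(1) from the FreeBSD base system, a `table <TRUSTED> persist` line in pf.conf, and a hypothetical whitelist file /var/trusted.hosts with one FQDN per line.

```python
#!/usr/local/bin/python3.6
"""Keep a pf table in sync with the addresses a list of hostnames resolves to.
Added example for this thread; it is not a script any poster provided.
Assumptions: drill(1) from the FreeBSD base system, a pf.conf line
  table <TRUSTED> persist
and a hypothetical whitelist file /var/trusted.hosts, one FQDN per line."""
import re
import subprocess
import time

# drill answer line, tab separated: "<name>.  <ttl>  IN  A  <ipv4>"
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_drill_output(text):
    """Return (addresses, shortest_ttl) from drill's stdout. Header, question
    and ';; SERVER:' lines never match the A-record pattern."""
    addresses, shortest = [], None
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if not m:
            continue
        ttl, addr = int(m.group(2)), m.group(3)
        if addr not in addresses:
            addresses.append(addr)
        if shortest is None or ttl < shortest:
            shortest = ttl
    return addresses, shortest

def resolve_all(hostnames, run_drill):
    """Resolve every hostname via run_drill(name) -> drill stdout text and merge
    the answers. The shortest TTL seen bounds how long the table stays valid."""
    table, shortest = [], None
    for name in hostnames:
        addrs, ttl = parse_drill_output(run_drill(name))
        for a in addrs:
            if a not in table:
                table.append(a)
        if ttl is not None and (shortest is None or ttl < shortest):
            shortest = ttl
    return table, shortest

def pfctl_replace_command(table_name, addresses):
    """'pfctl -T replace' adds new entries and drops stale ones in one call, so
    the table never keeps an address a name no longer resolves to."""
    return ["pfctl", "-t", table_name, "-T", "replace"] + sorted(addresses)

def refresh_interval(shortest_ttl, floor=60, ceiling=3600):
    """Sleep until the shortest TTL expires, clamped to a sane range."""
    if shortest_ttl is None:          # nothing resolved: retry soon
        return floor
    return max(floor, min(shortest_ttl, ceiling))

def drill(name):
    """Real resolver call; only used when the script runs on the gateway."""
    return subprocess.run(["drill", name], stdout=subprocess.PIPE,
                          universal_newlines=True, check=True).stdout

def refresh_loop(hostnames, table_name="TRUSTED"):
    previous = None
    while True:
        addresses, ttl = resolve_all(hostnames, drill)
        if sorted(addresses) != previous:     # only touch pf when something changed
            subprocess.run(pfctl_replace_command(table_name, addresses), check=True)
            previous = sorted(addresses)
        time.sleep(refresh_interval(ttl))

# Constructed drill output for a dry run (addresses from the TEST-NET-3 range).
SAMPLE_DRILL = (";; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4242\n"
                ";; QUESTION SECTION:\n;; biblehub.com.\tIN\tA\n\n"
                ";; ANSWER SECTION:\n"
                "biblehub.com.\t300\tIN\tA\t203.0.113.10\n"
                "biblehub.com.\t300\tIN\tA\t203.0.113.11\n\n"
                ";; SERVER: 10.191.135.1\n")

if __name__ == "__main__":
    addrs, ttl = resolve_all(["biblehub.com"], lambda name: SAMPLE_DRILL)
    print(" ".join(pfctl_replace_command("TRUSTED", addrs)),
          "# next refresh in", refresh_interval(ttl), "s")
    # On the router: refresh_loop([l.strip() for l in open("/var/trusted.hosts") if l.strip()])
```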
 
ampshock

New Member

I was trying to use the lsof port to see if squid was even listening. Do I need to specify what IP address squid is configured with, using http_port * 3130 intercept?

OK, so I was able to set up a FreeBSD hostapd with dhcpd.
I have an em0 interface on FreeBSD that is wired to the gateway router, while wlan0 is the wifi interface on FreeBSD. I have Squid installed, and pf.conf is trying to forward and NAT on the FreeBSD box. I tried following the Squid-cache tutorial for setting up a FreeBSD pf redirect but had no luck. I tried configuring squid and pf to just have the FreeBSD box itself running through squid as a first step, but no luck.
Code:
                                                                               +-------------+
                                                                               |PACKET       |
                                                                               |S:192.168.1.5|
                             +----------+    FREEBSD ROUTER: 192.168.1.5       |D:72.1.1.2   | +ROUTER2:192.168.1.1+
                             |PACKET    |   +--------------------------------+---------------->|                   |--->INTERNET
                             |S:10.x.x.x|   | NAT plus Squid Proxy Server    |<----------------|                   |
+----------+ REQ 72.1.1.2:80 |D:72.1.1.2|   | S:10.x.x.x -->   10.x.x.x      | |PACKET       | +-------------------+
| CLIENT   |------------------------------->| D:72.1.1.2 rdr-->10.x.x.x:3130 | |S:192.168.1.1|
| 10.x.x.x |                                 +-------------------------------+ |D:192.168.1.5|
|          |<---------------------------+---| S:72.1.1.2 <-- 192.168.1.1     | +-------------+
+----------+                 |PACKET    |   | D:10.x.x.x <-- 192.168.1.5     |
                             |S:72.1.1.2|   +--------------------------------+
                             |D:10.x.x.x|
                             +----------+
pf2.conf
Code:
#-----------------------VARS------------#
ext_if="em0"
int_if="wlan0"

martians= "{127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4}"
ports = "{http, ftp, ssh, sftp, https, domain, ntp, 25, 53, 80, 110, 123, 143, 443, 3128}"

ttcp = "{tcp, udp}"
#table <firewall> const { self }
#table <TRUSTED> counters { ftp.freebsd.org }
#-----------------------Options--------#
set block-policy drop
set loginterface $ext_if
#set skip on lo0

#------------------------Normalize------#
scrub out log on $ext_if all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub log on $ext_if all reassemble tcp fragment reassemble

scrub in on $ext_if all fragment reassemble
#------------Queueing-----------------#
#------------NAT RDR------------------#
#nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

rdr pass inet proto tcp from 10.191.135.0/24 to any -> 10.191.135.1 port 3130
no nat on $int_if proto tcp from $int_if to 10.191.135.1 port 3130
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
#pass in on egress proto tcp from any to any port 80 rdr-to 10.191.135.1 port 3130
#rdr pass on $int_if inet proto $ttcp from any to any -> 10.191.135.1 port 3130
#nat on $ext_if inet from !($ext_if) to any -> ($ext_if)
#----------FILTERING-----------------#
block all
block inet proto icmp from any to any
antispoof for $ext_if inet
block in quick on $ext_if from $martians
block out quick on $ext_if from 172.217.0.0/16

#pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SAFR keep state


pass in quick on $ext_if
pass in quick on $int_if
pass out keep state
rc.conf (sorry, it's a little redundant and unclean)
Code:
zfs_enable="YES"
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
hostname="ampshock.com"
#ipv6_activate_all_interfaces="YES"
moused_enable="YES"
hald_enable="YES"
dbus_enable="YES"
ifconfig_em0="DHCP -lro -tso"
#ifconfig_em0_ipv6="inet6 accept_rtadv"
rtsold_enable="YES"
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostapd"
ifconfig_wlan0="inet 10.191.135.1 netmask 255.255.255.0 ssid UP8 mode 11g channel 1"
hostapd_enable="YES"
dhcpd_enable="YES"
dhcpd_ifaces="wlan0"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
gateway_enable="YES"
linux_enable="YES"
powerd_enable="YES"
dumpdev="NO"
pf_enable="YES"
pf_rules="/etc/pf2.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
ntpd_enable="YES"
darkstat_enable="YES"
darkstat_interface="em0"
vnstat_enable="YES"
squid_enable="YES"
squid.conf
Code:
#
# Recommended minimum configuration:
#

acl localnet src 0.0.0.1-0.255.255.255    # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8        # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10        # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16     # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12        # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16        # RFC 1918 local private network (LAN)
acl localnet src fc00::/7           # RFC 4193 local private network range
acl localnet src fe80::/10          # RFC 4291 link-local (directly plugged) machines
acl localnetwork src 10.191.135.0/24    #internal network

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

visible_hostname ampshock.com:3128

http_access deny !Safe_ports


http_access deny CONNECT !SSL_ports


http_access allow localhost manager
http_access deny manager



http_access allow localnet
http_access allow localhost
http_access allow localnetwork

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3130 intercept

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320
 

VladiBG

Aspiring Daemon

For the transparent proxy you need to build squid from the ports (/usr/ports/www/squid) and enable TP_PF (transparent proxy with PF) at the bottom of the configuration page, because the default pkg installation is built with TP_IPFW. To verify this, use squid -v and check for the --enable-pf-transparent and --with-nat-devpf options.

portsnap auto
cd /usr/ports/www/squid
make config
make
(you need to delete the previous installation from the pkg first)
make install clean

edit the /usr/local/etc/squid/squid.conf (if your hostname is registered in the DNS then use FQDN otherwise use IP address as visible hostname)
vi /usr/local/etc/squid/squid.conf

Code:
# set up your local network and comment out the others, as your WAN interface is in a class C network

acl localnet src 0.0.0.1-0.255.255.255    # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8        # RFC 1918 local private network (LAN)
#acl localnet src 100.64.0.0/10        # RFC 6598 shared address space (CGN)
#acl localnet src 169.254.0.0/16     # RFC 3927 link-local (directly plugged) machines
#acl localnet src 172.16.0.0/12        # RFC 1918 local private network (LAN)
#acl localnet src 192.168.0.0/16        # RFC 1918 local private network (LAN)
#acl localnet src fc00::/7           # RFC 4193 local private network range
#acl localnet src fe80::/10          # RFC 4291 link-local (directly plugged) machines

# add the visible hostname
visible_hostname 10.191.135.1

http_port 3128
# add the listening intercept port (must match the port the pf rdr rule redirects to)
http_port 3129 intercept

PF rules
Code:
TRANSLATION RULES:

nat on em0 inet from 10.191.135.0/24 to any -> (em0) round-robin
rdr pass inet proto tcp from 10.191.135.0/24 to any port 80 -> 10.191.135.1 port 3129

FILTER RULES:
scrub in all fragment reassemble
pass quick on lo0 all flags S/SA keep state
pass in quick on wlan0 all flags S/SA keep state
pass out all flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state
squid needs to have read access on /dev/pf; edit
/etc/devfs.conf
Code:
own     pf      root:squid
perm    pf      0640
restart the devfs

https://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
 

obsigna

Aspiring Daemon

Perhaps the following unbound(8) method could be useful for your goals. On the gateway in unbound.conf(5) you would set up void-zones for all top level domains (which I copied from the IANA Root Zone Database), like so:
Code:
local-zone: "aaa" static
local-zone: "aarp" static
local-zone: "abarth" static
local-zone: "abb" static
local-zone: "abbott" static
local-zone: "abbvie" static
local-zone: "abc" static
local-zone: "able" static
local-zone: "abogado" static
local-zone: "abudhabi" static
local-zone: "ac" static
local-zone: "academy" static
local-zone: "accenture" static
local-zone: "accountant" static
local-zone: "accountants" static
local-zone: "aco" static
local-zone: "active" static
local-zone: "actor" static
local-zone: "ad" static
local-zone: "adac" static
local-zone: "ads" static
local-zone: "adult" static
local-zone: "ae" static
local-zone: "aeg" static
local-zone: "aero" static
local-zone: "aetna" static
local-zone: "af" static
local-zone: "afamilycompany" static
local-zone: "afl" static
local-zone: "africa" static
...
# (use the complete list, which I attached to this message)
These empty local zones let Unbound resolve everything, and I mean really everything, including all sub-domains to NXDOMAIN. Now, right before that list you add another local-zone:, namely one for biblehub.com as follows:
Code:
local-zone: "biblehub.com" transparent
This would in effect turn Unbound into a resolver for all sub-domains of biblehub.com and nothing else.

Now you would need to force all clients behind the gateway to use only its DNS service, and you could do this using the firewall. I cannot tell much about pf, so I give the rules for ipfw(8) here:
Code:
...
# Block DoT, DoH and DNS bypassing via CloudFlare's 1... and Google's 8...
/sbin/ipfw -q add 93 deny ip from any to 1.0.0.0/24,1.1.1.0/24 53,853
/sbin/ipfw -q add 94 deny ip from any to 1.0.0.0/24,1.1.1.0/24 443
/sbin/ipfw -q add 95 deny ip from any to 8.0.0.0/9 53,853
/sbin/ipfw -q add 96 deny ip from any to 8.0.0.0/9 443

# Prevent clients to use external SMTP and DNS services
/sbin/ipfw -q add 1000 deny ip from not me to any 25,53,853 out xmit $WAN
/sbin/ipfw -q add 1010 deny ip from any to any 5353 out xmit $WAN
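
A small generator for the unbound.conf block described above, plus a check of which local-zone unbound would apply to a given name, as an added example that is neither obsigna's attachment nor his configuration. The TLD list here is a constructed excerpt; it assumes the full IANA root zone list is used on a real gateway.

```python
"""Build the local-zone block of the method above (every TLD a static zone,
allowed domains transparent) and predict how unbound answers a name.
Added example for this thread; not obsigna's attachment or config."""

# Constructed excerpt of the IANA root zone list; a real gateway uses all of it.
TLDS = ["aaa", "aarp", "abarth", "com", "edu", "net", "org"]
# Domains that may resolve (the biblehub.com example from the post above).
ALLOWED = ["biblehub.com"]

def normalize(name):
    """Lower-case, strip surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()

def render_local_zones(tlds, allowed):
    """unbound.conf lines: transparent zones for the allowed domains followed by
    a static zone for every TLD (static with no local-data answers NXDOMAIN)."""
    lines = ['local-zone: "%s" transparent' % normalize(d) for d in allowed]
    lines += ['local-zone: "%s" static' % normalize(t) for t in tlds]
    return lines

def zone_type_for(name, tlds, allowed):
    """Mimic unbound's choice: the closest enclosing local-zone decides.
    'transparent' -> resolved normally, 'static' -> NXDOMAIN, None -> no zone
    covers the name (a TLD missing from the list, so it would leak through)."""
    labels = normalize(name).split(".")
    allowed_set = {normalize(d) for d in allowed}
    tld_set = {normalize(t) for t in tlds}
    for i in range(len(labels)):                 # most specific suffix first
        suffix = ".".join(labels[i:])
        if suffix in allowed_set:
            return "transparent"
        if suffix in tld_set:
            return "static"
    return None

def leaking_names(names, tlds, allowed):
    """Names no local-zone covers: a quick completeness check of the TLD list."""
    return [n for n in names if zone_type_for(n, tlds, allowed) is None]

if __name__ == "__main__":
    print("\n".join(render_local_zones(TLDS, ALLOWED)))
    for n in ("www.biblehub.com", "youtube.com", "biblehub.com.example.net", "foo.xyz"):
        print(n, "->", zone_type_for(n, TLDS, ALLOWED))
```

Note that a name merely containing an allowed domain as a prefix (biblehub.com.example.net) still lands in the static zone of its real TLD, while a TLD absent from the list is not covered at all.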
 

ampshock

New Member

For the transparent proxy you need to build squid from the ports
seems like the best solution. VladiBG, your configuration works great, thanks!

Perhaps the following unbound(8) method could be useful for your goals.

Great idea, worth a try! I'm not sure I like squid getting root access, but maybe I can install squid in a jail and try your unbound approach.
 

VladiBG

Aspiring Daemon

squid is not getting root access; it runs under its own user and group, which need to have read permission over the NAT. After you have the proxy up and running you can extend it with content filtering like e2guardian (a dansguardian fork). Don't forget that you have to block all other internet traffic and let only the traffic pass through your proxy. Otherwise it's easy to avoid the filtering using a vpn or a public proxy service.
 
ampshock

New Member

I'm not sure if indentation matters in unbound.conf, but I was able to indent 999 lines of obsigna's txt file by using vi: press ESC to get into normal mode, then 999 > "down arrow"; this shifted approximately 1000 lines.

I was not skilled enough to get squid to work properly following VladiBG's configuration, because it seems like he put "scrub in all fragment reassemble" after the redirect and NAT, which caused a syntax error with PF, because PF requires a certain order of operations in the configuration; since this was out of order, PF would not even start. I wasn't able to fix it or fix the Squid configuration file, so I used obsigna's method, which so far seems to work. Thanks! If I run into holes with the unbound method I might take another stab at Squid.
 

VladiBG

Aspiring Daemon

If you look again you will see that this is not the actual configuration of pf.conf. It's the output of pfctl -sn and pfctl -sr which doesn't show the rule order:
Code:
ext_if="hn0"
int_if="hn1"

icmp_types = "echoreq"


set block-policy return
set loginterface $ext_if
set skip on lo0
scrub in all


nat on $ext_if inet from $int_if:network to any -> ($ext_if)
rdr pass inet proto tcp from 10.0.1.0/24 to any port 80 -> 10.0.1.1 port 3129

block in
pass quick on lo0 all
pass in quick on $int_if
pass out keep state

# allow local squid connections
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state

# allow access to www
pass in on $int_if inet proto tcp from any to any port www keep state

# allow ping
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass in  on $ext_if inet proto gre to $ext_if keep state
 

obsigna

Aspiring Daemon

I'm not sure if indentation matters in unbound.conf, but I was able to indent 999 lines of obsigna's txt file by using vi: press ESC to get into normal mode, then 999 > "down arrow"; this shifted approximately 1000 lines.
Indentation in unbound.conf(5) is merely decorative, it would work without as well. It would have been possible also to include said text file as is into unbound.conf using the include directive.

... so I used obsigna's method, which so far seems to work. Thanks! If I run into holes with the unbound method ...
I am not a native English speaker, and I cannot seem to understand the exact meaning of „... running into holes ...“ Are there some domains which are not blocked?
 
ampshock

New Member

VladiBG Thanks! I'll try that.

obsigna
One problem I see using unbound is that certain website features will not load, because the Javascript or Java or some other item might be located on another server that is not labeled as transparent in my unbound.conf. I might have to try and capture packets to see which domain names I need to make transparent for full functionality of a university website (.edu).

I mean some websites do not function normally or at all like canvas.emich.edu
or maybe its just my Firefox Browser on FreeBSD?
 
ampshock

New Member

I was able to capture the DNS requests that I was missing, and I noticed that canvas.emich.edu was requesting resolution of a few names not in my unbound configuration,
namely:
Code:
fonts.googleapis.com
ssl.google-analytics.com
cloudfront.net
 
ampshock

New Member

Are there any resources or tutorials for setting up certificates with squid to intercept HTTPS traffic as a man in the middle on a separate FreeBSD box acting as a router? I don't know enough about squid and setting up a certificate to intercept and filter HTTPS.
 