Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
15.1 Legacy Series
»
Firewalls/Aliases: Using wildcards to allow traffic
« previous
next »
Print
Pages: [
1
]
Author
Topic: Firewalls/Aliases: Using wildcards to allow traffic (Read 23300 times)
StP
Jr. Member
Posts: 62
Karma: 2
Firewalls/Aliases: Using wildcards to allow traffic
«
on:
May 21, 2015, 04:53:17 pm »
Hi,
I have several machines that are not allowed to access the WAN. I have created a firewall rule for that.
Problem: All machines run Secunia's CSI agent (
www.secunia.com
).
The firewall requirement for this agent is: "Allow https to *.secunia.com"
How do I create such a rule? It seems wildcards are not supported.
Regards
StP
Logged
franco
Administrator
Hero Member
Posts: 17473
Karma: 1587
Re: Firewalls/Aliases: Using wildcards to allow traffic
«
Reply #1 on:
May 22, 2015, 11:55:28 am »
This is overly tricky, because:
(a) you are not using MITM decryption
Unless you monitor the DNS queries of your system, you'll never know which page HTTPS is using since it's encrypted. Even that is not completely sane, the best you can do is add an IP alias list for the host and open port 443 with the same rule.
One could also monitor the SSL header for the Common Name / Hostname, but that is not supported by pf(4).
http://wiki.squid-cache.org/Features/SslPeekAndSplice
(b) you want to use MITM decryption
This requires proxying with relayd(
or another sophisticated application we do not currently provide a GUI for.
A large number of commercial firewall supports this natively, but it is still a largely unavailable open source firewall distro feature.
Logged
StP
Jr. Member
Posts: 62
Karma: 2
Re: Firewalls/Aliases: Using wildcards to allow traffic
«
Reply #2 on:
May 22, 2015, 01:01:31 pm »
Franco,
thanks for sharing.
I will talk to Secunia, perhaps there is a short list of hosts that I need to allow connections to.
StP
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
15.1 Legacy Series
»
Firewalls/Aliases: Using wildcards to allow traffic