OPNsense Forum

Archive => 15.1 Legacy Series => Topic started by: StP on May 21, 2015, 04:53:17 pm

Title: Firewalls/Aliases: Using wildcards to allow traffic
Post by: StP on May 21, 2015, 04:53:17 pm
Hi,

I have several machines that are not allowed to access the WAN. I have created a firewall rule for that.
Problem: All machines run Secunia's CSI agent (www.secunia.com).
The firewall requirement for this agent is: "Allow https to *.secunia.com"
How do I create such a rule? It seems wildcards are not supported.

Regards
  StP
Title: Re: Firewalls/Aliases: Using wildcards to allow traffic
Post by: franco on May 22, 2015, 11:55:28 am
This is overly tricky, because:

(a) you are not using MITM decryption

Unless you monitor the DNS queries of your system, you'll never know which page HTTPS is using since it's encrypted. Even that is not completely sane; the best you can do is add an IP alias list for the host and open port 443 with the same rule.

One could also monitor the SSL header for the Common Name / Hostname, but that is not supported by pf(4).

http://wiki.squid-cache.org/Features/SslPeekAndSplice

(b) you want to use MITM decryption

This requires proxying with relayd(8) or another sophisticated application we do not currently provide a GUI for.


A large number of commercial firewalls support this natively, but it is still a largely unavailable open source firewall distro feature.
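The point in the reply above is that a "*.secunia.com" rule needs the hostname, and with HTTPS the only place that hostname appears on the wire before the tunnel is up is the SNI field of the TLS ClientHello, which pf(4) does not parse. The following is an added example (not from this thread, OPNsense, or Secunia) of what an SNI-aware filter would have to do: it constructs a ClientHello with a Server Name Indication extension, parses the name back out of the raw record, and matches it against a wildcard pattern. The wildcard semantics (pattern "*.secunia.com" matches any host below secunia.com but not the apex itself) are an assumption, as is the hostname csi.secunia.com used as sample input; the ClientHello bytes are constructed here, not captured.

```python
import struct

SNI_EXT_TYPE = 0x0000  # server_name extension, RFC 6066


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Built here as sample input; it is not a captured packet."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list
    body = (
        b"\x03\x03"               # client_version: TLS 1.2
        + b"\x00" * 32            # random (zeroed for the example)
        + b"\x00"                 # session_id: empty
        + b"\x00\x02\xc0\x2f"     # cipher_suites: one suite
        + b"\x01\x00"             # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None when the
    record is not a well-formed ClientHello or carries no SNI (fail closed)."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < int.from_bytes(hs[1:4], "big"):
        return None                                   # truncated handshake
    pos = 2 + 32                                      # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT_TYPE or len(edata) < 2:
            continue
        list_end = min(2 + struct.unpack("!H", edata[:2])[0], len(edata))
        q = 2
        while q + 3 <= list_end:
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            name = edata[q + 3:q + 3 + nlen]
            q += 3 + nlen
            if ntype == 0 and len(name) == nlen:
                try:
                    return name.decode("ascii").lower()
                except UnicodeDecodeError:
                    return None
    return None


def host_matches(host: str, pattern: str) -> bool:
    """Assumed wildcard semantics: '*.secunia.com' matches any name below
    secunia.com (any depth), never the apex and never 'secunia.com.evil.net'."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                          # ".secunia.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def decide(record: bytes, allow_patterns) -> str:
    """Filter verdict for one ClientHello: 'pass' if the SNI matches an
    allowed pattern, otherwise 'block' (including when no SNI is present)."""
    sni = extract_sni(record)
    if sni is None:
        return "block"
    return "pass" if any(host_matches(sni, p) for p in allow_patterns) else "block"


if __name__ == "__main__":
    allow = ["*.secunia.com"]                        # the vendor's stated requirement
    for name in ("csi.secunia.com", "secunia.com", "secunia.com.attacker.example"):
        print(name, "->", decide(build_client_hello(name), allow))
```

The check has to run on the first client-to-server segment of every flow to port 443, which is why it belongs in a proxy such as the Squid peek-and-splice mode linked above rather than in a stateless pf rule; a client that omits SNI, or one that resumes a session without sending a ClientHello through the inspection point, ends up in the "block" branch, so a fail-closed default is the safe choice.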
Title: Re: Firewalls/Aliases: Using wildcards to allow traffic
Post by: StP on May 22, 2015, 01:01:31 pm
Franco,

thanks for sharing.

I will talk to Secunia, perhaps there is a short list of hosts that I need to allow connections to.

StP