Can i create a rule to block a specific application?

Started by sairfan1, June 27, 2022, 07:32:44 PM

I got back to the firewall world after a very long time. The last time I used ISA Server, where I had the option to stop an application from communicating with the internet/WAN network, for example:

I can create a rule that blocks any traffic coming from any internal network/IP sent through the application skyp.exe.

If that is not possible through OPNsense, can you please advise what the closest solution would be? How can I filter traffic to understand blocking parameters, for example:

Can I create a rule to show only outgoing traffic from internal IP xxx.xxx.x.x containing URL/query string 'xyz'?

As far as any specific application goes, you can block on an IP / port basis, because that is what a socket is, namely a quadruple of src/dst IPs and ports. If you know the specific application ports and can be sure that nobody just alters them to fit their needs (i.e. circumvent your filters), you can disable that.

Other than that, some applications can be seen by introspection of the traffic itself, but that is getting much more difficult these days because most applications communicate with encryption.

TLS/HTTPS is not an exception to this rule, but there is a possibility to have your firewall be set up as a mandatory proxy in which case you could do MITM via two bidirectional encrypted channels (client <-> firewall <-> target). Other than that, you can only see / filter the target host and not the URL with TLS.

Identifying the process is virtually impossible because you do not see that on the line, either.

If your target is to lock down specific machines to do only what you allow them to, you would have to use a software firewall on the client machine (like Microsoft parental controls). If someone can install software on the client, they can easily circumvent your filters by VPN solutions.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Depending on the application you would like to block, you could use the Sensei / Zenarmor plugin to do so.

Check out this section in the forum:
https://forum.opnsense.org/index.php?board=38.0

It is possible to use Snort or Suricata to block specific applications. You can either go for the free solution, which is creating custom rules, or a paid solution and try to find a Suricata or Snort license seller which has applications included in their rulesets.

You can also TECHNICALLY block apps based on the local ports they use (for example, in Windows Firewall you can assign them to use a specific local port instead of any on outbound connections).
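The second and the last reply describe the same constraint from two angles: a perimeter firewall such as OPNsense can only key on the socket tuple and, for TLS, on the server name sent in clear in the ClientHello, while pinning an application's local port with a host firewall (the Windows Firewall trick above) is what turns a process into something the network can actually see. The following Python script is an added example, not code from this thread or from OPNsense, Suricata or Snort. It constructs a TLS ClientHello, extracts the SNI the way an inspection engine would, and evaluates a constructed block list over constructed LAN flows. All addresses, ports and the host name example-app.test are assumptions chosen for the demonstration.

```python
"""Added example, not code from the forum thread or from OPNsense.

Models what a perimeter firewall has to work with when asked to "block
skyp.exe": the socket 5-tuple and, for TLS, the Server Name Indication
(SNI) sent in clear in the ClientHello. The URL path and query string
travel inside the encrypted record layer and are not visible here.
All addresses, host names and ClientHello bytes are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with one SNI
    extension (constructed test input, not a packet capture)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type host_name(0)
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                 # client_version TLS 1.2
        + bytes(32)                 # random, zeroed for the example
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # one cipher suite
        + b"\x01\x00"               # compression: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a TLS ClientHello, or None if the bytes
    are not a ClientHello or carry no SNI. On a TLS connection this is the
    only application-layer name a firewall sees in clear."""
    try:
        if record[0] != 0x16:                                 # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                     # not a ClientHello
            return None
        pos = 4 + 2 + 32                                      # header, version, random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        if pos >= len(hs):
            return None                                       # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0x0000:                            # server_name extension
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None                                           # truncated or malformed


@dataclass(frozen=True)
class Flow:
    """First client packet of a connection, as the firewall sees it."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    """Block rule built only from on-the-wire fields; None is a wildcard."""
    src_net: str = "0.0.0.0/0"
    sport: Optional[int] = None       # set when a host firewall pins the app's local port
    dport: Optional[int] = None
    sni_suffix: Optional[str] = None  # "example-app.test" also matches "login.example-app.test"


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src_net):
        return False
    if rule.sport is not None and flow.sport != rule.sport:
        return False
    if rule.dport is not None and flow.dport != rule.dport:
        return False
    if rule.sni_suffix is not None:
        sni = extract_sni(flow.payload)
        if sni is None:
            return False                                      # no SNI: this rule cannot decide
        if sni != rule.sni_suffix and not sni.endswith("." + rule.sni_suffix):
            return False
    return True


def decide(rules: List[Rule], flow: Flow) -> str:
    """First matching block rule wins; otherwise the flow passes."""
    return "block" if any(rule_matches(r, flow) for r in rules) else "pass"


# Constructed rule set: block the example application's TLS traffic from the
# LAN by SNI, and block whatever a host firewall has pinned to local port 40000.
RULES = [
    Rule(src_net="192.168.1.0/24", dport=443, sni_suffix="example-app.test"),
    Rule(src_net="192.168.1.0/24", sport=40000),
]

if __name__ == "__main__":
    app_hello = build_client_hello("login.example-app.test")
    web_hello = build_client_hello("www.example.org")
    for flow in (
        Flow("192.168.1.20", 51234, "203.0.113.10", 443, app_hello),  # blocked by SNI
        Flow("192.168.1.20", 51235, "203.0.113.20", 443, web_hello),  # passes: other host
        Flow("192.168.1.20", 40000, "203.0.113.20", 443, web_hello),  # blocked by pinned port
    ):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} "
              f"sni={extract_sni(flow.payload)} => {decide(RULES, flow)}")
```

Note that extract_sni has nothing to return for the URL path or query string from the original question: those fields sit inside the encrypted records, which is why only the mandatory-proxy (MITM) setup mentioned in the second reply can filter on them, and why an SNI rule can be sidestepped by anything that changes the host name or tunnels the traffic through a VPN.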