OPNsense Forum » Archive » 15.1 Legacy Series » Firewalls/Aliases: Using wildcards to allow traffic

Author Topic: Firewalls/Aliases: Using wildcards to allow traffic  (Read 7607 times)

StP
Firewalls/Aliases: Using wildcards to allow traffic
« on: May 21, 2015, 04:53:17 pm »
Hi,

I have several machines that are not allowed to access the WAN. I have created a firewall rule for that.
Problem: All machines run Secunia's CSI agent (www.secunia.com).
The firewall requirement for this agent is: "Allow https to *.secunia.com"
How do I create such a rule? It seems wildcards are not supported.

Regards
  StP

franco
Re: Firewalls/Aliases: Using wildcards to allow traffic
« Reply #1 on: May 22, 2015, 11:55:28 am »
This is overly tricky, because:

(a) you are not using MITM decryption

Unless you monitor the DNS queries of your system, you'll never know which page HTTPS is using since it's encrypted. Even that is not completely sane; the best you can do is add an IP alias list for the host and open port 443 with the same rule.

One could also monitor the SSL header for the Common Name / Hostname, but that is not supported by pf(4).

http://wiki.squid-cache.org/Features/SslPeekAndSplice

(b) you want to use MITM decryption

This requires proxying with relayd(8) or another sophisticated application we do not currently provide a GUI for.


A large number of commercial firewalls support this natively, but it is still largely unavailable as an open source firewall distro feature.
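The distinction in the reply above (pf(4) sees only addresses and ports, while a proxy that "peeks" at the handshake can see the requested hostname before deciding whether to forward) is easier to picture with the bytes in front of you. The following Python is an added example and is not code from the forum post, from OPNsense, or from Squid: it constructs a minimal TLS 1.2 ClientHello carrying an SNI extension (the hostnames are made up for the example), extracts the server_name the way a peeking proxy would, and matches it against the agent's `*.secunia.com` requirement.

```python
import struct

# Hostnames and the allow list below are constructed for this example.
ALLOWED = ["*.secunia.com"]


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record.  Only the fields a
    peeking proxy must walk past to reach the SNI extension are filled in;
    a real client sends a random nonce, many cipher suites and more extensions."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type host_name(0), length, name
        name_list = struct.pack("!H", len(entry)) + entry         # ServerNameList
        sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # extension_type server_name(0)
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                  # client_version: TLS 1.2
        + b"\x00" * 32               # random (zeros only because this is a constructed sample)
        + b"\x00"                    # session_id: empty
        + b"\x00\x02\xc0\x2f"        # cipher_suites: one suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        + b"\x01\x00"                # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, None when the
    record is not a ClientHello or carries no SNI, and raise ValueError when it
    is truncated or malformed (a proxy should fail closed there, not guess)."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                  # not a TLS handshake record at all
    try:
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                              # handshake record, but not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                 # skip client_version and random
        pos += 1 + body[pos]                         # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                         # skip compression_methods
        if pos + 2 > len(body):
            return None                              # no extensions block, hence no SNI
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("extensions length exceeds ClientHello")
        while pos + 4 <= end:                        # walk the extension list looking for type 0
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type != 0x0000:
                continue
            list_len = struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                if name_type == 0:
                    return name.decode("ascii")
                q += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def matches_wildcard(hostname, pattern):
    """Read "*.secunia.com" as "any host under secunia.com": the suffix must
    match on a label boundary, so "evil-secunia.com" and the bare "secunia.com"
    do not match.  A pattern without "*." is an exact hostname."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return hostname == pattern
    suffix = pattern[1:]                             # ".secunia.com"; the leading dot is the boundary
    return hostname.endswith(suffix) and len(hostname) > len(suffix)


def decide(record, allowed=ALLOWED):
    """Policy a peeking proxy could apply before forwarding: pass only when the
    client named an allowed host.  Non-TLS, SNI-less or unparseable hellos are
    blocked, since there is nothing to match the wildcard against."""
    try:
        name = extract_sni(record)
    except ValueError:
        return "block"
    if name is None:
        return "block"
    return "pass" if any(matches_wildcard(name, p) for p in allowed) else "block"


if __name__ == "__main__":
    for host in ("csi.secunia.com", "update.example.net", None):
        print(host, "->", decide(build_client_hello(host)))
```

Two caveats a practitioner should keep in mind before relying on this. The server_name is asserted by the client in cleartext and is not authenticated: software on a host that is already restricted can put `csi.secunia.com` in its ClientHello while connecting to any address, so an SNI check on its own is a policy hint, not a boundary; it needs to be paired with a destination IP alias, or the proxy has to terminate TLS and verify the server certificate (the MITM case in the reply above). And newer TLS 1.3 deployments can encrypt the ClientHello (ECH), in which case there is no plaintext name to peek at.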

StP

Re: Firewalls/Aliases: Using wildcards to allow traffic
« Reply #2 on: May 22, 2015, 01:01:31 pm »
Franco,

thanks for sharing.

I will talk to Secunia, perhaps there is a short list of hosts that I need to allow connections to.

StP

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved