3

I have a FreeBSD 9.0 router with 250-300 Mbit/s of traffic, and need to filter a small list of pages (http.request.uri).

I do not care about Tor, anonymizers, proxies etc. Just prevent direct access from my network to these pages.

How? Only by redirecting HTTP to Squid or any other HTTP proxy?

I know about tcpdump -ddd and the bpf netgraph node. But HTTP is too hard for me.

Korjavin Ivan
  • +1 Interesting question. So, you currently have a two-interface FBSD box, currently with NATed (pf?) routing (therefore you don't want to use a proxy), and want to block HTTP requests to exactly defined URIs on some of your interfaces? – clt60 Sep 27 '12 at 15:09
  • Yes, ipfw, ngnat and routing. – Korjavin Ivan Sep 28 '12 at 04:26

2 Answers

1

If you don't want to use a proxy (e.g. transparently redirecting all traffic via an ipfw rule to a proxy; users don't notice anything), then for the solution you need something that is capable of deep packet inspection.

Check this: http://sourceforge.net/projects/ipfw-classifyd/ It should do what you want, "layer 7 filtering" with ipfw (or with pf too).

Or download pfSense (an excellent FreeBSD-based firewall) and check how to use it. According to the docs (http://doc.pfsense.org/index.php/Traffic_Shaping_Guide#Layer_7), it uses ipfw-classifyd.

PS: just wondering why you don't use pf instead of ipfw+ngnat.

clt60
0

If the list is small, you could just blacklist the IPs in the firewall.

Of course you have to check from time to time whether the pages moved to another site. You could do this with a cron script.

arved
  • I can't use IPs. It's about big services like YouTube. – Korjavin Ivan Sep 26 '12 at 12:30
  • YouTube sounds like fun; I noticed for example that the Google Chrome updater sometimes downloads its updates from a YouTube domain – arved Sep 26 '12 at 15:09
  • See also http://stackoverflow.com/questions/9342782/is-there-a-way-to-get-all-ip-addresse-of-youtube-to-block-it-with-windows-firewa. Messing with DNS is also a solution, if your users are unskilled – arved Sep 26 '12 at 15:11
  • Yes, DNS works for hosts. My problem is that I have a list of HTTP URLs. – Korjavin Ivan Sep 27 '12 at 03:52
  • So if you need to filter on the HTTP protocol, setting up a transparent proxy with Squid is fairly easy. You can find lots of howtos on the net – arved Sep 27 '12 at 12:41
  • Yep, I know about Squid, I wrote about it in the Q. But I still hope for another solution – Korjavin Ivan Sep 27 '12 at 13:41
  • I'm not sure you can do it without an HTTP proxy: even if you manage to drop TCP packets containing stuff like GET / HTTP/1.1 host: www.youtube.com, then how would you prevent users accessing httpS://www.youtube.com with SSL? –  Sep 28 '12 at 15:24
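The cron-refreshed IP blacklist arved describes, written out as an added example (this is not code from the thread). It assumes FreeBSD ipfw with table support, table number 1 referenced by a deny rule, and host(1) for name resolution; the point is that stale addresses are deleted on each run, not only new ones added.

```shell
#!/bin/sh
# Added example, not from the thread: keep an ipfw lookup table in sync with
# the current addresses of a short list of blocked hostnames, so a cron job
# can re-resolve them and drop entries whose address moved.
# Assumed setup: a rule such as  ipfw add 100 deny tcp from any to 'table(1)' dst-port 80

BLOCK_TABLE=${BLOCK_TABLE:-1}
IPFW=${IPFW:-ipfw}          # set IPFW=echo for a dry run

# resolve_host NAME -> IPv4 addresses, one per line (host(1) ships with FreeBSD)
resolve_host() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF }'
}

# current_entries -> addresses now in the table, one per line
# (ipfw prints "addr/plen value"; strip the /32 that single hosts get)
current_entries() {
    $IPFW table "$BLOCK_TABLE" list 2>/dev/null | awk '{ sub("/32$", "", $1); print $1 }'
}

# compute_changes WANTED CURRENT -> "add IP" / "delete IP" lines, so only the
# difference is applied and stale addresses are removed rather than piling up
compute_changes() {
    wanted=" $(printf '%s ' $1)"      # unquoted on purpose: normalise whitespace
    current=" $(printf '%s ' $2)"
    for ip in $wanted; do
        case "$current" in *" $ip "*) ;; *) echo "add $ip" ;; esac
    done
    for ip in $current; do
        case "$wanted" in *" $ip "*) ;; *) echo "delete $ip" ;; esac
    done
}

# sync_table HOST... : resolve every host and apply the differences to the table
sync_table() {
    wanted=""
    for h in "$@"; do
        wanted="$wanted $(resolve_host "$h")"
    done
    compute_changes "$wanted" "$(current_entries)" | while read -r action ip; do
        $IPFW table "$BLOCK_TABLE" "$action" "$ip"
    done
}

# e.g. from cron every 30 minutes:  /usr/local/sbin/blocksync.sh www.example.org
if [ "$#" -gt 0 ]; then
    sync_table "$@"
fi
```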