
I wish to make a secure environment and to block uploading to any destination on the Internet. How can I achieve that using pfSense?

Is pfSense the right tool for it?

I tried to limit the upload to 8 bits per second and now I cannot download either (it also got limited).

Can squid be a good solution for what I am searching for?

p.s. I still want to download files via git, http, https and ssh; for example, "yarn install" and "composer install" should work.

The goal is to block uploading files from behind the pfSense to the outside.

Dharman
llioor
  • What do you mean by upload? If you request a web page, you upload that request and download the response; for every TCP segment you receive (download) you need to send an ACK (that is upload). (Yes, there is a TCP window, but that's not the point.) – on8tom Feb 26 '21 at 12:25
  • pfSense is essentially a router OS based on FreeBSD. squid and snort are software packages, both available on pfSense. – on8tom Feb 26 '21 at 12:27
  • Are you willing to completely break SSL and other encryption on your local network? – on8tom Feb 26 '21 at 12:27
  • I answered with "Edit" – llioor Feb 27 '21 at 17:48

2 Answers

tl;dr: You can't! But you can use trickle.

Explanation

Since every time we create a TCP session we upload data to the internet, and it doesn't matter whether it's a 3-way handshake, an HTTP request or posting a file to a server, you cannot create a session without being able to upload data to the internet. What you can do is limit the bandwidth per application.

Workaround 1

You can use trickle.

sudo apt-get install trickle

You can limit upload/download for a specific app by running

trickle -u (upload limit in KB/s) -d (download limit in KB/s) application

This way you can limit http and other applications while still being able to use git.

Workaround 2

Another way is to deny all applications access to the internet and allow only specific applications by exception.

ALUFTW

In short, you can't do it with stock pfSense.

You'll need a firewall which can inspect SSL and SSH.

You can run the squid proxy on pfSense, and that can do SSL bumping, which can be used to inspect HTTPS traffic. With squid you can block file uploads for http (and https with sslbump).

If you want to inspect SSH and limit file upload via SSH, you'll need a Palo Alto or a Fortigate or another next-gen firewall which can inspect SSH.

on8tom
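Squid's own directives for the approach this answer describes, as an added example that is not part of the answer or of the configuration pfSense generates; the CA file paths, the port and the client subnet are assumptions, and on pfSense these lines would go into the squid package's custom options rather than a hand-written squid.conf.

```conf
# Added example squid.conf fragment (assumed paths/ports): refuse HTTP(S) file uploads
# while GET-based fetches (yarn install, composer install, git clone) keep working.
# Clients must trust ca.pem, otherwise every bumped HTTPS connection fails.
http_port 3128 ssl-bump tls-cert=/usr/local/etc/squid/ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 4MB

# Decrypt everything so request methods and body sizes are visible to Squid.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Option A (blunt): refuse any request that carries a body.
# Caveat: this also breaks "git clone" over HTTPS, because smart HTTP POSTs
# its pack negotiation to /git-upload-pack. Left commented out for that reason.
#acl has_body method POST PUT PATCH
#http_access deny has_body

# Option B (used here): keep small bodies such as git's negotiation (a few KB)
# but refuse anything large enough to be a file upload. Squid answers requests
# above the cap with an "Invalid Request" error; 0 (the default) means no limit.
request_body_max_size 64 KB

# Only the local client subnet may use the proxy; deny everything else.
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
```

Traffic that bypasses the proxy (SSH, raw TCP) is untouched by this, which is why the answer points to SSH-inspecting firewalls for the rest; pair it with a pfSense rule that only lets the proxy host reach the WAN.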