Netgate Discussion Forum

Application filtering

Off-Topic & Non-Support Discussion
10 Posts 6 Posters 3.6k Views
  • T
    techbee
    last edited by May 31, 2017, 3:48 PM

    Is there application filtering with pfSense?

    • H
      heper
      last edited by May 31, 2017, 7:11 PM

      Not as far as I know. L7 filtering has been broken for a long, long time.

      • J
        johnpoz LAYER 8 Global Moderator
        last edited by May 31, 2017, 7:51 PM

        Define what you consider application filtering..

        If you mean L7 or DPI (deep packet inspection) to determine the type of traffic and then block it, then heper is right.

        But if you want to block, say, outbound SMTP, which is an application that uses TCP 25, you can filter that. Or if you wanted to block DNS, which is on 53, you could block that, etc.

        What exactly are you looking to accomplish?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • A
          AR15USR
          last edited by May 31, 2017, 10:06 PM

          Johnpoz, are there any plans in the future to have L7 or DPI filtering fixed/implemented?


          2.6.0-RELEASE

          • T
            techbee
            last edited by May 31, 2017, 11:19 PM

            I am trying to block any VPN traffic going in and out. I searched Google and it gave me Sophos, but since I'm using pfSense, I just want to do it with pfSense.

            • K
              kpa
              last edited by Jun 1, 2017, 8:29 AM

              As a starter you could block outgoing connections to port 1194, but that won't block VPNs that use some other port than the officially allocated OpenVPN port 1194. If that is not enough for you, I'm afraid pfSense won't be able to do much more. The PF packet filter is a strict layer 3 filter and inspects only the IP header information in packets; the data payload, where the interesting information about for example the VPN protocol used might be found, is not available to the filter rules.

              There was an L7 filtering option in pfSense (what the other guys are referring to) that used an external helper to analyse the application-level data in packets, but the implementation was deemed unsatisfactory and it was axed.

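The port-based block kpa describes, written out as an added pf.conf fragment (this is example code, not from the thread and not pfSense's own generated ruleset; the interface name, LAN subnet and macro names are assumptions). It also makes the stated limitation visible: the rule keys only on header fields, so a VPN endpoint reached on any port other than 1194 is simply handled by the later pass rule.

```pf
# Added example, not from the thread or from pfSense.
# Assumed values: LAN interface name and LAN subnet.
lan_if      = "em1"
lan_net     = "192.168.1.0/24"
openvpn_port = "1194"   # IANA-assigned OpenVPN port; nothing else is covered

# Log and drop LAN-originated connections to the OpenVPN port, TCP and UDP.
# "quick" stops rule evaluation here so no later pass rule can override it.
block log quick on $lan_if proto { tcp udp } from $lan_net to any port $openvpn_port

# Normal LAN egress. pf matches on addresses, protocol and ports only and
# never reads the payload, so a VPN listening on 443 passes this rule untouched.
pass in on $lan_if from $lan_net to any keep state
```

Syntax-check a ruleset with `pfctl -nf /etc/pf.conf` before loading it. On pfSense the file is generated from the GUI, so the equivalent there is a LAN-tab block rule with logging enabled for destination port 1194; the logged hits in Status > System Logs > Firewall are the only evidence the rule gives you, and a client that falls back to another port leaves no trace in them.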
              • H
                heper
                last edited by Jun 1, 2017, 11:19 AM

                I've read that there might be a possibility to use ntopng's nDPI to mark packets. But I'm unsure if pf has the option to mark/match packets in such a way.

                • K
                  kpa
                  last edited by Jun 1, 2017, 11:57 AM Jun 1, 2017, 11:34 AM

                  PF doesn't have an API for external filters/helpers, so it's not possible to get the analyzed traffic "fed" back to PF and continue the normal filtering process as if the traffic had just arrived. There are of course some serious performance considerations for such an API: the helpers, if allowed, would have to run in kernel space because the filtering happens in interrupt context, where every CPU cycle is precious, so you can't allow the helpers to do whatever they want. This is probably why iptables, for example, only allows simple pattern matching on the data payload and not much else.

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Jun 9, 2017, 5:43 PM

                    If what you're looking to do is block VPN.. Why can you not just do that with Snort or Suricata? I would think those could detect the different VPN signatures of the traffic..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    • ?
                      Guest
                      last edited by Jul 16, 2017, 8:27 PM

                      @johnpoz:

                      If what you're looking to do is block VPN.. Why can you not just do that with Snort or Suricata? I would think those could detect the different VPN signatures of the traffic..

                      You are right, this could perhaps be done with Snort and app-detect.rules (OpenAppID Application Rules).

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.