Netgate Discussion Forum

How to block traffic based on URL pattern?

Firewalling
3 Posts 2 Posters 221 Views
  • blurb-baked-golf, Nov 26, 2024, 4:20 PM

    Hello,

    I'm a newbie to pfSense. I wonder how I can prevent any traffic based on a URL pattern. For example, I'm trying to block any traffic with a URL starting with a dot, as in https://<myIP>/.env

    After reading some articles, I created a rule in Snort as follows, but it didn't work:

    Services -> Snort -> Interface Settings -> LAN - Rules -> Category Selection: Custom Rules

    # Snort 2 custom rules. The http_uri buffer holds only the normalized URI,
    # which starts with "/" and never contains the method, so a content of
    # "GET /." can never match there; "/." at depth 2 is the "path starts with
    # a dot" test. On 443 the payload is TLS ciphertext, so that rule cannot
    # match at all.
    alert tcp any any -> any 443 (msg:"Blocked file starting with a dot"; content:"/."; depth:2; http_uri; sid:1000001; rev:1;)
    alert tcp any any -> any 80 (msg:"Blocked file starting with a dot"; content:"/."; depth:2; http_uri; sid:1000002; rev:1;)

    Thanks in advance for your help...

    • bmeeks, Nov 26, 2024, 6:00 PM (last edited by bmeeks Nov 26, 2024, 11:17 PM)

      pfSense cannot do what you want. The pf firewall engine only works with IP addresses. It cannot do DPI (deep packet inspection). This means it cannot make a firewall decision based on the payload data of a packet.

      The Snort or Suricata packages can perhaps do what you want, but you are going to run into the problem of encrypted network traffic. Almost nothing today uses HTTP on port 80. That is the very old cleartext web protocol port. Today, almost everything web-based is going to use port 443 which is HTTPS (SSL encryption). That means the packet content is encrypted and cannot be viewed as cleartext by anything in transit. The only two hosts that can see the contents of the packets are the workstation (browser app) and the target server (the website server).

      You can, with great difficulty and lots of pitfalls, implement a MITM (man-in-the-middle) SSL interception strategy. But that requires placing custom trusted certificates on all clients in the network and configuring them to use a proxy. Then you have to direct the decrypted traffic from the proxy to the IDS package. None of this is supported natively on pfSense.

      You could sort of do some of what you desire using the Python option with the DNS Resolver in pfSense. That tool lets you filter on domains being looked up by the resolver and block resolution of domain names matching a pattern or list. But this is not looking at the content of the URL. Instead, it is simply intercepting the DNS lookup request of the web browser client.

      • blurb-baked-golf @bmeeks, Nov 26, 2024, 8:51 PM

        @bmeeks

        Thank you so much for such a detailed explanation. It makes sense why all my trials went in vain…

        I will not overload the hardware with additional software that may or may not work.

        All of our web-facing servers are behind load balancers, and it makes sense to use the load balancers to kill such traffic…

        Appreciate your help so much

        Happy Thanksgiving to you, your family and all pfSense users ☺️

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.