How to block traffic based on URL pattern?
-
Hello,
I'm a newbie to pfSense. I wonder how I can prevent any traffic based on a URL pattern. For example, I'm trying to block any traffic with a URL starting with a dot, as in https://<myIP>/.env
After reading some articles, I created a rule in Snort as follows, but it didn't work:
Services -> Snort -> Interface Settings -> LAN - Rules -> Category Selection: Custom Rules
# The http_uri buffer holds only the normalised URI (e.g. "/.env"), never the
# request method, so content:"GET /." with http_uri can never match; match "/."
# at offset 0 of the URI instead. Note that "alert" only logs: pfSense Snort
# blocks the offending host only with Block Offenders enabled (or a drop rule in Inline IPS mode).
alert tcp any any -> any 443 (msg:"Blocked file starting with a dot"; content:"/."; depth:2; http_uri; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"Blocked file starting with a dot"; content:"/."; depth:2; http_uri; sid:1000002; rev:1;)
Thanks in advance for your help...
-
pfSense cannot do what you want. The pf firewall engine only works with IP addresses. It cannot do DPI (deep packet inspection). This means it cannot make a firewall decision based on the payload data of a packet.
The Snort or Suricata packages can perhaps do what you want, but you are going to run into the problem of encrypted network traffic. Almost nothing today uses HTTP on port 80. That is the very old cleartext web protocol port. Today, almost everything web-based is going to use port 443, which is HTTPS (SSL encryption). That means the packet content is encrypted and cannot be viewed as cleartext by anything in transit. The only two hosts that can see the contents of the packets are the workstation (browser app) and the target server (the website server).
You can, with great difficulty and lots of pitfalls, implement a MITM (man-in-the-middle) SSL interception strategy. But that requires placing custom trusted certificates on all clients in the network and configuring them to use a proxy. Then you have to direct the decrypted traffic from the proxy to the IDS package. None of this is supported natively on pfSense.
You could sort of do some of what you desire using the Python option with the DNS Resolver in pfSense. That tool lets you filter on domains being looked up by the resolver and block resolution of domain names matching a pattern or list. But this is not looking at the content of the URL. Instead, it is simply intercepting the DNS lookup request of the web browser client.
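As an added illustration of the DNS-side approach described in this reply (example code, not the poster's and not a pfSense or pfBlockerNG script): a minimal Unbound Python module that answers NXDOMAIN for names matching a pattern list. The hook names and qstate fields follow the Unbound pythonmod API; the pattern list, its contents and the helper function name are my own assumptions.

```python
# Added example: pattern-based DNS blocking for the Unbound Python module
# (what pfSense's DNS Resolver "Python Module" option loads).
# Hook names/qstate fields follow the Unbound pythonmod API; the pattern
# list and is_blocked_name() are assumed names, not from pfSense.
import re

# Constructed block list: anchored regexes over the *domain name* only.
# Nothing after the host part (e.g. the "/.env" path) is ever visible
# to the resolver, so a URL path pattern cannot be expressed here.
BLOCKED_PATTERNS = [
    re.compile(r"(^|\.)example-tracker\.com$"),      # domain + subdomains
    re.compile(r"^[a-z0-9-]+\.dyn\.example\.net$"),  # exactly one label
]


def is_blocked_name(qname: str) -> bool:
    """Return True when the queried name matches a block pattern.

    qname is the name Unbound hands us (trailing dot, any letter case),
    so normalise before matching.
    """
    name = qname.rstrip(".").lower()
    return any(p.search(name) for p in BLOCKED_PATTERNS)


# --- Unbound pythonmod hooks (names fixed by Unbound) ------------------
def init(id, cfg):
    return True


def deinit(id):
    return True


def inform_super(id, qstate, superqstate, qdata):
    return True


def operate(id, event, qstate, qdata):
    # MODULE_EVENT_*, RCODE_* and MODULE_* are injected by Unbound at load.
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        if is_blocked_name(qstate.qinfo.qname_str):
            qstate.return_rcode = RCODE_NXDOMAIN   # client never gets an IP
            qstate.ext_state[id] = MODULE_FINISHED
            return True
        qstate.ext_state[id] = MODULE_WAIT_MODULE  # hand off to the resolver
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True
```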
-
Thank you so much for such a detailed explanation. It makes sense why all my trials were in vain…
I will not overload the hardware with additional software that may or may not work.
All of our web-facing servers are behind load balancers, and it makes sense to use the load balancers to kill such traffic…
Appreciate your help so much.
Happy Thanksgiving to you, your family and all pfSense users