Workstation software blocking



  • On PFS I was wanting to know what's the best way to block workstation software by its name from connecting to the net?
    Without using a workstation firewall. I know some software firewalls can be set up that way. But can I do it on my PFS?



  • @ventiman:

    On PFS I was wanting to know what's the best way to block workstation software by its name from connecting to the net?

    Sorry I don't understand the question. You want pfSense to block Internet access from a workstation depending on the name of the software running on the workstation; for example, block Internet Explorer on the workstation from accessing google.com but allow Firefox to access google.com?


  • Banned

    Not possible. Completely different OSI layer. Dunno what "some software firewalls" you mean, e.g. with iptables you can only do this for traffic originating from localhost - obviously. E.g.

    
    # Match on the command name of the *local* process that created the packet.
    # This only works in the OUTPUT chain, i.e. for packets generated on the box running iptables.
    # Note: --cmd-owner was dropped from the kernel's owner match long ago (2.6.14);
    # on current kernels only --uid-owner / --gid-owner (and --socket-exists) survive.
    iptables -A OUTPUT -m owner --cmd-owner firefox -j DROP
    
    

    For traffic originating on other machines, you have no information about the process that created the packet, hence you cannot filter it this way.
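To make the "different OSI layer" point concrete, here is an added example (not code from the thread or from pfSense): a minimal parser for a constructed IPv4/TCP packet that returns exactly the fields a packet filter on the router has available, and a tiny rule evaluator in the pfSense style (source/destination network, protocol, port). The packet bytes, addresses and the `matches_rule` helper are my own constructions for illustration.

```python
import ipaddress
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"    # 20-byte IPv4 header, no options
TCP_FMT = "!HHIIBBHHH"      # 20-byte TCP header, no options


def build_packet(src, dst, sport, dport, payload=b""):
    """Construct a minimal IPv4/TCP packet (checksums left at zero; sample data only)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(IP_FMT, 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    # data offset 5 (0x50), flags PSH|ACK (0x18), window 65535
    tcp_hdr = struct.pack(TCP_FMT, sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def router_view(packet):
    """Everything a router/firewall in the path can decide on: L3 and L4 header fields.

    There is no field anywhere in the packet that names the process on the
    workstation that generated it, so "process name" can never be a rule criterion here.
    """
    (ver_ihl, _tos, _total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IP_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    view = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl}
    if proto == 6:  # TCP: add the port numbers and flags
        sport, dport, _seq, _ack, _off, flags, _win, _tcsum, _urg = \
            struct.unpack(TCP_FMT, packet[ihl:ihl + 20])
        view.update({"sport": sport, "dport": dport, "flags": flags})
    return view


def matches_rule(view, rule):
    """Evaluate a pfSense-style rule: every criterion in the rule must match the packet.

    src_net/dst_net are CIDR matches; any other key is an exact match against the
    parsed view. A criterion the packet simply does not carry (e.g. "process")
    can never match, which is the whole point of the thread.
    """
    for key, wanted in rule.items():
        if key in ("src_net", "dst_net"):
            addr = ipaddress.ip_address(view[key[:3]])
            if addr not in ipaddress.ip_network(wanted):
                return False
        elif view.get(key) != wanted:
            return False
    return True


if __name__ == "__main__":
    pkt = build_packet("192.168.1.50", "142.250.74.46", 51234, 443)
    v = router_view(pkt)
    print(v)
    print("block google:443 rule ->", matches_rule(v, {"dst_net": "142.250.0.0/16", "dport": 443}))
    print("block firefox.exe rule ->", matches_rule(v, {"process": "firefox.exe"}))
```

The second rule is the one the original poster wanted; it fails not because the rule is wrong but because the packet carries nothing the rule could be compared against. Only the host that owns the socket (the workstation, via its own firewall) knows which executable is behind the connection.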



  • "Some firewalls" was referring to, say, the firewall that comes with Windows, or ZoneAlarm, and a few others I'm sure.

    Prevent a Program from Accessing the Internet. I remember you could do that on theirs. I just was wanting to know if it can be done the PFS way. If not, then I'll have to install or turn on Windows Firewall on some workstations to use that aspect of it.


  • Banned

    Already answered. No. Kindly note the subtle difference about "localhost". Those "some firewalls" will block exactly nothing in this respect when running on the router while the applications run on workstations.



  • You may be able to block certain software if what it does is unique enough to flag on a L7 rule. You probably won't be able to do something like block web traffic from an app, though, unless the traffic is all directed at a single server which you could then block.



  • @doktornotor:

    Already answered. No. Kindly note the subtle difference about "localhost". Those "some firewalls" will block exactly nothing in this respect when running on the router while the applications run on workstations.

    So you're saying software firewalls will not do any outbound protection on a localhost?


  • Banned

    @ventiman:

    So you're saying software firewalls will not do any outbound protection on a localhost?

    No, that's not what I'm saying at all. Read again.



  • The firewall can only see actual packets of data traveling between the LAN clients and the big bad internet. The firewall is (usually with pfSense) also the router. So it "naturally" sees the layer 3 contents of packets - ultimate destination IP, supposed source IP (the client can spoof that of course, if it wants to make some nasty attack somewhere and doesn't care that replies do not get back to it). And it can easily look a little higher in the network protocol, at the port numbers for TCP/UDP… or other packet types like ICMP... So it can easily make filtering decisions on that information. Ultimately that is a kind of "sledge-hammer" approach, but it is quick and effective - the firewall (a list from somewhere...) knows the IP address/protocol/port combinations of nasty places and just blocks them; whole sites are blocked because they have some bad content... It is effective because usually a site with bad content has lots of bad content and very little good (if any). Sites that just get a little bit of bad content accidentally will clean up their act to avoid being blocked, and then get themselves removed from the "bad" list/s.
    Layer 7 filtering is also possible - with good enough software and CPU to pull apart the guts of each packet and try to reverse-engineer what the application is. If you are lucky, it might be HTTP to/from a browser that identifies which browser it is and what version. You can pass/block on that sort of thing. But, for example, you might want to block Firefox-sourced HTTP (just an example, no idea why you would want this), so you find layer 7 software that can do this. Then the client user simply selects a setting in Firefox that is "emulate Internet Explorer". Then Firefox sends identification strings/versions... that look just like IE. Your "Firefox block" rule does not work. Someone can write any program and have it send/receive HTTP traffic that looks just like what Firefox does, but they are not running Firefox.exe on their client. The layer 7 filter will match it and think it is Firefox. Ultimately, layer 7 packet inspection can say "the user seems to be doing communications using an application protocol that is [known to be dangerous|sucks bandwidth|other reason we do not want it]". But it can't say "the user is running skype.exe".
    And then the application switches to use https: and you have loads more trouble seeing the layer 7 application data!
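An added example (my own code, not from the thread or any pfSense layer 7 package) of what a layer 7 "browser" rule actually amounts to, and how the two evasions described above defeat it: a minimal HTTP/1.x request-head parser, a classifier keyed on the User-Agent header, and a decision function. The request bytes, the User-Agent strings, the pattern table and the function names are all constructed for illustration.

```python
import re

# Layer 7 "browser fingerprint": nothing more than a regex over one client-supplied header.
BROWSER_PATTERNS = [
    ("msie", re.compile(r"MSIE \d|Trident/")),
    ("firefox", re.compile(r"Firefox/\d")),
]

# Constructed User-Agent strings in the style of the era of this thread (sample data).
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
IE_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

# First bytes of a TLS record (content type 0x16 = handshake, record version 3.1).
# Constructed to stand in for what an https: connection looks like on the wire.
TLS_RECORD_PREFIX = bytes.fromhex("160301")


def http_request(host, user_agent, target="/"):
    """Build the bytes a browser puts on the wire for a cleartext GET (sample data)."""
    return (f"GET {target} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: {user_agent}\r\n\r\n").encode()


def parse_http_request(raw):
    """Parse an HTTP/1.x request head. Returns None if the bytes are not cleartext HTTP."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": m.group(1).decode(), "target": m.group(2).decode(), "headers": headers}


def classify_browser(raw):
    """What the layer 7 engine can say about one request: msie / firefox / unknown / opaque."""
    req = parse_http_request(raw)
    if req is None:
        return "opaque"      # e.g. TLS: the headers are inside the encrypted payload
    ua = req["headers"].get("user-agent", "")
    for name, pattern in BROWSER_PATTERNS:
        if pattern.search(ua):
            return name
    return "unknown"


def l7_decision(raw, blocked=("firefox",)):
    """The 'block Firefox' rule from the post: pass everything not classified as blocked."""
    return "block" if classify_browser(raw) in blocked else "pass"


if __name__ == "__main__":
    honest = http_request("google.com", FIREFOX_UA)
    # Evasion 1: Firefox with its User-Agent overridden to the IE string. Byte-for-byte
    # indistinguishable from a real IE request, so the rule cannot tell them apart.
    spoofed_from_firefox = http_request("google.com", IE_UA)
    # Evasion 2: the same request inside TLS; the filter never sees a User-Agent at all.
    over_https = TLS_RECORD_PREFIX + bytes(40)
    for label, raw in [("firefox", honest), ("firefox pretending to be IE", spoofed_from_firefox),
                       ("https", over_https)]:
        print(f"{label:30s} -> {classify_browser(raw):8s} {l7_decision(raw)}")
```

The classifier's verdict is only ever "this request *claims* to come from Firefox"; the claim costs the client nothing to change, and once the session is TLS there is no claim to inspect. That is why the earlier posts say the router can match an application *protocol* but never an *executable name*.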



  • You could do it easily with Squid.

    http://blog.wains.be/2007/06/07/blocking-internet-explorer-with-the-squid-web-proxy/

    Don't edit the Squid config file directly. Use the Custom Options text area on the Services / Proxy Server menu on pfSense.
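The Squid approach from the post above, as an added example that is not from the original post or the linked blog: Squid's `browser` ACL type regex-matches the request's User-Agent header, so two lines pasted into the Custom Options box refuse anything that identifies itself as Internet Explorer. The ACL name `msie` and the regexp are my choices.

```conf
# Match any request whose User-Agent header contains "MSIE" (case-insensitive).
acl msie browser -i MSIE
# Refuse those requests. This must come before the http_access allow rule for
# the LAN; Squid takes the first http_access line that matches.
http_access deny msie
```

Two caveats follow from the rest of the thread. First, this only governs traffic that actually passes through the proxy: in transparent mode only port 80 is redirected to Squid, so https: traffic never reaches the ACL, whereas with the proxy configured explicitly in the browser the User-Agent header also appears on the CONNECT request and the rule applies to HTTPS as well. Second, the User-Agent is supplied by the client, so this blocks "software that says it is IE", not "IE.exe"; a user can change the string, and any other program can send it.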