
Re: Firewall rules to block unwanted protocols on given ports



In <12ece38cdc9.930887499216092428.2266832439697170640@zoho.com>, 
johhny_at_poland77 wrote:
>Does somebody have an idea what kind of iptables/pf rule I must use to
>achieve this?:
>
>i only want to allow these connections [on the output chain]:
>
>on port 53 output only allow udp - dns
>on port 80 output only allow tcp - http
>on port 443 output only allow tcp - https
>on port 993 output only allow tcp - imaps
>on port 465 output only allow tcp - smtps
>on port 22 output only allow tcp - ssh
>on port 20-21 output only allow tcp - ftp
>on port 989-990 output only allow tcp - ftps
>on port 1194 output only allow udp - OpenVPN
>
>So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS is
>allowed on port 443 outbound.

How do you expect iptables to tell the difference between an outbound HTTPS 
connection and an outbound OpenVPN connection?

The IP protocol doesn't contain much more information than the IP address.  
The TCP and UDP protocols on top of it don't contain much more information 
than the port number.  Virtually all iptables modules act on either IP 
protocol information or TCP/UDP protocol information.  There was an 
"l7filter" or "l7protocol" iptables module maintained outside the iptables 
project that was supposed to scan the data passing over the virtual circuit 
to try and determine the higher layer protocols, but I don't know if it is 
still around, nor if it can tell HTTPS from OpenVPN.  It is difficult to 
impossible to determine exactly what protocol is being used when good 
encryption is in play.
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
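As an added example (not part of the thread, nor anyone's posted rules), this is the closest thing iptables can do with the poster's table: an OUTPUT allowlist keyed only on protocol and destination port, printed rather than applied so it can be reviewed first. It assumes the conntrack match is available and, exactly as Boyd says, it cannot tell OpenVPN from HTTPS on tcp/443; both are accepted as "https".

```shell
#!/bin/sh
# Added example: generate an iptables OUTPUT allowlist from the poster's
# port/protocol table. The commands are echoed, not executed, so they can
# be inspected before being run as root.
fw_rules() {
    # Loopback and replies to already-accepted connections go first.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One ACCEPT per (protocol, port) pair. The third field is only a
    # label for the reader; iptables never sees the application protocol.
    while read -r proto port label; do
        [ -n "$proto" ] || continue
        echo "iptables -A OUTPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT  # $label"
    done <<EOF
udp 53 dns
tcp 80 http
tcp 443 https
tcp 993 imaps
tcp 465 smtps
tcp 22 ssh
tcp 20:21 ftp
tcp 989:990 ftps
udp 1194 openvpn
EOF
    # Everything not matched above is dropped by policy. OpenVPN carried
    # over tcp/443 is NOT caught here: on the wire it is just tcp/443.
    echo "iptables -P OUTPUT DROP"
}

fw_rules
```

Pipe the output into `sh` only after reading it; the DROP policy is set last so an error in the rules above it does not cut the host off.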
