From: David Andrzejewski
To: freebsd-pf@freebsd.org
Date: Fri, 19 Aug 2011 08:16:22 -0400
Subject: Re: blocking spotify with pf
In-Reply-To: <9EB23F6C23A8B6488E8BCC92A48E83261277D43E76@PEMEXMBXVS04.jellyfishnet.co.uk.local>
List-Id: Technical discussion and general questions about packet filter (pf)
Agreed, you probably want to look into blocking all by default, opening up what you want to allow (even if it is just about everything else), and forcing all web traffic through a transparent proxy. Consider squid with squidGuard and a good set of blacklists. The blacklists are usually categorized, and with squidGuard you can choose which categories to block and which to allow.

As an example, a pf rule that would force port 80 traffic through transparent squid running on port 3128 is:

    rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

- Dave

On Fri, Aug 19, 2011 at 6:33 AM, Greg Hennessy wrote:
> > Recently it has come to our attention that bandwidth has become an issue
> > with increased spotify usage throughout the company. I'm looking for a way
> > to block access to it in pf. The rule that I am trying is the following:
> >
> > table { 78.31.8.0/22, 193.182.8.0/21 }
> > block return in quick on $int_if proto tcp from 192.168.1.0/24 to
> > port 4070
> >
> > For whatever reason it is showing that the rule is working but not really
> > working. Am I missing something?
>
> Yes, stop trying to plug a leak in a colander by using a match stick.
>
> Block by default by starting the policy with
>
> block log all
>
> And only allow routed egress to the specific sites and services which are
> directly related to a valid business requirement.
> Run all browser traffic through a proxy server to categorise and inspect
> the content, permitting internet access from the proxy to 80 and 443/tcp
> only.
>
> For a business that describes itself as 'advanced e-commerce' you guys
> should know this already; this is not rocket science.
>
> With an open door flapping in the breeze as suggested above, if I were to
> speculate, I would suggest that Spotify is the least problem you should
> worry about right now.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

-- 
David Andrzejewski
http://davidandrzejewski.me
http://www.davidandrzejewski.com
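The design both replies converge on (default deny, rdr of port 80 into squid, egress on 80/443 only for the proxy) as a complete pf.conf sketch. This is an added example, not from any of the posts. Interface names, the LAN prefix, the "squid" user, the DNS allowance and the table name are assumptions; port 3128, port 4070 and the two address ranges come from the thread. It also keeps a labelled version of the original poster's port-4070 rule, purely as a counter: the Spotify client uses 4070 first and falls back to 443 and then 80, which is why that rule "works" in the counters while the music keeps playing.

```pf
# Added example (not from any of the posts): a default-deny pf.conf for the
# design described in the thread. Interface names, the LAN prefix, the "squid"
# user, the DNS allowance and the table name are assumptions; 3128, 4070 and
# the two address ranges come from the thread.
ext_if     = "em0"
int_if     = "em1"
lan        = "192.168.1.0/24"
proxy_port = "3128"

# Address ranges the original poster was trying to block (table name assumed).
table <spotify> persist { 78.31.8.0/22, 193.182.8.0/21 }

set skip on lo0
scrub in all

# Translation rules precede filter rules in this pf grammar. Plain HTTP from
# the LAN is rewritten to squid on the firewall; squid must listen in
# interception mode on that port.
rdr on $int_if inet proto tcp from $lan to any port www -> 127.0.0.1 port $proxy_port

# Default deny, logged. Everything that follows is an explicit exception.
block log all

# Redundant under default deny, but the label gives a counter (pfctl -sl) that
# shows whether clients are still trying 4070 or have fallen back to 443/80.
# "return" sends a RST so the client fails fast instead of hanging.
block return in log quick on $int_if inet proto tcp from $lan to <spotify> \
    port 4070 label "spotify-4070"

# LAN -> firewall: DNS, explicit proxy connections (browsers configured for
# CONNECT on 443), and the rdr'd HTTP. pf filters on the translated
# destination, hence 127.0.0.1 alongside the interface address.
pass in on $int_if inet proto { tcp, udp } from $lan to $int_if port domain keep state
pass in on $int_if inet proto tcp from $lan to { $int_if, 127.0.0.1 } port $proxy_port keep state

# Firewall -> Internet: DNS, and web only from sockets owned by the proxy
# user. LAN hosts have no direct route out, so a client that falls back to
# 443 simply meets the default deny.
pass out on $ext_if inet proto { tcp, udp } from $ext_if to any port domain keep state
pass out on $ext_if inet proto tcp from $ext_if to any port { www, https } user squid keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`, then watch `tcpdump -n -e -ttt -i pflog0` to see what the default deny is catching; that log, not guesswork, is how the allow list gets built. The `user squid` match works because the proxy's connections originate on the firewall itself; squid is assumed to run as that user. On the squid side the port in the rdr rule needs interception enabled (`transparent` on Squid 2.x, `intercept` on 3.1 and later), a build with pf support (`--enable-pf-transparent`) and read access to /dev/pf, otherwise squid cannot recover the original destination. The rdr only catches port 80; 443 cannot be intercepted this way without breaking TLS, so HTTPS goes through the proxy only where browsers are configured for it, and the egress rule restricted to the proxy user is what makes the default deny hold for everything else.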