[PLUG] Proxyless firewalling of https...
Michael C Robinson
michael at robinson-west.com
Sun Feb 23 19:05:04 UTC 2020
I know you can do sslbump and splice and filter https, when it works and where it's legal.

Can you accomplish the same thing without going through a proxy at all? I'm thinking of the following use case:
1) An https request for foo.bar.com comes into a Linux based iptables gateway firewall.
2) There is an iptables firewall prerouting intercept of all https packets on the router.
3) The packet is evaluated by a shell script at the application layer for foo.bar.com against lists of site names, black and white.
4) Assume that the foo.bar.com name is found on the blacklist.
5) Block the request.
Notice that what I'm thinking doesn't involve squid at all. The reason is, sslbump and splice will break most sites. There is also the issue that it isn't legal in some jurisdictions to intercept https.

One option is an iptables firewall that by default blocks https with a chain containing destinations that are allowed https. Keeping this chain up to date could be problematic. This simple approach doesn't offer a safe means to expand the list, such as accessing unknown site https through a filtering proxy.

If there is a way to filter https through squid without replacing the remote certificate, I'd like to know about it.
Obviously, my use case will be different if foo.bar.com is, for example, the credit union off the whitelist. Then 4 and 5 change, where 5 becomes allowing a standard https connection without a proxy in between. Think: this connection will utilize masquerading.
Even if I can legally run https through squid, I can save on bandwidth if I have a blacklist and whitelist. If I'm hooking to a legitimate site, I don't need to go through a proxy at all. Most https connections fail if you go through squid. There's no good reason to filter known good sites.

It doesn't help that no screen accountability apps work in Linux and that none of them are free. I actually prefer to be in a Linux environment over Windows and MacOS-X, but I struggle with bad surfing habits. The only solution is a change of habit, but crutches will be helpful as the habit stubbornly remains.
I cannot give up the Internet completely; I have an email server out on it, and how will I keep Linux up to date? I also have to access financial institutions, and there is legitimate surfing for legitimate research.

I want to be able to do what I legitimately do and have accountability with filtering. Once the server is set up, my wife should be the only one who can grant access to it.

While on the subject, I have not gotten transparent proxying to work, so I'm using web security currently through explicit proxy settings in Firefox. What is a socks host?
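As an added illustration, not part of the original post, of what step 3 has to do when no proxy terminates TLS: the only cleartext site name available to the gateway is the SNI in the TLS ClientHello, so the filter parses that and applies the post's allow/deny/unknown policy. The list contents and the ClientHello builder are constructed test inputs; hooking this into iptables (for example via an NFQUEUE handler) is assumed and not shown.

```python
import struct

# Constructed sample policy lists (not from the original post).
ALLOWLIST = {"creditunion.example"}
DENYLIST = {"foo.bar.com"}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension (test input only)."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # name type 0 = host_name
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                       # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                         # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)                # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                      # handshake record, ClientHello
            return None
        pos = 9 + 2 + 32                                                # skip headers, version, random
        pos += 1 + record[pos]                                          # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]          # cipher suites
        pos += 1 + record[pos]                                          # compression methods
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]     # end of extensions
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0:                                              # server_name extension
                nlen = struct.unpack("!H", record[pos + 3:pos + 5])[0]  # skip list len (2), name type (1)
                return record[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def decide(record: bytes) -> str:
    """Apply the post's policy: deny list blocks, allow list goes direct, unknown names go to a filter."""
    host = extract_sni(record)
    if host is None or host in DENYLIST:
        return "block"              # no usable SNI: cannot name-filter, so fail closed
    if host in ALLOWLIST:
        return "allow-direct"       # masqueraded, no proxy in the path
    return "redirect-proxy"         # the safe way to expand the list the post asks for
```

The SNI is cleartext in TLS 1.2 and 1.3 unless Encrypted Client Hello is in use, and a client that sends no SNI falls into the fail-closed branch, so a whitelist built this way stays enforceable only for hosts whose names are visible on the wire.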