[PLUG] Proxyless firewalling of https...

Michael C Robinson michael at robinson-west.com
Sun Feb 23 19:05:04 UTC 2020


I know you can do sslbump and splice and filter https, when it works and where it's legal.

Can you accomplish the same thing without going through a proxy at all?

I'm thinking of the following use case:

1) An https request for foo.bar.com comes into a Linux based iptables gateway firewall.

2) There is an iptables firewall prerouting intercept of all https packets on the router.

3) The packet is evaluated by a shell script at the application layer for foo.bar.com against lists of site names, black and white.

4) Assume that the foo.bar.com name is found on the blacklist.

5) Block the request.

Notice that what I'm thinking doesn't involve squid at all.  The reason is, sslbump and splice will break most sites.  There is also the issue that it isn't legal in some jurisdictions to intercept https.

One option is an iptables firewall that by default blocks https with a chain containing destinations that are allowed https.  Keeping this chain up to date could be problematic.  This simple approach doesn't offer a safe means to expand the list, such as accessing unknown site https through a filtering proxy.

If there is a way to filter https through squid without replacing the remote certificate, I'd like to know about it.

Obviously, my use case will be different if foo.bar.com is the credit union, for example, off of the white list.  Then 4 and 5 change, where 5 becomes allow a standard https connection without a proxy in between.  Think, this connection will utilize masquerading.

Even if I can legally run https through squid, I can save on bandwidth if I have a blacklist and whitelist.  If I'm hooking to a legitimate site, I don't need to go through a proxy at all.  Most https connections fail if you go through squid.  There's no good reason to filter known good sites.

It doesn't help that no screen accountability apps work in Linux and that none of them are free.  I actually prefer to be in a Linux environment over Windows and MacOS-X, but I struggle with bad surfing habits.  The only solution is a change of habit, but crutches will be helpful as the habit stubbornly remains.  I cannot give up the Internet completely; I have an email server out on it, and how will I keep Linux up to date?  I also have to access financial institutions, and there is legitimate surfing for legitimate research.

I want to be able to do what I legitimately do and have accountability with filtering.  Once the server is set up, my wife should be the only one who can grant access to it.

While on the subject, I have not gotten transparent proxying to work, so I'm using web security currently through explicit proxy settings in firefox.  What is a socks host?
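As an added example, not code from the original post or the PLUG thread, this shows how step 3 of the use case could classify an intercepted https connection without decrypting it: the only hostname visible on the wire is the SNI in the TLS ClientHello, so the script parses that and checks it against the blacklist and whitelist, with a third "proxy" verdict for unknown sites that the author wants routed through a filtering proxy. The ClientHello is constructed inline as sample input, the list contents are hypothetical, and a connection with no readable SNI is failed closed.

```python
import struct

def build_client_hello(hostname):
    """Constructed sample input: a minimal TLS ClientHello record carrying an SNI extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 (host_name) + name
    sni = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32      # client_version, random
            + b"\x00"                       # empty session_id
            + b"\x00\x02\xc0\x2f"           # one cipher suite
            + b"\x01\x00"                   # null compression
            + struct.pack("!H", len(sni)) + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake

def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01: return None
        pos = 5 + 4 + 2 + 32                 # record header, handshake header, version, random
        pos += 1 + record[pos]               # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]               # compression_methods
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:                # walk the extensions
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0:                   # server_name extension
                p = pos + 2                  # skip server_name_list length
                while p + 3 <= pos + elen:
                    ntype, nlen = record[p], struct.unpack("!H", record[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0: return record[p:p + nlen].decode("ascii")
                    p += nlen
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def matches(host, names):
    """Exact or subdomain match: 'bar.com' covers 'foo.bar.com' but not 'notbar.com'."""
    return any(host == n or host.endswith("." + n) for n in names)

def decide(record, allowlist, blocklist):
    """Verdict per ClientHello: 'direct' (masquerade), 'block', or 'proxy' for an unknown site."""
    host = extract_sni(record)
    if host is None: return "block", None    # no SNI to classify on: fail closed
    host = host.lower().rstrip(".")
    if matches(host, blocklist): return "block", host
    if matches(host, allowlist): return "direct", host   # known-good site, no proxy in between
    return "proxy", host                     # unknown site: hand to the filtering proxy
```

The verdict has to be taken once per connection on the first client bytes (for example from a userspace redirect target), not per packet, since only the ClientHello carries the name.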
