* https permit/deny
@ 2007-02-11 16:21 vects
  2007-02-11 17:45 ` Leonardo Rodrigues Magalhães
  0 siblings, 1 reply; 6+ messages in thread
From: vects @ 2007-02-11 16:21 UTC (permalink / raw)
  To: netfilter

Hi,

I'm looking for a solution to the following problem: I have to enable/disable
access to a list of https web servers. I don't know their IPs in
advance; the permit rule must be based on the URL the user typed in the location bar.

Is it possible to do that with iptables and extensions?
I thought about the l7 filter.

Any help/hints will be appreciated very much.

Thanks, Alexc. 
 





* Re: https permit/deny
  2007-02-11 17:45 ` Leonardo Rodrigues Magalhães
@ 2007-02-11 16:55   ` vects
  2007-02-11 18:42     ` Leonardo Rodrigues Magalhães
  0 siblings, 1 reply; 6+ messages in thread
From: vects @ 2007-02-11 16:55 UTC (permalink / raw)
  To: Leonardo Rodrigues Magalhães; +Cc: netfilter

On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues Magalhães wrote:
>     Never used l7 for doing that kind of filtering, don't know if it's
> possible.
> 
>     Anyway, if you need some hard filtering based on URLs, both http and
> https, I would recommend that you use an http/https proxy, just like
> squid, for doing that.
> 
>     Completely block https (TCP/443) traffic with iptables and get your
> clients to use an http/https proxy and do the filtering there. I'm
> pretty convinced it will be easier and you'll have a lot more
> flexibility on the rules. Squid's ACLs are pretty flexible; you should
> give it a try.
Does it work in transparent mode (I mean for https)?
I just can't tell all clients to use squid by phone; https filtering
must be hidden from them. As far as I know the latest squid supports a totally
transparent mode; does that work for https also?

Thanks, Alexc.

> 
> 
> vects wrote:
> > Hi,
> >
> > I'm looking for a solution to the following problem: I have to enable/disable
> > access to a list of https web servers. I don't know their IPs in
> > advance; the permit rule must be based on the URL the user typed in the location bar.
> >
> > Is it possible to do that with iptables and extensions?
> > I thought about the l7 filter.
> >
> >   
> 




* Re: https permit/deny
  2007-02-11 16:21 https permit/deny vects
@ 2007-02-11 17:45 ` Leonardo Rodrigues Magalhães
  2007-02-11 16:55   ` vects
  0 siblings, 1 reply; 6+ messages in thread
From: Leonardo Rodrigues Magalhães @ 2007-02-11 17:45 UTC (permalink / raw)
  To: vects; +Cc: netfilter


    Never used l7 for doing that kind of filtering, don't know if it's
possible.

    Anyway, if you need some hard filtering based on URLs, both http and
https, I would recommend that you use an http/https proxy, just like
squid, for doing that.

    Completely block https (TCP/443) traffic with iptables and get your
clients to use an http/https proxy and do the filtering there. I'm
pretty convinced it will be easier and you'll have a lot more
flexibility on the rules. Squid's ACLs are pretty flexible; you should
give it a try.


vects wrote:
> Hi,
>
> I'm looking for a solution to the following problem: I have to enable/disable
> access to a list of https web servers. I don't know their IPs in
> advance; the permit rule must be based on the URL the user typed in the location bar.
>
> Is it possible to do that with iptables and extensions?
> I thought about the l7 filter.
>
>   

-- 


	Atenciosamente / Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it







* Re: https permit/deny
  2007-02-11 16:55   ` vects
@ 2007-02-11 18:42     ` Leonardo Rodrigues Magalhães
  2007-02-13  7:28       ` vects
  0 siblings, 1 reply; 6+ messages in thread
From: Leonardo Rodrigues Magalhães @ 2007-02-11 18:42 UTC (permalink / raw)
  To: netfilter



vects wrote:
> On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues Magalhães wrote:
>   
>>     Never used l7 for doing that kind of filtering, don't know if it's
>> possible.
>>
>>     Anyway, if you need some hard filtering based on URLs, both http and
>> https, I would recommend that you use an http/https proxy, just like
>> squid, for doing that.
>>
>>     Completely block https (TCP/443) traffic with iptables and get your
>> clients to use an http/https proxy and do the filtering there. I'm
>> pretty convinced it will be easier and you'll have a lot more
>> flexibility on the rules. Squid's ACLs are pretty flexible; you should
>> give it a try.
>>     
> Does it work in transparent mode (I mean for https)?
> I just can't tell all clients to use squid by phone; https filtering
> must be hidden from them. As far as I know the latest squid supports a totally
> transparent mode; does that work for https also?
>   

    httpS simply can't be handled in a completely transparent mode, because
that would be detected as a 'man-in-the-middle' attack by the browser
and would break the end-to-end cryptography that SSL/TLS uses.

    http can be completely transparent, but https cannot.

    Anyway, if you search the archives, you'll find that it's a common
opinion that iptables is not the right place, even with layer7 patches,
to do complex layer7 filtering. It can even do some application
filtering, but it's not meant to replace application proxy tools
such as squid for http/https. Complex rules can be applied in an
easier and more flexible way at the application layer, with an
appropriate application proxy.

-- 


	Atenciosamente / Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it
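As an added example (my own code, not squid's and not anything posted in this thread), here is a small model of what the proxy Leonardo recommends in his first message actually gets to see of an HTTPS request once TCP/443 is blocked for everyone but the proxy: nothing more than the CONNECT line with host and port, because, as his second message explains, everything after that is inside TLS. The allowlist, the helper names and the request lines are constructed for illustration; the matching follows squid's dstdomain convention, where a leading dot covers the domain and all of its subdomains.

```javascript
// Added example, not from the thread or from squid: a model of what a
// CONNECT-style proxy such as squid sees of an HTTPS request, with a
// dstdomain-style allowlist evaluated against it. All names are invented.

// Constructed allowlist in squid "dstdomain" style: a leading dot matches
// the domain itself and every subdomain; a bare name matches exactly.
const ALLOWED_DOMAINS = [".bank.example", "mail.example.net"];

// Constructed request lines as the proxy would receive them.
const SAMPLE_REQUESTS = [
  "CONNECT online.bank.example:443 HTTP/1.1",
  "CONNECT bank.example:443 HTTP/1.1",
  "CONNECT notbank.example:443 HTTP/1.1",
  "CONNECT mail.example.net:443 HTTP/1.1",
  "CONNECT mail.example.net:8443 HTTP/1.1",
  "CONNECT 203.0.113.10:443 HTTP/1.1",
  "GET http://bank.example/login HTTP/1.1",
];

// For an HTTPS site the browser sends "CONNECT host:port HTTP/1.x" and
// then speaks TLS through the tunnel. The host and port are all the
// proxy can filter on; path, query and headers are encrypted end to end.
function parseConnectLine(line) {
  const m = /^CONNECT\s+(\[[^\]]+\]|[^\s:]+):(\d+)\s+HTTP\/1\.[01]\s*$/i.exec(line);
  if (!m) return null;
  return { host: m[1].toLowerCase(), port: Number(m[2]) };
}

// squid dstdomain semantics: ".example.com" matches example.com and
// anything below it; "www.example.com" matches only that host.
function domainMatches(host, pattern) {
  const p = pattern.toLowerCase();
  if (p.startsWith(".")) return host === p.slice(1) || host.endsWith(p);
  return host === p;
}

// A name-based rule has nothing to match when the address is typed instead.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
}

// Decide whether the tunnel may be opened; returns the verdict and why.
function decideConnect(line, allowed = ALLOWED_DOMAINS) {
  const req = parseConnectLine(line);
  if (!req) return { verdict: "deny", reason: "not a CONNECT request" };
  if (req.port !== 443) return { verdict: "deny", reason: "tunnel to non-443 port" };
  if (isIpLiteral(req.host)) return { verdict: "deny", reason: "IP literal, no domain to match" };
  const hit = allowed.find((p) => domainMatches(req.host, p));
  return hit
    ? { verdict: "allow", reason: `matched ${hit}` }
    : { verdict: "deny", reason: "host not on allowlist" };
}

// Run the constructed requests through the policy; returns [line, verdict].
function auditSample() {
  return SAMPLE_REQUESTS.map((line) => [line, decideConnect(line).verdict]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [line, verdict] of auditSample()) console.log(verdict.padEnd(5), line);
}
```

The point for the original question is that a permit rule for https can be keyed on the host name the user typed, but never on the path behind it; the extra denies for IP literals and for tunnels to ports other than 443 are the two checks a name-based list needs so that it is not trivially sidestepped.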







* Re: https permit/deny
  2007-02-11 18:42     ` Leonardo Rodrigues Magalhães
@ 2007-02-13  7:28       ` vects
  2007-02-13  7:58         ` Frank Petran
  0 siblings, 1 reply; 6+ messages in thread
From: vects @ 2007-02-13  7:28 UTC (permalink / raw)
  To: Leonardo Rodrigues Magalhães; +Cc: netfilter

On Sun, 2007-02-11 at 15:42 -0300, Leonardo Rodrigues Magalhães wrote:
> 
> vects wrote:
> > On Sun, 2007-02-11 at 14:45 -0300, Leonardo Rodrigues Magalhães wrote:
> >   
> >>     Never used l7 for doing that kind of filtering, don't know if it's
> >> possible.
> >>
> >>     Anyway, if you need some hard filtering based on URLs, both http and
> >> https, I would recommend that you use an http/https proxy, just like
> >> squid, for doing that.
> >>
> >>     Completely block https (TCP/443) traffic with iptables and get your
> >> clients to use an http/https proxy and do the filtering there. I'm
> >> pretty convinced it will be easier and you'll have a lot more
> >> flexibility on the rules. Squid's ACLs are pretty flexible; you should
> >> give it a try.
> >>     
> > Does it work in transparent mode (I mean for https)?
> > I just can't tell all clients to use squid by phone; https filtering
> > must be hidden from them. As far as I know the latest squid supports a totally
> > transparent mode; does that work for https also?
> >   
> 
>     httpS simply can't be handled in a completely transparent mode, because
> that would be detected as a 'man-in-the-middle' attack by the browser
> and would break the end-to-end cryptography that SSL/TLS uses.
Agree.

> 
>     http can be completely transparent, but https cannot.
I have to find some other solution for my task; sounds like iptables
with l7 is the one for me.
Does somebody know another list where I can ask for help?

> 
>     Anyway, if you search the archives, you'll find that it's a common
> opinion that iptables is not the right place, even with layer7 patches,
> to do complex layer7 filtering. It can even do some application
> filtering, but it's not meant to replace application proxy tools
> such as squid for http/https. Complex rules can be applied in an
> easier and more flexible way at the application layer, with an
> appropriate application proxy.
As I said, I have a constraint: I can't contact customers and ask them
to set a proxy server, which prevents me from using an application proxy for
https.

Thanks, Alexc
 






* Re: https permit/deny
  2007-02-13  7:28       ` vects
@ 2007-02-13  7:58         ` Frank Petran
  0 siblings, 0 replies; 6+ messages in thread
From: Frank Petran @ 2007-02-13  7:58 UTC (permalink / raw)
  To: netfilter

On Tuesday 13 February 2007 08:28, vects wrote:
> As I said, I have a constraint: I can't contact customers and ask them
> to set a proxy server, which prevents me from using an application proxy for
> https.
Why don't you just set up an automatic proxy configuration? All the customer
needs to do then is to select "automatic proxy discovery" in his/her
browser. Internet Explorer, which most people tend to use anyway, already
has this preconfigured.
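Frank's suggestion, as an added example of my own rather than anything from the thread: a proxy auto-configuration (PAC) script of the kind automatic proxy discovery hands to the browser, sending every non-local URL, http and https alike, to the filtering proxy. The proxy name, the internal domain and the address ranges are placeholders; the three helper functions at the top are normally provided by the browser and are defined here only so the script also runs stand-alone.

```javascript
// Added example, not part of the thread: a proxy auto-configuration (PAC)
// script of the kind "automatic proxy discovery" hands to browsers.
// proxy.corp.example:3128 and .corp.example are placeholder names.

// Browsers supply these helpers to PAC scripts; the minimal versions below
// exist only so the file also runs stand-alone under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function shExpMatch(str, pattern) {
  const re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// Where the browser is told to send everything that is not local.
// With TCP/443 blocked at the firewall for every source but this proxy,
// a client that ignores the PAC simply cannot reach HTTPS sites.
const FILTERING_PROXY = "PROXY proxy.corp.example:3128";

// Entry point every PAC script must define; the browser calls it per URL.
function FindProxyForURL(url, host) {
  // Internal destinations are reached directly: unqualified names, the
  // internal domain, loopback and the (constructed) LAN ranges.
  // shExpMatch is a plain string match, not a subnet test; isInNet would
  // need a DNS lookup and is left out here.
  if (
    isPlainHostName(host) ||
    dnsDomainIs(host, ".corp.example") ||
    host === "localhost" || host === "127.0.0.1" ||
    shExpMatch(host, "10.*") ||
    shExpMatch(host, "192.168.*")
  ) {
    return "DIRECT";
  }
  // Everything else, http and https alike, goes through the filtering
  // proxy. No "; DIRECT" fallback is appended: that would silently
  // bypass the filter whenever the proxy is unreachable.
  return FILTERING_PROXY;
}

// Constructed URLs to exercise the policy; returns [host, decision].
function evaluateSample() {
  const sample = [
    ["https://mail.example.net/inbox", "mail.example.net"],
    ["http://intranet/", "intranet"],
    ["https://wiki.corp.example/", "wiki.corp.example"],
    ["http://10.0.0.5/", "10.0.0.5"],
    ["https://corp.example.other.test/", "corp.example.other.test"],
  ];
  return sample.map(([url, host]) => [host, FindProxyForURL(url, host)]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [host, decision] of evaluateSample()) console.log(decision.padEnd(30), host);
}
```

A PAC file only steers browsers that honour it, so it solves the "cannot phone every customer" problem but is not an enforcement point; the iptables block on TCP/443 for all sources except the proxy, as recommended earlier in the thread, is what keeps an unconfigured client from going around it.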


