From: "K. de Jong" <kees.dejong@neobits.nl>
To: netfilter <netfilter@vger.kernel.org>
Subject: Re: Filter based on string (or other content)
Date: Sun, 13 Sep 2020 12:59:35 +0200 [thread overview]
Message-ID: <e2df420904ad798ffef01c7efc895bd38fbcb428.camel@neobits.nl> (raw)
In-Reply-To: <55b116c5-5b29-f4bc-24ad-6d55a74a71c8@hajes.org>
[-- Attachment #1: Type: text/plain, Size: 2038 bytes --]
On Sat, 2020-09-12 at 17:45 +0200, david@hajes.org wrote:
> sounds like Layer-7 filtering.
>
> There is something similar what you seek
> <
> https://serverfault.com/questions/998962/nftables-support-string-matching-support>
>
That indeed looks like what I'm trying to do. I fiddled around with it,
but it's very different than the iptables method of simply provide a
filter for a string and iptables will parse headers for it and block
anything that matches.
I tried it with nftables, by putting this in there for the output chain
on my laptop:
chain output {
ct state invalid drop
meta l4proto tcp @th,160,128 0x0970726f787970697065036e657400 counter
drop comment "block queries for proxypipe.net"
type filter hook output priority 0; policy accept;
oifname "lo" accept
ip6 daddr $ipv4_rfc3964 log prefix "6TO4_REJECT: " counter reject
with icmpv6 type addr-unreachable comment "Reject 6to4 (RFC3964)"
}
But it doesn't block anything in Chrome when I visit proxypipe.net. And
I'm just guessing at this point because these nftable options are way
more complex than iptables. The example from server fault is about
blocking DNS UDP requests to that website. But what I want to do is
block web requests. Which worked fine for Facebook with iptables. And
was easy to setup.
Could someone guide me towards the right direction? Simply blocking DNS
requests won't cut it, since I want to deny the website on specific
days and time ranges. If facebook.com is still in the DNS cache, it
will load the website. I have my own (unbound) recursive resolver, so
blocking Facebook entirely is no issue in terms of a DNS block. But the
thing is, I sometimes would like to allow Facebook on a firewall level.
That way I can enforce it for my phone via VPN as well. There are apps
for this as well. And Android has something builtin to limit website
visit time with Digital Wellbeing. But I prefer to have this central
solution.
Any suggestions or more specific examples for this use case?
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
prev parent reply other threads:[~2020-09-13 10:59 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-12 13:41 Filter based on string (or other content) K. de Jong
2020-09-13 0:45 ` Duncan Roe
2020-09-13 8:49 ` G.W. Haywood
2020-09-14 4:17 ` Duncan Roe
[not found] ` <55b116c5-5b29-f4bc-24ad-6d55a74a71c8@hajes.org>
2020-09-13 10:59 ` K. de Jong [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e2df420904ad798ffef01c7efc895bd38fbcb428.camel@neobits.nl \
--to=kees.dejong@neobits.nl \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.