* [gentoo-user] Something firewall-ish
From: meino.cramer @ 2014-12-15 16:47 UTC
To: Gentoo

Hi,

this question is not related to a fully fledged, big local area network with DMZs and such.

Even the word "firewall" seems to be a little too "huge and mighty" in this context to me.

"The network" consists of a PC, which is connected to a FritzBox (cable, no Wifi/WLAN), which connects to the ISP (internet) and (same address range) to an embedded system (eth1).

There are two additional embedded systems, both on a separate interface (eth over usb: usb0 & usb1).

I want to block (DROP or REJECT) the access to certain sites (the "noise" which is produced mostly by sites which all exclusively "only want my best": ads, trackers, analysts and so on...)

I tried different tools: fwbuilder, which locks up either itself or my ruleset... I had to reboot. And Shorewall, which definitely is a great tool... a little too great a tool and much more capable than I am... ;)

I am sure that the problems are mostly not the problems of the tools but mine.

Is there any simple, straightforward tool to just block accesses to certain sites?

Best regards,
Meino
* Re: [gentoo-user] Something firewall-ish
From: Emanuele Rusconi @ 2014-12-15 17:20 UTC
To: gentoo-user

On 15 December 2014 at 17:47, <meino.cramer@gmx.de> wrote:
>
> Is there any simple, straightforward tool to just block accesses
> to certain sites?
>

Hi, I'm absolutely a noob or even less about this subject, but lately I stumbled into a thread on the forum that might be interesting to you:

https://forums.gentoo.org/viewtopic-t-999422-highlight-.html

--
Emanuele
* Re: [gentoo-user] Something firewall-ish
From: meino.cramer @ 2014-12-15 18:14 UTC
To: gentoo-user

Emanuele Rusconi <emarsk@gmail.com> [14-12-15 18:24]:
> On 15 December 2014 at 17:47, <meino.cramer@gmx.de> wrote:
> >
> > Is there any simple, straightforward tool to just block accesses
> > to certain sites?
> >
>
> Hi, I'm absolutely a noob or even less about this subject, but lately I
> stumbled into a thread on the forum that might be interesting to you:
>
> https://forums.gentoo.org/viewtopic-t-999422-highlight-.html
>
> --
> Emanuele
>

Hi Emanuele,

interesting stuff... thank you!

But it does not work as expected: With wireshark I still see the encrypted traffic, for example to secure.informaction.com and s3-1.amazonaws.com, by starting firefox and doing nothing more (homepage is a blank page...).

So I need bigger weapons...

Any other idea?

Best regards,
Meino
* Re: [gentoo-user] Something firewall-ish
From: Walter Dnes @ 2014-12-16 5:09 UTC
To: gentoo-user

On Mon, Dec 15, 2014 at 07:14:26PM +0100, meino.cramer@gmx.de wrote

> But it does not work as expected: With wireshark I still see
> the encrypted traffic for example to secure.informaction.com and
> s3-1.amazonaws.com by starting firefox and doing nothing more
> (homepage is a blank page...).
>
> So I need bigger weapons...

First, get the IP addresses...

[d531][waltdnes][~] nslookup s3-1.amazonaws.com
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
Name:   s3-1.amazonaws.com
Address: 54.231.1.0

[d531][waltdnes][~] nslookup secure.informaction.com
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
Name:   secure.informaction.com
Address: 82.103.140.40
Name:   secure.informaction.com
Address: 82.103.140.42
Name:   secure.informaction.com
Address: 69.195.141.179
Name:   secure.informaction.com
Address: 69.195.141.178

With that info in hand, add the following at the top of your iptables "OUTPUT" chain...

-A OUTPUT -d 69.195.141.178/31 -j DROP
-A OUTPUT -d 82.103.140.40/30 -j DROP
-A OUTPUT -d 54.231.1.0/32 -j DROP

The first one drops 69.195.141.178 and 69.195.141.179. The second one drops 82.103.140.40, 82.103.140.41, 82.103.140.42, and 82.103.140.43. The third one drops 54.231.1.0. The Amazon cloud service covers 54.230.0.0/15. If s3-1.amazonaws.com is "dynamic", you may have to block that entire range.

For those of you who are interested, I'm attaching a copy of my /var/lib/iptables/rules-save which is tweaked for my LAN. Note the following...

* this is a paranoid ruleset for general client end-users only. It will *NOT* work for a server
* the 192.168.x.y addresses are for my internal LAN
* the 169.254.0.0/16 range is for my HDHomerun OTA TV tuner
* the "FECESBOOK" rules block Facebook, coming and going. Firefox spins its wheels for several seconds "Connecting to facebook.com", before giving up.

--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications

[-- Attachment #2: rules-save.gz --]
[-- Type: application/octet-stream, Size: 974 bytes --]
* Re: [gentoo-user] Something firewall-ish
From: Alan McKinnon @ 2014-12-15 20:39 UTC
To: gentoo-user

On 15/12/2014 18:47, meino.cramer@gmx.de wrote:
> Hi,
>
> this question is not related to a fully fledged,
> big local area network with DMZs and such.
>
> Even the word "firewall" seems to be a little too
> "huge and mighty" in this context to me.
>
> "The network" consists of a PC, which is connected
> to a FritzBox (cable, no Wifi/WLAN), which connects
> to the ISP (internet) and (same address range) to an
> embedded system (eth1)
>
> There are two additional embedded systems, both on
> a separate interface (eth over usb: usb0 & usb1).
>
> I want to block (DROP or REJECT) the access to certain
> sites (the "noise" which is produced mostly by sites,
> which all exclusively "only want my best": ads, trackers, analysts
> and so on...)
>
> I tried different tools: fwbuilder, which locks up either itself
> or my ruleset... I had to reboot and Shorewall, which definitely
> is a great tool... a little too great a tool and much more capable
> than I am... ;)
>
> I am sure that the problems are mostly not the problems of the
> tools but mine.
>
> Is there any simple, straightforward tool to just block accesses
> to certain sites?

to do it network-wide: squid

to do it on a per-pc per-browser basis: there's a large variety of firefox plugins to choose from that will block this and allow that. It seems to me this is the better approach as you want to stop your browser chatting with sites who only have your best interest at heart :-)

Either way, the list of black and white lists gets very big very quick, so choose your tool carefully. Try a bunch and pick one that makes sense to you, bonus points if it comes with a community-supported blacklist you can drop in, maintained by people whose POV matches your own.

You don't want a classic firewall for this; firewalls are mostly built to block based on address and port, this is not how you solve your problem

--
Alan McKinnon
alan.mckinnon@gmail.com
* Re: [gentoo-user] Something firewall-ish
From: meino.cramer @ 2014-12-16 4:02 UTC
To: gentoo-user

Alan McKinnon <alan.mckinnon@gmail.com> [14-12-16 03:43]:
> On 15/12/2014 18:47, meino.cramer@gmx.de wrote:
> > Hi,
> >
> > this question is not related to a fully fledged,
> > big local area network with DMZs and such.
> >
> > Even the word "firewall" seems to be a little too
> > "huge and mighty" in this context to me.
> >
> > "The network" consists of a PC, which is connected
> > to a FritzBox (cable, no Wifi/WLAN), which connects
> > to the ISP (internet) and (same address range) to an
> > embedded system (eth1)
> >
> > There are two additional embedded systems, both on
> > a separate interface (eth over usb: usb0 & usb1).
> >
> > I want to block (DROP or REJECT) the access to certain
> > sites (the "noise" which is produced mostly by sites,
> > which all exclusively "only want my best": ads, trackers, analysts
> > and so on...)
> >
> > I tried different tools: fwbuilder, which locks up either itself
> > or my ruleset... I had to reboot and Shorewall, which definitely
> > is a great tool... a little too great a tool and much more capable
> > than I am... ;)
> >
> > I am sure that the problems are mostly not the problems of the
> > tools but mine.
> >
> > Is there any simple, straightforward tool to just block accesses
> > to certain sites?
>
>
> to do it network-wide: squid
>
> to do it on a per-pc per-browser basis: there's a large variety of
> firefox plugins to choose from that will block this and allow that. It
> seems to me this is the better approach as you want to stop your browser
> chatting with sites who only have your best interest at heart :-)
>
>
> Either way, the list of black and white lists gets very big very quick,
> so choose your tool carefully. Try a bunch and pick one that makes sense
> to you, bonus points if it comes with a community-supported blacklist
> you can drop in, maintained by people whose POV matches your own.
>
> You don't want a classic firewall for this; firewalls are mostly built
> to block based on address and port, this is not how you solve your problem
>
> --
> Alan McKinnon
> alan.mckinnon@gmail.com
>

Hi Alan,

thanks for the reply! :)

actually the thing is: There is a plugin called "NoScript" which constantly accesses secure.informaction.com, which is the author of this plugin.
I tried a lot to block that access from inside firefox but did not find a way to do so (read: _I_ did not find... ;)

If you know a plugin for firefox which is able to block accesses from all other plugins to certain sites of the internet I would be happy to check that out.

I tried to block the accesses via iptables rules which DROP/REJECT the name and the IP-address of that site... no chance.

The IP of that site has not changed...

Wireshark still reports traffic to and from that site and following the TCP stream with wireshark shows that the traffic has encrypted contents.

The other access, whose origin I haven't located exactly yet (its origin is in firefox (a plugin I think)), is to s3-1.amazonaws.com. I also want to block this.

Please, what is the plugin of the large variety of plugins which is able to block access of all other plugins to customer-defined sites?

Thank you very much in advance for any help.

Best regards,
Meino
* [gentoo-user] Re: Something firewall-ish
From: »Q« @ 2014-12-16 4:24 UTC
To: gentoo-user

On Tue, 16 Dec 2014 05:02:40 +0100
meino.cramer@gmx.de wrote:

> actually the thing is: There is a plugin called "NoScript" which
> constantly accesses secure.informaction.com, which is the author
> of this plugin.
> I tried a lot to block that access from inside firefox but did
> not find a way to do so (read: _I_ did not find... ;)

<http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/> explains the connection and how to disable it in NoScript's options.
* Re: [gentoo-user] Re: Something firewall-ish
From: meino.cramer @ 2014-12-16 4:46 UTC
To: gentoo-user

»Q« <boxcars@gmx.net> [14-12-16 05:28]:
> On Tue, 16 Dec 2014 05:02:40 +0100
> meino.cramer@gmx.de wrote:
>
> > actually the thing is: There is a plugin called "NoScript" which
> > constantly accesses secure.informaction.com, which is the author
> > of this plugin.
> > I tried a lot to block that access from inside firefox but did
> > not find a way to do so (read: _I_ did not find... ;)
>
> <http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/>
> explains the connection and how to disable it in NoScript's options.
>

Hi Q,

very interesting page... thank you!
It's the stuff I like ;)

What is the difference between NoScript saying "the access to secure.informaction.com is completely anonymous" and anyone else stating this?
Since the access is encrypted I cannot check its contents.
And how is it possible to send back an answer, if my IP-address isn't offered (that is: "completely anonymous")?

Do you know anything about the other address and its origin: s3-1.amazonaws.com ?
It has something to do with a cloud service of Amazon... But what could be the origin of this one ... ?

Best regards,
Meino
* [gentoo-user] Re: Something firewall-ish
From: »Q« @ 2014-12-16 5:03 UTC
To: gentoo-user

On Tue, 16 Dec 2014 05:46:17 +0100
meino.cramer@gmx.de wrote:

> »Q« <boxcars@gmx.net> [14-12-16 05:28]:
> > On Tue, 16 Dec 2014 05:02:40 +0100
> > meino.cramer@gmx.de wrote:
> >
> > > actually the thing is: There is a plugin called "NoScript" which
> > > constantly accesses secure.informaction.com, which is the author
> > > of this plugin.
> > > I tried a lot to block that access from inside firefox but did
> > > not find a way to do so (read: _I_ did not find... ;)
> >
> > <http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/>
> > explains the connection and how to disable it in NoScript's options.
> >
>
> Hi Q,
>
> very interesting page... thank you!
> It's the stuff I like ;)
>
> What is the difference between NoScript saying "the access to
> secure.informaction.com is completely anonymous" and
> anyone else stating this?
> Since the access is encrypted I cannot check its contents.
> And how is it possible to send back an answer, if my
> IP-address isn't offered (that is: "completely anonymous")?

I'm sorry, I don't know. I don't use NoScript -- I just remembered reading that the NoScript author had blogged about that connection so was able to google the page.
* Re: [gentoo-user] Re: Something firewall-ish
From: J. Roeleveld @ 2014-12-16 6:51 UTC
To: gentoo-user

On Tuesday, December 16, 2014 05:46:17 AM meino.cramer@gmx.de wrote:
> »Q« <boxcars@gmx.net> [14-12-16 05:28]:
> > On Tue, 16 Dec 2014 05:02:40 +0100
> > meino.cramer@gmx.de wrote:
> > > actually the thing is: There is a plugin called "NoScript" which
> > > constantly accesses secure.informaction.com, which is the author
> > > of this plugin.
> > > I tried a lot to block that access from inside firefox but did
> > > not find a way to do so (read: _I_ did not find... ;)
> >
> > <http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/>
> > explains the connection and how to disable it in NoScript's options.
>
> Hi Q,
>
> very interesting page... thank you!
> It's the stuff I like ;)
>
> What is the difference between NoScript saying "the access to
> secure.informaction.com is completely anonymous" and
> anyone else stating this?
> Since the access is encrypted I cannot check its contents.
> And how is it possible to send back an answer, if my
> IP-address isn't offered (that is: "completely anonymous")?

For any connection between 2 computers, both will always know the IP address of the other. (when using TCP/IP)

All that site does, according to the blogpost, is reply with "your IP is: xx"

There are other sites that offer a similar service and it's commonly used when you need to know the external IP. (Dyndns-scripts use it as well)

> Do you know anything about the other address and its origin:
> s3-1.amazonaws.com
>
> ? It has something to do with a cloud service of Amazon...
> But what could be the origin of this one ... ?

Any plugin you have installed.

I've got that blocked in my firewall due to a large amount of SSH accesses in my logs.

--
Joost
* Re: [gentoo-user] Something firewall-ish
From: Alan McKinnon @ 2014-12-16 7:07 UTC
To: gentoo-user

On 16/12/2014 06:02, meino.cramer@gmx.de wrote:
>
> Alan McKinnon <alan.mckinnon@gmail.com> [14-12-16 03:43]:
>> On 15/12/2014 18:47, meino.cramer@gmx.de wrote:
>>> Hi,
>>>
>>> this question is not related to a fully fledged,
>>> big local area network with DMZs and such.
>>>
>>> Even the word "firewall" seems to be a little too
>>> "huge and mighty" in this context to me.
>>>
>>> "The network" consists of a PC, which is connected
>>> to a FritzBox (cable, no Wifi/WLAN), which connects
>>> to the ISP (internet) and (same address range) to an
>>> embedded system (eth1)
>>>
>>> There are two additional embedded systems, both on
>>> a separate interface (eth over usb: usb0 & usb1).
>>>
>>> I want to block (DROP or REJECT) the access to certain
>>> sites (the "noise" which is produced mostly by sites,
>>> which all exclusively "only want my best": ads, trackers, analysts
>>> and so on...)
>>>
>>> I tried different tools: fwbuilder, which locks up either itself
>>> or my ruleset... I had to reboot and Shorewall, which definitely
>>> is a great tool... a little too great a tool and much more capable
>>> than I am... ;)
>>>
>>> I am sure that the problems are mostly not the problems of the
>>> tools but mine.
>>>
>>> Is there any simple, straightforward tool to just block accesses
>>> to certain sites?
>>
>>
>> to do it network-wide: squid
>>
>> to do it on a per-pc per-browser basis: there's a large variety of
>> firefox plugins to choose from that will block this and allow that. It
>> seems to me this is the better approach as you want to stop your browser
>> chatting with sites who only have your best interest at heart :-)
>>
>>
>> Either way, the list of black and white lists gets very big very quick,
>> so choose your tool carefully. Try a bunch and pick one that makes sense
>> to you, bonus points if it comes with a community-supported blacklist
>> you can drop in, maintained by people whose POV matches your own.
>>
>> You don't want a classic firewall for this; firewalls are mostly built
>> to block based on address and port, this is not how you solve your problem
>>
>> --
>> Alan McKinnon
>> alan.mckinnon@gmail.com
>>
>
> Hi Alan,
>
> thanks for the reply! :)
>
> actually the thing is: There is a plugin called "NoScript" which
> constantly accesses secure.informaction.com, which is the author
> of this plugin.
> I tried a lot to block that access from inside firefox but did
> not find a way to do so (read: _I_ did not find... ;)
>
> If you know a plugin for firefox which is able to block accesses
> from all other plugins to certain sites of the internet I would
> be happy to check that out.

I don't know of a plugin that specifically does that; I do know that there are Firefox plugins for just about anything you could imagine, that's why I made the suggestion

>
> I tried to block the accesses via iptables rules which DROP/REJECT
> the name and the IP-address of that site... no chance.
>
> The IP of that site has not changed...
>
> Wireshark still reports traffic to and from that site and following
> the TCP stream with wireshark shows that the traffic has encrypted
> contents.

That indicates something wrong with your iptables rules. iptables works at the lowest level of the network stack (very little if anything can bypass it) and wireshark works by reading the network interface directly in promiscuous mode. The traffic you see probably doesn't have an iptables rule to catch it. There are 4 addresses for that domain name, did you include them all in the rule?

# dig secure.informaction.com +short
82.103.140.42
82.103.140.40
69.195.141.179
69.195.141.178

>
> The other access, whose origin I haven't located exactly yet (its
> origin is in firefox (a plugin I think)), is to
> s3-1.amazonaws.com.
> I also want to block this.
>
> Please, what is the plugin of the large variety of plugins which is
> able to block access of all other plugins to customer-defined sites?

As I said above, I don't track plugins too closely, so I don't know. But someone else on this list will, lots of knowledgeable people around here :-)

--
Alan McKinnon
alan.mckinnon@gmail.com
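Walter's three OUTPUT rules earlier in the thread and Alan's question here (are all four resolved addresses actually caught?) come down to the same CIDR arithmetic, so one added check script serves both; it is written for this thread, not taken from any of the mails, and needs nothing beyond POSIX sh. It reports resolved addresses that no rule catches, and the extra addresses a wider mask such as the /30 drops along with the intended ones.

```shell
#!/bin/sh
# cidr_check.sh: compare "-d a.b.c.d/len -j DROP" blocks with the addresses
# DNS returned. Two questions a rule author wants answered:
#   uncovered  - resolved addresses no block catches (the rule set is leaky)
#   collateral - addresses a block drops although DNS never returned them
#                (a /30 for .40 and .42 also takes .41 and .43 with it)
# Added illustration for this thread, not code from any of the mails.

# Resolved addresses and rules as posted in the thread (sample input).
RESOLVED="54.231.1.0 82.103.140.40 82.103.140.42 69.195.141.179 69.195.141.178"
BLOCKS="69.195.141.178/31 82.103.140.40/30 54.231.1.0/32"

# dotted quad -> unsigned 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_bounds CIDR -> sets $start (first address, as integer) and $size
# (number of addresses in the block); iptables masks host bits off the
# same way, so 82.103.140.42/30 and 82.103.140.40/30 are the same block.
cidr_bounds() {
    net=${1%/*}; len=${1#*/}
    size=$(( 1 << (32 - len) ))
    base=$(ip2int "$net")
    start=$(( base - base % size ))
}

# cidr_contains IP CIDR -> exit 0 when IP lies inside CIDR
cidr_contains() {
    cidr_bounds "$2"
    addr=$(ip2int "$1")
    [ "$addr" -ge "$start" ] && [ "$addr" -lt $(( start + size )) ]
}

# uncovered "BLOCKS" "IPS" -> resolved addresses that no block catches
uncovered() {
    for ip in $2; do
        hit=0
        for b in $1; do
            cidr_contains "$ip" "$b" && hit=1
        done
        [ "$hit" -eq 0 ] && echo "$ip"
    done
    return 0
}

# collateral "BLOCKS" "IPS" -> addresses inside the blocks that were not
# resolved, i.e. what a wider mask drops on top of the intended targets
collateral() {
    for b in $1; do
        cidr_bounds "$b"
        i=0
        while [ "$i" -lt "$size" ]; do
            cand=$(int2ip $(( start + i )))
            hit=0
            for ip in $2; do
                [ "$cand" = "$ip" ] && hit=1
            done
            [ "$hit" -eq 0 ] && echo "$cand"
            i=$(( i + 1 ))
        done
    done
    return 0
}

echo "resolved but not blocked:";   uncovered "$BLOCKS" "$RESOLVED"
echo "blocked but never resolved:"; collateral "$BLOCKS" "$RESOLVED"
```

Run it again after every fresh lookup: the "uncovered" list is what Wireshark will still show, and the "collateral" list is what a mask like 54.230.0.0/15 would silently take with it.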
* Re: [gentoo-user] Something firewall-ish
From: thegeezer @ 2014-12-16 10:53 UTC
To: gentoo-user

On 15/12/14 20:39, Alan McKinnon wrote:
> On 15/12/2014 18:47, meino.cramer@gmx.de wrote:
>> Hi,
>>
>> this question is not related to a fully fledged,
>> big local area network with DMZs and such.
>>
>> Even the word "firewall" seems to be a little too
>> "huge and mighty" in this context to me.
>>
>> "The network" consists of a PC, which is connected
>> to a FritzBox (cable, no Wifi/WLAN), which connects
>> to the ISP (internet) and (same address range) to an
>> embedded system (eth1)
>>
>> There are two additional embedded systems, both on
>> a separate interface (eth over usb: usb0 & usb1).
>>
>> I want to block (DROP or REJECT) the access to certain
>> sites (the "noise" which is produced mostly by sites,
>> which all exclusively "only want my best": ads, trackers, analysts
>> and so on...)
>>
>> I tried different tools: fwbuilder, which locks up either itself
>> or my ruleset... I had to reboot and Shorewall, which definitely
>> is a great tool... a little too great a tool and much more capable
>> than I am... ;)
>>
>> I am sure that the problems are mostly not the problems of the
>> tools but mine.
>>
>> Is there any simple, straightforward tool to just block accesses
>> to certain sites?
>
>
> to do it network-wide: squid

+1 and not in transparent mode either -- if you have a proxy server set then https traffic is filtered by domain name as it is part of the proxy connection request.
squid + squidGuard / dansguardian is the way forward.
for example, in my "advertisers/tracking" database there are some 12 thousand domains listed. good luck adding those individually to iptables.

the only other way to do things super paranoidly is by whitelisting i.e. on the router just keep adding ip and port to whitelist table for those you _want_

# LAN and WAN stand for your inside and outside interface names
iptables -N whitelist
iptables -A whitelist -d 8.8.8.8 -p udp -m udp --dport 53 -j ACCEPT
iptables -A FORWARD -i LAN -o WAN -j whitelist
iptables -A FORWARD -j REJECT

this takes longer to "start" but is easier to maintain, as facebook for example are constantly buying ip ranges and adding them to their global domination, so you start by thinking you have blocked all 100 facebook ip addresses and then a month or two later discover they have another 200 you need to block

>
> to do it on a per-pc per-browser basis: there's a large variety of
> firefox plugins to choose from that will block this and allow that. It
> seems to me this is the better approach as you want to stop your browser
> chatting with sites who only have your best interest at heart :-)
>
>
> Either way, the list of black and white lists gets very big very quick,
> so choose your tool carefully. Try a bunch and pick one that makes sense
> to you, bonus points if it comes with a community-supported blacklist
> you can drop in, maintained by people whose POV matches your own.
>
> You don't want a classic firewall for this; firewalls are mostly built
> to block based on address and port, this is not how you solve your problem
>
* Re: [gentoo-user] Something firewall-ish
From: Pandu Poluan @ 2014-12-16 14:31 UTC
To: gentoo-user

On 17:54, Tue, Dec 16, 2014 thegeezer <thegeezer@thegeezer.net> wrote:

> On 15/12/14 20:39, Alan McKinnon wrote:
> > On 15/12/2014 18:47, meino.cramer@gmx.de wrote:
> >> Hi,
> >>
> >> this question is not related to a fully fledged,
> >> big local area network with DMZs and such.
> >>
> >> Even the word "firewall" seems to be a little too
> >> "huge and mighty" in this context to me.
> >>
> >> "The network" consists of a PC, which is connected
> >> to a FritzBox (cable, no Wifi/WLAN), which connects
> >> to the ISP (internet) and (same address range) to an
> >> embedded system (eth1)
> >>
> >> There are two additional embedded systems, both on
> >> a separate interface (eth over usb: usb0 & usb1).
> >>
> >> I want to block (DROP or REJECT) the access to certain
> >> sites (the "noise" which is produced mostly by sites,
> >> which all exclusively "only want my best": ads, trackers, analysts
> >> and so on...)
> >>
> >> I tried different tools: fwbuilder, which locks up either itself
> >> or my ruleset... I had to reboot and Shorewall, which definitely
> >> is a great tool... a little too great a tool and much more capable
> >> than I am... ;)
> >>
> >> I am sure that the problems are mostly not the problems of the
> >> tools but mine.
> >>
> >> Is there any simple, straightforward tool to just block accesses
> >> to certain sites?
> >
> >
> > to do it network-wide: squid
>
> +1 and not in transparent mode either -- if you have a proxy server set
> then https traffic is filtered by domain name as it is part of the proxy
> connection request.
> squid + squidGuard / dansguardian is the way forward.
> for example, in my "advertisers/tracking" database there are some 12
> thousand domains listed. good luck adding those individually to iptables.
>
> the only other way to do things super paranoidly is by whitelisting i.e.
> on the router just keep adding ip and port to whitelist table for those
> you _want_
>
> iptables -N whitelist
> iptables -A whitelist -d 8.8.8.8 -p udp -m udp --dport 53 -j ACCEPT
> iptables -A FORWARD -i LAN -o WAN -j whitelist
> iptables -A FORWARD -j REJECT
>
> this takes longer to "start" but is easier to maintain, as facebook for
> example are constantly buying ip ranges and adding them to their global
> domination, so you start by thinking you have blocked all 100 facebook
> ip addresses and then a month or two later discover they have another
> 200 you need to block
>
> >
> > to do it on a per-pc per-browser basis: there's a large variety of
> > firefox plugins to choose from that will block this and allow that. It
> > seems to me this is the better approach as you want to stop your browser
> > chatting with sites who only have your best interest at heart :-)
> >
> >
> > Either way, the list of black and white lists gets very big very quick,
> > so choose your tool carefully. Try a bunch and pick one that makes sense
> > to you, bonus points if it comes with a community-supported blacklist
> > you can drop in, maintained by people whose POV matches your own.
> >
> > You don't want a classic firewall for this; firewalls are mostly built
> > to block based on address and port, this is not how you solve your problem
> >

You can automate the process by using 'dig' and 'ipset'. Create an ipset named "Fbook" of type hash:ip, then every 5 minutes run a script that does a lookup for facebook.com and add the found IP to the Fbook ipset.

Rgds,
--
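The dig + ipset loop Pandu describes, as an added script for this thread (not Pandu's own, which he did not post). It assumes ipset and dig are installed and adds two things the description leaves out: CNAME lines are filtered out of the `dig +short` answer before they reach `ipset add`, and entries carry a timeout so an address the name stops resolving to ages out instead of staying blocked forever.

```shell
#!/bin/sh
# refresh_set.sh: keep an ipset in step with the A records a name currently
# resolves to; meant to run from cron every few minutes, e.g.
#   */5 * * * * /usr/local/sbin/refresh_set.sh Fbook facebook.com
# Added illustration for this thread; not a script from any of the mails.
# With DRY_RUN=1 (or no arguments) it prints the ipset commands instead.

# Keep only IPv4 answers: `dig +short` prints CNAME targets first when the
# name is an alias, and those must not reach `ipset add`.
only_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sync_set SETNAME  (resolver output on stdin)
# -exist makes create/add idempotent; on a set created with a timeout it
# also resets the timer of an address that is still being returned, so only
# addresses that disappear from DNS expire (here after 900 seconds).
sync_set() {
    set_name=$1
    run ipset -exist create "$set_name" hash:ip timeout 900
    only_ipv4 | while read -r ip; do
        run ipset -exist add "$set_name" "$ip"
    done
}

# One rule referencing the set is all iptables needs; the set changes under
# it without reloading the rules:
#   iptables -I OUTPUT -m set --match-set Fbook dst -j DROP
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    dig +short "$2" A | sync_set "$1"
else
    # No arguments: show what would run, on a constructed resolver answer
    # (a CNAME line followed by two sample addresses).
    DRY_RUN=1
    printf 'star.c10r.facebook.com.\n31.13.64.35\n31.13.65.36\n' | sync_set Fbook
fi
```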