Block torrents and file hosting URLs using PF and relayd

Considering the following network...

Please first read the man pages: pf.conf(5), pfctl(8), relayd.conf(5), relayctl(8), and ssl(8).

It is essential to have the network interfaces (/etc/hostname.xxx), the default gateway (/etc/mygate) and the DNS resolver (/etc/resolv.conf) configured before starting this How-To.

What do we want to achieve?

Block « File Hosting » websites such as 1fichier.com, uptobox.com, mega.co.nz, etc. All the URLs we want to block are listed in the file /etc/filehosting, which serves as a blacklist. We also want to block torrent use on our network.

Here is a sample /etc/filehosting:

mega.co.nz/
uploaded.net/
uptobox.com/
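Entries in this file are matched by relayd as host followed by path, exactly in the form shown above, so a line that carries a scheme ("http://..."), a carriage return from a Windows editor, or no "/" after the host is silently never matched and the site stays reachable. The following lint is an added example and not part of the original how-to; it assumes only the format the sample uses and can be run over /etc/filehosting before reloading relayd.

```sh
#!/bin/sh
# Lint a relayd URL blacklist such as /etc/filehosting (added example,
# not part of the original how-to). Assumption: every entry is written
# as "host/" or "host/path" with no scheme, as in the sample above.
# Usage: lint_blacklist /etc/filehosting   (exit status 0 when all lines are valid)
lint_blacklist() {
    file="$1"
    status=0
    n=0
    cr=$(printf '\r')                     # a stray CR means the file was edited on Windows
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '')             echo "$file:$n: empty line"; status=1 ;;
            *://*)          echo "$file:$n: drop the scheme: $line"; status=1 ;;
            *[[:space:]]*)  echo "$file:$n: whitespace in entry: $line"; status=1 ;;
            *"$cr"*)        echo "$file:$n: carriage return in entry: $line"; status=1 ;;
            */*)            ;;            # host followed by a path: the expected form
            *)              echo "$file:$n: missing '/' after host: $line"; status=1 ;;
        esac
    done < "$file"
    return $status
}

# Constructed sample blacklist, written to a temporary file so the script runs offline.
SAMPLE_BLACKLIST=$(mktemp)
printf 'mega.co.nz/\nuploaded.net/\nuptobox.com/\n' > "$SAMPLE_BLACKLIST"
lint_blacklist "$SAMPLE_BLACKLIST" && echo "$SAMPLE_BLACKLIST: ok"
```

A non-zero exit status lists every offending line with its number, so the check can sit in front of "relayctl load" in a small deploy script.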

/etc/pf.conf

# We declare bad hosts (RFC 1918 and other non-routable ranges)
martians="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
  169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/24 }"

# We don't need to load fingerprints
set fingerprints "/dev/null"

# No filtering on loopback
set skip on lo

# NAT
match out on egress inet from lan:network to any nat-to egress

# Normalize packets
match in all scrub (no-df max-mss 1440)

# Policy: we block everything and log it
block log all

# Antispoof protection
antispoof for {egress,lan}

# We deny bad hosts
block in quick on egress from $martians

# We trust outbound traffic on the WAN
pass out on egress

# Redirect www traffic from our lan to relayd on port 8080
pass in quick inet proto tcp from lan:network to any port www \
  divert-to localhost port 8080

# Redirect https traffic from our lan to relayd on port 8443
pass in quick inet proto tcp from lan:network to any port https \
  divert-to localhost port 8443

# We allow our network to use DNS resolution
pass in on lan inet proto {udp,tcp} \
  from lan:network to any port domain

# We allow pings
pass in on lan inet proto icmp from lan:network to any \
  icmp-type echoreq

Reload pf.conf

By default pf is enabled; you just need to load the new ruleset:

/sbin/pfctl -vf /etc/pf.conf

Enable relayd and start it

echo relayd_flags= >> /etc/rc.conf.local
/etc/rc.d/relayd start

Load the relayd configuration:

/usr/sbin/relayctl load /etc/relayd.conf

Verify that relayd listens on 8080 and 8443:

/usr/bin/netstat -anf inet | grep 127.0.0.1.8

This will give the following:

tcp          0      0  127.0.0.1.8443         *.*                    LISTEN
tcp          0      0  127.0.0.1.8080         *.*                    LISTEN
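Both relays bind to 127.0.0.1 only, so the divert-to rules in pf.conf are the sole path by which LAN traffic reaches them; if either listener is missing, browsing from the LAN simply fails. The script below is an added example, not part of the original how-to: it parses the netstat -anf inet output shown above (the sample lines are constructed) and reports which of the expected ports are not in LISTEN state.

```sh
#!/bin/sh
# Check relayd's local listeners by parsing netstat output (added example,
# not from the original how-to). netstat -anf inet on OpenBSD prints the
# local address as "addr.port" in the fourth column and the state in the sixth.
# Usage: netstat -anf inet | check_listeners 8080 8443
check_listeners() {
    missing=0
    input=$(cat)                      # read stdin once so every port can scan it
    for port in "$@"; do
        if printf '%s\n' "$input" | awk -v want="127.0.0.1.$port" \
               '$1 == "tcp" && $4 == want && $6 == "LISTEN" { found = 1 }
                END { exit(found ? 0 : 1) }'; then
            echo "relayd is listening on 127.0.0.1:$port"
        else
            echo "no listener on 127.0.0.1:$port" >&2
            missing=$((missing + 1))
        fi
    done
    return $missing                   # number of expected ports that are not listening
}

# Constructed sample of netstat -anf inet output (two relayd listeners and one unrelated ssh session).
SAMPLE_NETSTAT='tcp          0      0  127.0.0.1.8443         *.*                    LISTEN
tcp          0      0  127.0.0.1.8080         *.*                    LISTEN
tcp          0      0  192.168.1.1.22         192.168.1.50.51234     ESTABLISHED'

printf '%s\n' "$SAMPLE_NETSTAT" | check_listeners 8080 8443
```

On the firewall itself replace the sample with a live pipe: /usr/bin/netstat -anf inet | check_listeners 8080 8443. The exit status is the count of missing listeners, which makes it usable from a monitoring check.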

Enable IPv4 Routing

sysctl net.inet.ip.forwarding=1

And to keep this setting across reboots:

echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf

/etc/relayd.conf

http protocol "no_ssl" {
        return error
        label "File Hosting is banned!"
        request url filter file "/etc/filehosting"
        label "Torrent is banned!"
        response header filter "application/x-bittorrent" from "Content-Type"
}

http protocol "with_ssl" {
        return error
        label "File Hosting is banned!"
        request url filter file "/etc/filehosting"
        label "Torrent is banned!"
        response header filter "application/x-bittorrent" from "Content-Type"
        ssl ca key "/etc/ssl/private/ca.key" password "testing_relayd"
        ssl ca cert "/etc/ssl/ca.crt"
}

relay "no_ssl_proxy" {
        listen on 127.0.0.1 port 8080
        protocol "no_ssl"
        forward to destination
}

relay "with_ssl_proxy" {
        listen on 127.0.0.1 port 8443 ssl
        protocol "with_ssl"
        forward with ssl to destination
}
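The "ssl ca key" and "ssl ca cert" lines turn the with_ssl relay into a TLS-intercepting proxy: relayd signs a fresh certificate for every https site a LAN client visits, and clients accept it because ca.crt is installed on all of them. Whoever can read ca.key (and its password, stored in clear text in relayd.conf) can therefore impersonate any https site to the whole LAN, so both files must be readable by root only. The check below is an added example, not part of the original how-to; it takes the expected owner as its first argument and relies on ls -ld rather than stat(1) so that it runs unchanged on OpenBSD and Linux.

```sh
#!/bin/sh
# Verify the secrets behind relayd's TLS interception (added example, not
# from the original how-to). ca.key signs a certificate for every https site
# a client visits, and relayd.conf stores that key's password in clear text,
# so both must belong to the expected owner and carry no group/other bits.
# Usage: check_secret_perms root /etc/ssl/private/ca.key /etc/relayd.conf
check_secret_perms() {
    owner_want="$1"; shift
    bad=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "$f: missing" >&2
            bad=$((bad + 1))
            continue
        fi
        # ls -ld prints "mode links owner group ..." on both OpenBSD and Linux
        mode=$(ls -ld "$f" | awk '{print $1}')
        owner=$(ls -ld "$f" | awk '{print $3}')
        case "$mode" in
            ????------*) ;;                   # positions 5-10 empty: no group/other access
            *) echo "$f: mode $mode grants group/other access" >&2
               bad=$((bad + 1)) ;;
        esac
        if [ "$owner" != "$owner_want" ]; then
            echo "$f: owned by $owner, expected $owner_want" >&2
            bad=$((bad + 1))
        fi
    done
    return $bad                               # number of problems found
}

# Constructed demonstration on temporary files: one correct key, one world-readable config.
demo=$(mktemp -d)
: > "$demo/ca.key";      chmod 600 "$demo/ca.key"
: > "$demo/relayd.conf"; chmod 644 "$demo/relayd.conf"
check_secret_perms "$(id -un)" "$demo/ca.key" "$demo/relayd.conf" || echo "problems found: $?"
rm -rf "$demo"
```

On the firewall run it as check_secret_perms root /etc/ssl/private/ca.key /etc/relayd.conf; a non-zero return value means at least one of the two files would let a local user recover the CA.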

Create certificates for relayd

Create the CA key and certificate:

openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt

I chose « testing_relayd » as the password; you will need it in the relayd.conf file, and ca.crt needs to be installed on all the computers of the network (lan).

Create an SSL server key and certificate for 127.0.0.1:

openssl genrsa -out /etc/ssl/private/127.0.0.1.key 2048

Generate a Certificate Signing Request (CSR):

openssl req -new -key /etc/ssl/private/127.0.0.1.key \
             -out /etc/ssl/private/127.0.0.1.csr

Self-sign the certificate:

openssl x509 -sha256 -req -days 365 \
             -in /etc/ssl/private/127.0.0.1.csr \
             -signkey /etc/ssl/private/127.0.0.1.key \
             -out /etc/ssl/127.0.0.1.crt

And here is the result:

Replacing the label "File Hosting is banned!" with the label "<img src='http://www.openbsd.org/art/puffy/puflogv100X65.gif'/>"

© Copyright 2013

contact : wesley [at] mouedine [dot] net