Limit outbound SOCKS proxy requests with pf

Hi everyone,

For a very special use case of mine, I need to allow users to connect over SSH to my server to set up a SOCKS proxy:

    ssh -D localhost:1080 -N my.server.domain.tld

However, I only want them to be able to reach 127.0.0.1 through this proxy (so, my server itself).

Is that even possible?

otl (@otl@lemmy.sdf.org):

You may be able to do this by specifying a rule with a user. For example, say I connect to puffy.example.org with user otl:

    ssh -D 127.0.0.1:6969 otl@puffy.example.org

On the remote side, in pf.conf:

    block out proto tcp all from self user otl

Untested. Curious to see what you come up with! See also pf.conf(5)

wgs (@wgs@lemmy.sdf.org):

That’s awesome, I didn’t know you could filter by user ID! I just tried and it works perfectly. I use the following:

    block out proto { tcp udp } from self to port != domain user otl

This effectively blocks all outgoing connections for the given user (except DNS, as I want to allow forwarding DNS over SOCKS). Thanks a lot for the quick guidance!
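As an added example (not from either poster), here is how the user-based rule from the two replies above can sit in a small pf.conf so that the forwarded SOCKS connections can still reach the server itself but nothing beyond it. It assumes the SSH user is `otl`, the loopback interface is `lo0`, and the rest of the ruleset is the stock default-pass one.

```pf
# Added example, not the thread's own config. Assumes the SSH/SOCKS user is
# "otl" and the loopback interface is "lo0" (OpenBSD default).

# Leave loopback unfiltered: connections to 127.0.0.1 (and to the host's
# own addresses, which OpenBSD also routes via lo0) are never evaluated by
# pf, so the proxy can still reach the server itself.
set skip on lo0

# Stock default-pass policy; the rule below narrows it for otl only.
block return
pass

# sshd opens the forwarded SOCKS connections as the logged-in user, and
# "user" matching applies to sockets on this host, which is exactly that
# case. "quick" makes the block final regardless of other pass rules,
# "log" sends every match to pflog0 so blocked attempts can be reviewed.
# Port "domain" (53) stays open so DNS can be forwarded over the proxy,
# as in the rule posted above.
block out log quick proto { tcp udp } from self to port != domain user otl

# Check syntax without loading, load, then watch what the rule drops:
#   pfctl -nf /etc/pf.conf
#   pfctl -f /etc/pf.conf
#   tcpdump -n -e -ttt -i pflog0
```

From the client, a request through the proxy to any address other than the server should fail, and each attempt shows up on pflog0 tagged with the rule number.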

otl (@otl@lemmy.sdf.org):

No worries! I assume you’re the same z3bra who posted on /r/unixporn? If so, answering your question quickly is the least I could do; your posts got me back into Linux/Unix for fun during university (studying medical science) in 2014. That got me a job in IT straight out of uni, then into software dev. It’s been a wild ride the past 9 years living in both Australia and the Netherlands. So big, big thanks to you!

wgs (@wgs@lemmy.sdf.org):

Yeah, that’s me, though that was a very long time ago haha. That’s an awesome story; I could never have guessed that simple posts like mine could be that inspirational ^^ Thanks for sharing!
