How to block outbound traffic to single IP(s)

Murus
Seven709
Posts: 3
Joined: Sun Jan 07, 2018 6:47 pm

How to block outbound traffic to single IP(s)

Post by Seven709 » Sun Jan 07, 2018 7:07 pm

Hi all,

I'm using Murus now for quite some time but until now, only to block unwanted inbound traffic. Which worked quite well so far.

However, today I tried to establish a very simple outbound rule and failed almost epically. Basically, I want to allow all outbound traffic but block traffic to a handful of (public) IP addresses. No specific service/port is necessary, just completely block it.

So far I have tried every possible combination between the "All Services" group, various Custom Groups and explicit Custom PF rules. I rebooted the Mac several times, all to no avail. The Mac is running 10.11.6 (El Capitan) and Murus Pro 1.4.13.

I'm almost sure that I do something wrong but I'm currently not able to see my error. Any advice in this matter is very much appreciated.

regards

hany
Posts: 454
Joined: Wed Dec 10, 2014 5:20 pm

Re: How to block outbound traffic to single IP(s)

Post by hany » Thu Jan 11, 2018 1:37 pm

I suggest you create a dedicated group for this purpose.
Then edit the outbound service ALL SERVICES to add this group to Blocked Groups. Then click PLAY to update the runtime pf rules. It should work.
Please note that if some connections to blocked IPs were already established when you click PLAY, those connections will not be closed. This is normal behavior for stateful firewalls.

Seven709
Posts: 3
Joined: Sun Jan 07, 2018 6:47 pm

Re: How to block outbound traffic to single IP(s)

Post by Seven709 » Fri Jan 12, 2018 6:14 am

Thank you very much for your quick reply.

In fact, that was my first thought as well. And I tried it again right now, and even rebooted the server to really disconnect all sessions. However, it did not work. I'm still noticing connections from my server to that IP address(es).

What makes me wonder is the order of the firewall rules in the configuration pane. The "Allow out any to any" rule is above the "Block out any to "Blocked IPs"" rule. In case the rules were applied top-down then the behavior can be simply explained. On the other hand if rules were applied bottom-up then I have no explanation and it should be blocked as intended.
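The ordering question raised in this post is worth making concrete. The following Python model is an added example and is not Murus's code or pf itself; it reproduces the rule-selection behaviour pf documents (rules are walked top to bottom, the last matching rule wins unless a matching rule carries `quick`, and a packet that matches an existing state never consults the ruleset). The rules, addresses and state entries are constructed for the demonstration, and how Murus itself orders or flags its generated rules is not assumed here.

```python
"""Minimal model of how pf picks the winning rule for a packet.

Added example, not Murus's code and not pf. pf walks the ruleset top to
bottom; the LAST matching rule wins, unless a matching rule has 'quick',
which ends evaluation immediately. Packets matching an existing state
entry skip the ruleset entirely.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str          # "pass" or "block"
    direction: str       # "in" or "out"
    dst: str             # destination CIDR, or "any"
    quick: bool = False  # stop evaluating once this rule matches

    def matches(self, direction, dst_ip):
        if self.direction != direction:
            return False
        if self.dst == "any":
            return True
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)


@dataclass
class Firewall:
    rules: list
    # (direction, destination) pairs for which a state already exists
    states: set = field(default_factory=set)

    def decide(self, direction, dst_ip):
        """Return (action, reason) for a packet in this direction to dst_ip."""
        if (direction, dst_ip) in self.states:
            return ("pass", "matched existing state")
        winner = None
        for rule in self.rules:          # top to bottom
            if rule.matches(direction, dst_ip):
                winner = rule            # later matches override earlier ones
                if rule.quick:
                    break                # 'quick' ends evaluation right here
        if winner is None:
            return ("pass", "no rule matched (pf default)")
        if winner.action == "pass":
            self.states.add((direction, dst_ip))  # pass creates a state
        return (winner.action, f"winning rule: {winner.action} {winner.direction} to {winner.dst}")


def demo():
    """Constructed scenarios: 203.0.113.0/24 stands in for the blocked range."""
    blocked = "203.0.113.0/24"
    ordered = [Rule("pass", "out", "any"), Rule("block", "out", blocked)]
    fw = Firewall(ordered)
    last_match = fw.decide("out", "203.0.113.7")    # block rule is last -> block
    other = fw.decide("out", "198.51.100.1")         # only pass matches -> pass
    quick_fw = Firewall([Rule("pass", "out", "any", quick=True),
                         Rule("block", "out", blocked)])
    quick = quick_fw.decide("out", "203.0.113.7")   # quick pass wins -> pass
    stateful = Firewall(ordered, states={("out", "203.0.113.7")})
    existing = stateful.decide("out", "203.0.113.7")  # state bypasses rules
    return {"last_match": last_match, "other": other,
            "quick": quick, "existing_state": existing}


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:15s} {action:6s} ({reason})")
```

The model shows why an "allow out any to any" rule sitting above a block rule is not by itself a problem under last-match semantics, while a `quick` on the allow rule or a pre-existing state would let the traffic through; `pfctl -sr` shows which rules (and flags) are actually loaded on a real machine.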

Seven709
Posts: 3
Joined: Sun Jan 07, 2018 6:47 pm

Re: How to block outbound traffic to single IP(s)

Post by Seven709 » Sat Jan 13, 2018 11:25 am

Today I noticed a somewhat strange behavior.

After all the futile attempts with single IPs I gave my last hope a try by blocking a complete IP range, in this case a Class C network. And again, immediately after rebooting, I could see successful connections to the "blocked" range.

However, since this night 03:00 am, the firewall started to block all attempts as intended. So it works, but with a 20-hour delay... Out of curiosity I rebooted my server and again, I see successful connections to the once blocked IP range... let's wait overnight to see what happens. The application is sending packets every 60 seconds sharp. Maybe this will confuse the firewall somehow in case the application starts sending before the firewall is up and running during starting the OS?

My Outbound configuration is now as follows:
The All Services group with "all_outbound" as allowed group and "blocked_outbound" as blocked group.
"all_outbound" contains 0.0.0.0/0 & ::/0, "blocked_outbound" contains x.x.x.x/24 (obviously x is a placeholder for the true values).

hany
Posts: 454
Joined: Wed Dec 10, 2014 5:20 pm

Re: How to block outbound traffic to single IP(s)

Post by hany » Wed Jan 17, 2018 6:59 pm

everything sounds a bit strange :)
"Maybe this will confuse the firewall somehow in case the application starts sending before the firewall is up and running during starting the OS?"
look, pf rules are loaded at boot time, that is very "early". I don't know how your testing script works and when it is started. However yes, pf is a stateful firewall (Murus configures it as a stateful firewall), so yes, a connection may pass if it matches an existing pf state even if it should be blocked by a pf rule. But I'm not sure this is your case...

My advice is to leave the "ALL SERVICES" service with default settings (everyone group in Allowed Groups) then add your blocked IP (or network) addresses to the "blocked_hosts" group, which is blacklisted by default.

And, when you realize something is wrong, please try to kill all pf states. You can do it from Murus or from shell (sudo pfctl -k 0.0.0.0/0 -k 0.0.0.0/0). Once killed, your script connection should be subject to current pf runtime ruleset. And if the connection matches a block rule then it will be blocked. If not, you should verify if pf is enabled and if pf ruleset is the correct Murus ruleset.
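To make the state check above actionable, here is an added Python helper that is not part of Murus: it reads `pfctl -ss` output, reports which existing states still point at a blocked network, and builds the matching `pfctl -k <source> -k <destination>` commands. The line layout it parses (`<iface> <proto> <src> -> <dst> <state>`) is assumed from the usual pfctl output, the sample lines are constructed rather than captured, and 203.0.113.0/24 stands in for the blocked range.

```python
"""Find pf states that still allow traffic to hosts you meant to block.

Added example, not Murus's code. Assumes the 'pfctl -ss' line layout
'<iface> <proto> <src> -> <dst> <state>'; feed it the real output with
subprocess if you want to run it against a live machine.
"""
import ipaddress
import re

STATE_LINE = re.compile(
    r"^\S+\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<state>\S+)"
)

# Constructed sample, not captured from a real host.
SAMPLE_PFCTL_SS = """\
ALL tcp 192.168.1.20:52210 -> 203.0.113.45:443       ESTABLISHED:ESTABLISHED
ALL udp 192.168.1.20:51001 -> 192.168.1.1:53         MULTIPLE:SINGLE
ALL tcp 192.168.1.20:52211 -> 198.51.100.9:8080      ESTABLISHED:ESTABLISHED
ALL udp 192.168.1.20:60000 -> 203.0.113.200:9000     SINGLE:NO_TRAFFIC
"""


def split_host_port(token):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); pf prints IPv6 as '2001:db8::1[443]'."""
    if "[" in token:
        host, port = token[:-1].split("[")
        return host, int(port)
    host, port = token.rsplit(":", 1)
    return host, int(port)


def parse_states(text):
    """Turn pfctl -ss output into dicts; lines that do not fit the layout are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_LINE.match(line.strip())
        if not m:
            continue
        src_host, src_port = split_host_port(m["src"])
        dst_host, dst_port = split_host_port(m["dst"])
        states.append({"proto": m["proto"], "src": src_host, "src_port": src_port,
                       "dst": dst_host, "dst_port": dst_port, "state": m["state"]})
    return states


def states_to_blocked(text, blocked_nets):
    """Return (state, network) pairs whose destination lies in a blocked network."""
    nets = [ipaddress.ip_network(n) for n in blocked_nets]
    hits = []
    for st in parse_states(text):
        dst = ipaddress.ip_address(st["dst"])
        for net in nets:
            if dst.version == net.version and dst in net:
                hits.append((st, net))
                break
    return hits


def kill_commands(hits):
    """One 'pfctl -k <any source> -k <blocked net>' per network that still has states."""
    nets = []
    for _, net in hits:
        if net not in nets:
            nets.append(net)
    any_src = {4: "0.0.0.0/0", 6: "::/0"}
    return [f"sudo pfctl -k {any_src[n.version]} -k {n}" for n in nets]


if __name__ == "__main__":
    found = states_to_blocked(SAMPLE_PFCTL_SS, ["203.0.113.0/24"])
    for st, net in found:
        print(f"{st['proto']} {st['src']} -> {st['dst']}:{st['dst_port']} "
              f"({st['state']}) still open into {net}")
    for cmd in kill_commands(found):
        print(cmd)
```

After killing the states, the next packet from the application has to pass the runtime ruleset again, so `pfctl -ss` should no longer list the blocked destinations; if it does, `pfctl -s info` (is pf enabled?) and `pfctl -sr` (is the loaded ruleset the one Murus generated?) are the next things to compare.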
