Allow inbound/outbound anti-virus updates...

MRSTANG
Posts: 5
Joined: Thu Jan 07, 2016 5:17 pm

Allow inbound/outbound anti-virus updates...

Post by MRSTANG » Fri Jan 08, 2016 8:26 pm

Greetings,
Just getting my feet wet on a test server and I am blocking web access inbound and outbound.
Is there a way to Allow Inbound/Outbound access to certain IP addresses/domains?
We're using Kaspersky and need the ability to run Anti-Virus Updates.
I tried adding the following:

pass in log net proto tcp from {Local Server IP} port {80} to {38.117.98.202} port {80}
pass out log net proto tcp from {Local Server IP} port {80} to {38.117.98.202} port {80}

But the Kaspersky logs say connection cannot be established.
If I disable MURUS the updates run fine.
Any help is appreciated
Thanks
LJS

hany
Posts: 483
Joined: Wed Dec 10, 2014 5:20 pm

Re: Allow inbound/outbound anti-virus updates...

Post by hany » Sat Jan 09, 2016 2:55 pm

pass in log net proto tcp from {Local Server IP} port {80} to {38.117.98.202} port {80}
pass out log net proto tcp from {Local Server IP} port {80} to {38.117.98.202} port {80}
Here there are two mistakes:

the first mistake here is assuming that connections targeting remote port 80 also come from local port 80. This is not the case. The source port is usually dynamically assigned. To allow web browsing you should "pass out from my local ip (any source port) to a specific remote ip (port 80) and accept replies."

the second one is not considering pf is by default a stateful firewall, thus not requiring you to manage connections using 2 rules for the 2 directions. Here you just need one rule which will create a pf state which in turn will allow both outgoing outbound http requests AND incoming replies from the remote server.

the resulting custom rule that you should add within the Murus Custom Rules panel looks like this:

pass out log inet proto tcp from {local server IP} to 38.117.98.202 port 80
Is there a way to Allow Inbound/Outbound access to certain IP addresses/domains?
Please note that in your specific case (allow a local http client app to connect to a remote host to get data from a remote service) you just need to allow OUTBOUND connections. The "incoming" part of this connection (replies from the remote server) is *NOT* an inbound connection, it is an "outbound reply". Please see the Murus manual for a more exhaustive (hopefully) explanation of the difference between "incoming" and "inbound", "outgoing" and "outbound" :)


Please let me know if everything is clear! :)

P.S.
please verify twice that your service does use http and not https. If you are not sure just pass both ports 80 and 443, not only 80.
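As an added illustration (not part of the thread above and not Murus' own code), here is what the advice in this reply looks like as a stand-alone pf.conf fragment: one stateful outbound rule, no source port, both 80 and 443, and a default block so the rule is the only thing opening the path. The local address 10.0.0.5, the interface en0, and the macro/table names are assumptions; only 38.117.98.202 comes from the thread.

```pf
# Constructed pf.conf fragment. Assumed values: local host 10.0.0.5,
# interface en0, macro/table names. 38.117.98.202 is the update host
# from the thread.
local_srv = "10.0.0.5"
av_ports  = "{ 80, 443 }"
table <av_update> const { 38.117.98.202 }

# Default deny in both directions; everything not matched below is dropped
# and logged, so a wrong rule shows up in pflog instead of silently working.
block drop log all

# The single rule that is needed. No source port is given: the client picks
# an ephemeral port, so "from $local_srv port 80" would never match.
# "flags S/SA keep state" creates a state entry on the client's SYN; the
# server's replies are matched against that state, so no "pass in" rule
# for the reverse direction is required.
pass out log quick on en0 inet proto tcp \
    from $local_srv to <av_update> port $av_ports \
    flags S/SA keep state

# What NOT to write (the original attempt): "port 80" on the source side
# and a second "pass in" rule. The source-port condition never matches,
# and the inbound rule is redundant once a state exists.
#   pass in  log inet proto tcp from 10.0.0.5 port 80 to 38.117.98.202 port 80
#   pass out log inet proto tcp from 10.0.0.5 port 80 to 38.117.98.202 port 80

# Verification (run as root):
#   pfctl -nf /etc/pf.anchors/avupdate     # parse only, catches syntax errors
#   pfctl -ss | grep 38.117.98.202         # state entry appears after the first SYN
#   tcpdump -n -e -ttt -i pflog0 host 38.117.98.202   # logged drops, if any remain
```

If the updater still reports a failed connection after this rule is loaded, the pflog line will show which direction and port was blocked, which usually means a port other than 80/443 (or a different host) is involved.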
