Idefix technology (English)

Revision dated 27 August 2019 at 08:01 by Dysmas

Idefix

The basic question: how to filter HTTPS connections?

Setup the network

We need two Ethernet ports.

Eth0: nothing to do, it stays a DHCP client.

Eth1 will be an authoritative DHCP server:
- Disable Network Manager control on this port: managed=false in NetworkManager.conf
- Eth1 definition in /etc/network/interfaces.d

Setup the server

- Install isc-dhcp-server
- Configure in dhcpd.conf

Setup the router and firewall

This is done in the nftables header. A classical configuration creates the router. A drop policy on input creates the firewall. Redirecting port 53 towards 5353 creates the first step of the filter, because all DNS queries will be routed to Unbound.

Setup the filter

We use Unbound, a DNS resolver, which has the property of allowing the execution of a Python script in the middle of the resolution process. This script makes decisions based on the IP address of the sender and the domain requested. If the domain is not allowed for this user, the request is dropped.

Unbound is installed with a classical configuration, and two important settings:
- Port = 5353: this asks Unbound to listen on this port
- At the end of the configuration file, the definition of the Python script (unbound-filter.py) and its place in the program workflow: validator – python script – iterator.
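The decision the page describes (sender IP plus requested domain, drop if not allowed) can be written as a small Unbound Python module. The script below is an added example, not the Idefix project's own unbound-filter.py: the policy table and client addresses are constructed for illustration, the policy logic (suffix matching on label boundaries, default deny for unknown clients) is plain Python and testable outside Unbound, and the Unbound hook section (operate, MODULE_EVENT_NEW, qstate.qinfo.qname_str, the client-address access path through qstate.mesh_info.reply_list, return_rcode) follows the Unbound pythonmod API as I know it and should be checked against the installed Unbound version before deployment.

```python
"""Added example of an Unbound python-module filter (not the Idefix project's
own unbound-filter.py).  A query is allowed only if the requesting client's
IP has the queried domain (or a parent of it) in its allow-list; every other
query is refused.  Policy data below is constructed for illustration."""

# Constructed policy: client IP -> domain suffixes that client may resolve.
# A client absent from the table is denied everything (default deny).
POLICY = {
    "192.168.1.10": {"wikipedia.org", "debian.org"},
    "192.168.1.11": {"wikipedia.org"},
}

# Constructed allow-list that applies to every client (e.g. the local zone).
GLOBAL_ALLOW = {"idefix.lan"}


def normalize(name):
    """Lower-case a domain name and strip the trailing dot Unbound appends."""
    return name.lower().rstrip(".")


def matches_suffix(qname, allowed):
    """True if qname equals `allowed` or is a subdomain of it.

    The comparison is done on label boundaries, so 'evilwikipedia.org' is
    NOT matched by an allow-list entry of 'wikipedia.org'."""
    qname = normalize(qname)
    allowed = normalize(allowed)
    return qname == allowed or qname.endswith("." + allowed)


def is_allowed(client_ip, qname, policy=POLICY, global_allow=GLOBAL_ALLOW):
    """Decide whether `client_ip` may resolve `qname` under the policy."""
    for suffix in global_allow:
        if matches_suffix(qname, suffix):
            return True
    for suffix in policy.get(client_ip, ()):
        if matches_suffix(qname, suffix):
            return True
    return False


# --- Unbound module hooks (assumed API; verify against your Unbound) --------
# Unbound provides the module constants when it loads the script.  Outside
# Unbound (e.g. when testing the policy logic) they are absent, so fall back
# to distinct placeholder values that keep the import from failing.
try:
    from unboundmodule import (MODULE_EVENT_NEW, MODULE_EVENT_PASS,
                               MODULE_EVENT_MODDONE, MODULE_WAIT_MODULE,
                               MODULE_FINISHED, MODULE_ERROR, RCODE_REFUSED)
except ImportError:
    MODULE_EVENT_NEW, MODULE_EVENT_PASS, MODULE_EVENT_MODDONE = 0, 1, 2
    MODULE_WAIT_MODULE, MODULE_FINISHED, MODULE_ERROR, RCODE_REFUSED = 3, 4, 5, 5


def client_address(qstate):
    """Source IP of the client that sent the query (assumed access path)."""
    reply = qstate.mesh_info.reply_list
    return reply.query_reply.addr if reply else None


def init(id, cfg):
    return True


def deinit(id):
    return True


def inform_super(id, qstate, superqstate, qdata):
    return True


def operate(id, event, qstate, qdata):
    """Called by Unbound for each query state event (module-config
    'validator python iterator' places this between validator and iterator)."""
    if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS:
        client = client_address(qstate)
        if is_allowed(client, qstate.qinfo.qname_str):
            # Hand the query on to the next module (the iterator).
            qstate.ext_state[id] = MODULE_WAIT_MODULE
        else:
            # Not allowed for this client: answer REFUSED and stop here.
            qstate.return_rcode = RCODE_REFUSED
            qstate.ext_state[id] = MODULE_FINISHED
        return True
    if event == MODULE_EVENT_MODDONE:
        # The iterator has finished; propagate its answer unchanged.
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

The policy functions take the client address and query name as plain strings, so the allow/deny logic can be unit-tested without Unbound; only `operate` touches Unbound objects. Unknown clients and names outside every allow-list are refused, which is the least-privilege default a filter of this kind should start from.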

Setup Idefix

Setup Supervix

The companion : Confix