How to limit/disable the upload on the network

Question

I wish to make a secure environment and to block uploading to any destination on the Internet, how can I achieve that using pfSense.

Does pfSense is the right tool for it?

I tried to limit the upload to 8 bits per second and I can not download right now (it's also got limited).

Does squid can be a good solution for what I searched for?

ps I still want to download files via git, http, https, ssh for example yarn install and "composer install" should work.

The goal is to block upload of files outside from the pfSense.

Answer 1

If you're using PFsense like you mentioned. I think this video will help you.

It's a basic tutorial on limiters, hope this helps!

Answer 2

tl;dr: You can't! But you can use trickle

Explanation

Since every time we create a tcp session - we upload data to the internet, and it doesn't matter if its a 3-way-handshake , http request or post a file to the server, you can not have the ability of creating a session without being able to upload data to the internet. What you can do- is limit the bandwidth per application.

Workaround 1

You can use trickle.

sudo apt-get install trickle

You can limit upload/download for a specific app by running

trickle -u (upload limit in KB/s) -d (download limit in KB/s) application

This way you can limit http/other applications, but still being able to use git.

Workaround 2

Another way to Deny all application from accessing the internet, and allow only applications by exception.

Answer 3

in short, you can't do it with stock pf sense,

You'll need a firewall which can inspect SSL and SSH,

You can run squid proxy on pfsense, and that can sslbump. which can be used to inspect HTTPS traffic. and with squid you can block file upload, for http (and https with sslbump)

If you want to inspect SSH and limit file upload via SSH,

you'll need a Palo Alto or a Fortigate or another next-gen firewall which can inspect SSH.