https://facebook.com not blocked by proxy

[Guest]

[dysmas]

When I use "non transparent proxy", I have instantly access to all the web. This means non transparent proxy will work only if a computer is specially configured to use the proxy. And what if a user is competent enough to change this configuration ? He will get access to anything.
Since you have made a configuration which is close to what I want, could you provide some explanations on where I must search to prevent what I just said : with not transparent, at first, any computer has access to Internet.

[speccompsol]

To use 'non-transparent' proxy, you must also disable (or delete) the outgoing firewall setting for port 80 for the zone that the 'non-transparent' proxy is assigned.  By doing so a computer in the 'non-transparent' zone cannotaccess web pages without using the proxy.

[Monty]

Hi, sorry to reactivate this thread again. I understand fully the nature of the problem with HTTPS and transparent proxies, my question is about endian:

Most of the workarounds for this are simply to read what you can from the packet, (the source/destination addresses) and try to reverse DNS lookup the IP.
IF the IP reverses properly your cache device can apply a rule, or can simply apply a rule based on the source/dest IP's,   but this will not prevent someone from sending their encrypted packets to a foreign proxy for further delivery.

Despite the remaining issues, this is actually what I am after (it is the right solution for the environment I want to deploy it into).

Could anyone tell me how easy it is to implement this with endian? (I.e. just do reverse DNS on the destination address, if it resolves to facebook (etc) domain on a given list - block it.)

Unless the very advanced ones, transparent proxies can't filter out HTTPS by default.

Other than by reverse IP, what other methods are transparent proxies doing?

The paid version of untangle webfilter seems to block HTTPS, but I think it is just doing reverse IP on the packets. Does anyone know for sure?

And again, my main question is how easy is it to setup a reverse DNS block on HTTPS traffic using endian?

[dysmas]

Thanks to @nishith and @speccompsol : using Non transparent proxy is really the good solution to filter https. Just in case it can help others, here is what you have to do :

1) in Firewall/Outgoing traffic, remove the lines which allow traffic on ports 80 and 443.
2) Set proxy to Non transparent
3) in proxy/authentication click "Manage users" and add some users
4) If you want, click "Manage groups" and create some groups
5) In proxy/Access Policy, modify your policies :
      Set Authentication to user based or group based, and select one (or several) user(s) or group(s)

Update.
At this point, no one has access to Internet.

To give access to Internet to a user, you must go to his computer and in Internet Properties / connections / Network settings [in Windows XP, or find equivalent in your OS], you MUST set a proxy, indicating the IP address of your EFW and the port 8080 (if you have kept this value which is the default in EFW).

Now this user, when he want to connect to Internet will receive a small window asking for authentication. He has just to enter it, and he has access to the corresponding policies. https is perfectly blocked by this system.

Well... it is so well blocked that presently I cannot access Skype ! Because when establishing a connection, Skype tries to connect to a site with an IP address, and there are hundreds of addresses, and I cannot add all of them to a policy. If I allow all destinations (with ANY as destination), then I access Skype, which is normal. But if I use a proxy, it is because I don't want to give full access. When the proxy was set to transparent, I didn't notice the problem because Skype at this point connects in https and for this reason it worked. But now it no longer works. This is a good proof that proxy when set to non transparent can block Skype, Facebook and so on. Once I have found the way to access Skype without giving full access to Internet, I will post it here. But if someone knows the answer, I am happy to hear it.

 

[jeremycald]

Would not transparent proxy also work so you don't have to visit every workstation?

[dysmas]

I am unsure of the meaning of your question so the answer may be inaccurate.

Transparent proxy cannot block https (connections on port 443). To control https connections, non transparent proxy is necessary, with the consequence that you have to visit every workstation. If you are not interested in controlling https connections, then transparent mode is the good solution.

[jeremycald]

I am unsure of the meaning of your question so the answer may be inaccurate.

Transparent proxy cannot block https (connections on port 443). To control https connections, non transparent proxy is necessary, with the consequence that you have to visit every workstation. If you are not interested in controlling https connections, then transparent mode is the good solution.

Learn something new everyday.  Thanks for the non-flaming response.

[sourcebreak]

In Endian Firewall >> Firewall >> Outgoing firewall
create new rule to Deny port 443 for
173.252.0.0/16
69.0.0.0/8
31.13.0.0/16
72.246.0.0/16
124.0.0.0/8

This will block https facebook.

Regards - Suresh

[sree]

Make a outgoing firewall rule giving the below ip and network (Facebook) to the port 443 and block it, your normal 443 works perfectly and https://facebook.com will get block.

173.252.0.0/16
69.0.0.0/8
31.13.0.0/16
72.246.0.0/16
124.0.0.0/8
69.63.184.142
69.63.187.17
69.63.187.19
69.63.181.11
69.63.181.12


Cheers~
Sree.

[nicolethomson]

thats pretty good info dear suresh and sree,

is there any ways to block youtube and gtalk  in similar manner, apart from that  video streaming needs tobe blocked

i tried blocking the ip for youtube.  74.125.236.0/16