Author Topic: https://facebook.com not blocked by proxy  (Read 337977 times)
dysmas
« Reply #30 on: Saturday 08 September 2012, 07:24:54 pm »

When I use "non transparent proxy", I instantly have access to all the web. This means non-transparent proxy will work only if a computer is specially configured to use the proxy. And what if a user is competent enough to change this configuration? He will get access to anything.
Since you have made a configuration which is close to what I want, could you provide some explanations on where I must search to prevent what I just said: with non-transparent, at first, any computer has access to Internet.
speccompsol
« Reply #31 on: Sunday 09 September 2012, 03:07:29 am »

To use 'non-transparent' proxy, you must also disable (or delete) the outgoing firewall setting for port 80 for the zone that the 'non-transparent' proxy is assigned. By doing so a computer in the 'non-transparent' zone cannot access web pages without using the proxy.
Monty
« Reply #32 on: Saturday 03 November 2012, 07:37:07 am »

Hi, sorry to reactivate this thread again. I understand fully the nature of the problem with HTTPS and transparent proxies, my question is about endian:

Most of the workarounds for this are simply to read what you can from the packet (the source/destination addresses) and try a reverse DNS lookup on the IP.
If the IP reverses properly your cache device can apply a rule, or can simply apply a rule based on the source/dest IPs, but this will not prevent someone from sending their encrypted packets to a foreign proxy for further delivery.

Despite the remaining issues, this is actually what I am after (it is the right solution for the environment I want to deploy it into).

Could anyone tell me how easy it is to implement this with endian? (I.e. just do reverse DNS on the destination address, if it resolves to facebook (etc) domain on a given list - block it.)

Unless the very advanced ones, transparent proxies can't filter out HTTPS by default.

Other than by reverse IP, what other methods are transparent proxies doing?

The paid version of untangle webfilter seems to block HTTPS, but I think it is just doing reverse IP on the packets. Does anyone know for sure?

And again, my main question is how easy is it to setup a reverse DNS block on HTTPS traffic using endian?
dysmas
« Reply #33 on: Thursday 14 February 2013, 04:52:25 am »

Thanks to @nishith and @speccompsol: using Non transparent proxy is really the good solution to filter https. Just in case it can help others, here is what you have to do:

1) In Firewall/Outgoing traffic, remove the lines which allow traffic on ports 80 and 443.
2) Set proxy to Non transparent.
3) In proxy/Authentication click "Manage users" and add some users.
4) If you want, click "Manage groups" and create some groups.
5) In proxy/Access Policy, modify your policies:
   Set Authentication to user based or group based, and select one (or several) user(s) or group(s).

Update.
At this point, no one has access to Internet.

To give access to Internet to a user, you must go to his computer and in Internet Properties / connections / Network settings [in Windows XP, or find equivalent in your OS], you MUST set a proxy, indicating the IP address of your EFW and the port 8080 (if you have kept this value which is the default in EFW).

Now this user, when he wants to connect to Internet, will receive a small window asking for authentication. He just has to enter it, and he has access to the corresponding policies. https is perfectly blocked by this system.

Well... it is so well blocked that presently I cannot access Skype! Because when establishing a connection, Skype tries to connect to a site with an IP address, and there are hundreds of addresses, and I cannot add all of them to a policy. If I allow all destinations (with ANY as destination), then I access Skype, which is normal. But if I use a proxy, it is because I don't want to give full access. When the proxy was set to transparent, I didn't notice the problem because Skype at this point connects in https and for this reason it worked. But now it no longer works. This is a good proof that proxy when set to non transparent can block Skype, Facebook and so on. Once I have found the way to access Skype without giving full access to Internet, I will post it here. But if someone knows the answer, I am happy to hear it.

 
jeremycald
« Reply #34 on: Saturday 16 February 2013, 01:50:27 am »

Would not transparent proxy also work so you don't have to visit every workstation?
dysmas
« Reply #35 on: Saturday 16 February 2013, 02:49:46 am »

I am unsure of the meaning of your question so the answer may be inaccurate.

Transparent proxy cannot block https (connections on port 443). To control https connections, non transparent proxy is necessary, with the consequence that you have to visit every workstation. If you are not interested in controlling https connections, then transparent mode is the good solution.
jeremycald
« Reply #36 on: Tuesday 19 February 2013, 06:41:29 am »

> I am unsure of the meaning of your question so the answer may be inaccurate.
>
> Transparent proxy cannot block https (connections on port 443). To control https connections, non transparent proxy is necessary, with the consequence that you have to visit every workstation. If you are not interested in controlling https connections, then transparent mode is the good solution.

Learn something new everyday.  Thanks for the non-flaming response.
sourcebreak
« Reply #37 on: Saturday 02 March 2013, 07:40:56 pm »

In Endian Firewall >> Firewall >> Outgoing firewall
create new rule to Deny port 443 for
173.252.0.0/16
69.0.0.0/8
31.13.0.0/16
72.246.0.0/16
124.0.0.0/8

This will block https facebook.

Regards - Suresh
sree
« Reply #38 on: Friday 10 May 2013, 11:19:06 pm »

Make an outgoing firewall rule giving the below IPs and networks (Facebook) for port 443 and block it; your normal 443 works perfectly and https://facebook.com will get blocked.

173.252.0.0/16
69.0.0.0/8
31.13.0.0/16
72.246.0.0/16
124.0.0.0/8
69.63.184.142
69.63.187.17
69.63.187.19
69.63.181.11
69.63.181.12


Cheers~
Sree.
nicolethomson
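The two blocking strategies discussed in this thread, Monty's "reverse DNS the destination and match it against a domain list" idea and the address-based "deny port 443 to these networks" rules from sourcebreak and sree, written out as one policy check. This is an added example, not code from Endian Firewall or from any poster; the PTR table and the non-Facebook addresses are constructed so it runs offline.

```python
# Added example (not from the EFW project or this thread): the CIDR rule and the
# reverse-DNS rule from the discussion, as a decision function over a fake PTR table.
import ipaddress
from typing import Dict, Optional

# Networks quoted in the thread for the "Deny port 443" outgoing rule.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "173.252.0.0/16", "69.0.0.0/8", "31.13.0.0/16", "72.246.0.0/16", "124.0.0.0/8",
)]
# Domains whose reverse-DNS name should be denied (whole-label suffix match).
BLOCKED_DOMAINS = ["facebook.com", "fbcdn.net"]

# Constructed stand-in for socket.gethostbyaddr(); real lookups may fail,
# be slow, or return names that carry no hint of the service behind them.
FAKE_PTR: Dict[str, Optional[str]] = {
    "31.13.64.35": "edge-star-mini-shv-01-lax3.facebook.com",  # hypothetical PTR
    "69.63.187.17": "www.facebook.com",                         # IP from the thread
    "198.51.100.7": "static.xx.fbcdn.net",     # outside every listed CIDR, PTR only
    "93.184.216.34": None,                     # no PTR record at all
    "203.0.113.9": "notfacebook.com",          # lookalike name must not match
}

def cidr_blocked(ip: str) -> bool:
    """Address rule: true when ip lies in any denied network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)

def ptr_blocked(ip: str, ptr_table: Dict[str, Optional[str]] = FAKE_PTR) -> bool:
    """Name rule: true only if a PTR exists and its trailing labels equal a denied domain."""
    name = ptr_table.get(ip)
    if not name:
        return False  # no reverse record: the rule has nothing to decide on
    labels = name.lower().rstrip(".").split(".")
    for dom in BLOCKED_DOMAINS:
        dl = dom.split(".")
        if labels[-len(dl):] == dl:  # label-wise, so "notfacebook.com" is not caught
            return True
    return False

def decide(ip: str, port: int) -> str:
    """Order used by the thread's rules: 443 to listed nets, then 443 by PTR, else allow."""
    if port == 443 and cidr_blocked(ip):
        return "DENY(cidr)"
    if port == 443 and ptr_blocked(ip):
        return "DENY(ptr)"
    return "ALLOW"

if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, decide(ip, 443))
```

Note that 69.0.0.0/8 and 124.0.0.0/8 each cover about 16.7 million addresses, so the address rule as quoted denies far more than Facebook. Connections made straight to an IP with no PTR, as dysmas describes for Skype, give the name rule nothing to match, which is why it falls through to the address rule or to allow.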
« Reply #39 on: Wednesday 23 October 2013, 11:06:44 pm »

That's pretty good info dear Suresh and Sree,

Is there any way to block YouTube and GTalk in a similar manner? Apart from that, video streaming needs to be blocked.

I tried blocking the IP for YouTube: 74.125.236.0/16