EFW Support

Support => EFW SMTP, HTTP, SIP, FTP Proxy Support => Topic started by: djtzar on Friday 27 February 2009, 10:39:02 pm



Title: https://facebook.com not blocked by proxy
Post by: djtzar on Friday 27 February 2009, 10:39:02 pm
I block facebook.com, but it seems there is a workaround where users change to https://facebook.com and can then access it. It blocks again on http://facebook.com/home.php? but then they just change it to https and it works! Is there some way to block the whole range of IPs for Facebook? I've tried with the Block List on the Content Filter, but it doesn't seem to be able to block https traffic.

Any suggestions?


Title: Re: https://facebook.com not blocked by proxy
Post by: gyp_the_cat on Saturday 28 February 2009, 02:44:27 am
I'm not sure why this isn't working for you, to be honest; we have
Quote from: /etc/dansguardian/blacklists/socialnetworking/domains
facebook.com
and it works fine.

You could always update your /etc/hosts to the following, I guess, if that still doesn't work:
Quote from: /etc/hosts
127.0.0.1     www.facebook.com
127.0.0.1     facebook.com


Title: Re: https://facebook.com not blocked by proxy
Post by: djtzar on Tuesday 03 March 2009, 02:54:34 am
I guess I didn't explain myself correctly: facebook.com gets blocked fine, it's the secure https that's posing the problem.



Title: Re: https://facebook.com not blocked by proxy
Post by: martec on Wednesday 04 March 2009, 01:48:08 am
Hi,

After reading your post I tried it... it's true! It does not block httpS traffic... (does all https traffic bypass the content filter?!?!?)...

I added facebook.com to the blacklist: if in the browser address bar I write http://facebook.com or http://www.facebook.com, Endian BLOCKS it, but if I write https://facebook.com ... the browser opens the site...

This is a BIG problem!!! The workaround is OK if nobody needs access to the site, but what if someone needs access???


Title: Re: https://facebook.com not blocked by proxy
Post by: npeterson on Wednesday 25 March 2009, 05:50:24 am
It works fine for me. What are your Allowed SSL ports? Are the clients in a bypass list?


Title: Re: https://facebook.com not blocked by proxy
Post by: djtzar on Friday 27 March 2009, 09:19:59 pm
No, clients are not in the bypass list; here are my allowed ports:

443 # https
563 # snews
3001 # ntop

Problem is I do need https access for certain sites. I've also added the whole IP block for Facebook, yet https traffic still gets passed.


Title: Re: https://facebook.com not blocked by proxy
Post by: npeterson on Saturday 28 March 2009, 07:34:53 am
And you are placing just "facebook.com" into the "Block the following sites" box on the content filtering page? Each entry on its own line, with no comment (#) lines in front of the address?


Title: Re: https://facebook.com not blocked by proxy
Post by: martec on Monday 30 March 2009, 08:56:36 pm
facebook.com is in the block list (tab Proxy - Content Filter) without # in front...

The SSL ports configured are (tab Proxy, Configuration, line "Allowed Ports and SSL Ports"):
443 # https
563 # snews
3001 # ntop

https://facebook.com is NOT blocked...



Title: Re: https://facebook.com not blocked by proxy
Post by: npeterson on Tuesday 31 March 2009, 08:21:09 am
What version of Endian do you run?
Have you made any manual changes to squid.conf?
Are you blocking port 443 on the firewall? And setting the clients to use proxy port 8080 for their SSL proxy?


Title: Re: https://facebook.com not blocked by proxy
Post by: jpgillivan on Wednesday 29 April 2009, 12:16:37 am
I tried this also and the https site let me in. However, every time I tried to do something it seemed that the web site kept reverting back to http:

If I place an S in there and make it https: then the page loads, but I have to do it on almost every page change. It might be enough to be a pain in the arse and deter users from going to that site.


Title: Re: https://facebook.com not blocked by proxy
Post by: jpgillivan on Tuesday 05 May 2009, 04:30:47 am
Apparently this does not apply to just Facebook: I tried http://www.plentyoffish.com and it was blocked by my blocked sites list in the content filter, but again, when using HTTPS it allows the site to load. My guess is that because port 443 is allowed in PROXY > HTTP > CONFIGURATION > ALLOWED PORTS AND SSL PORTS, the web page is bypassing the content filter.

The question now is: how to block the https sites that are listed in the content filter but allow all others to pass?


Title: Re: https://facebook.com not blocked by proxy
Post by: MAllam on Thursday 28 May 2009, 02:24:16 am
Hi,

Can I just say we are suffering from this too; whatever address we block can simply be overcome by typing in https://blockedomain.com instead ... really annoying!


Title: Re: https://facebook.com not blocked by proxy
Post by: jpgillivan on Thursday 28 May 2009, 03:27:25 am
OK. So, we are experiencing problems with Endian, so I put our old Netgear firewall back in play. It has site blocking by keyword. If I block facebook I cannot go to http://www.facebook.com, but I can still go to https://www.facebook.com. &%$*#^&* UGHHHHH. So...... my deduction is that this is not an Endian-specific issue but more of an HTTPS (port 443) issue.


Title: Re: https://facebook.com not blocked by proxy
Post by: npeterson on Friday 05 June 2009, 02:52:35 am
Hmm. I suspect that port 443 is open on your firewalls, thus bypassing your proxies. Endian ships with a rule to allow the green interface out by default. Make sure this is shut off (number 2 on mine): Firewall -> Outgoing traffic. There should not be a check mark in the box on the right, or change the rule to deny.


Title: Re: https://facebook.com not blocked by proxy
Post by: jpgillivan on Friday 05 June 2009, 04:26:46 am
npeterson, that doesn't make sense. Port 443 is tied to the https protocol just like port 80 is tied to http. Using your methodology, if I wanted to block http://www.facebook.com then I should disable port 80. Then all web sites would be blocked. Your suggestion is unacceptable. http://www.facebook.com is blocked using the content filter with port 80 enabled. There are many legit sites where one would have to use HTTPS (port 443), banking for example. The question is how to force Endian to filter HTTPS (port 443) traffic content.


Title: Re: https://facebook.com not blocked by proxy
Post by: npeterson on Friday 05 June 2009, 05:51:05 am
Squid is Endian's proxy agent. It proxies HTTP (80) and HTTPS (443) traffic. If you leave ports 80 and 443 open on the firewall, you are not going through Squid, or through the content filter DansGuardian. You are going straight out to the internet unfiltered. Period. Squid and DansGuardian do the filtering, not the operating system.

Your clients need to be set to use the proxy port 8080 for all traffic, not just http traffic.


Title: Re: https://facebook.com not blocked by proxy
Post by: jpgillivan on Friday 05 June 2009, 07:32:05 am
Then can you explain to me why http://www.facebook.com is blocked even though port 80 (FIREWALL > OUTGOING) is enabled and https://www.facebook.com is not?

I did set my web browser to the proxy 8080 and it did prevent the web site from displaying, but it didn't display the Endian page saying it was blocked when accessing the https site, just a 403 forbidden error. But it does display the Endian message when going to http. ???????

Any way around having to set the web browsers to use the proxy 8080? Can I safely set the proxy on Endian to port 80?


Title: Re: https://facebook.com not blocked by proxy
Post by: npeterson on Wednesday 10 June 2009, 01:34:00 am
Quote
Then can you explain to me why http://www.facebook.com is blocked even though port 80 (FIREWALL > OUTGOING) is enabled and https://www.facebook.com is not?

You're using transparent proxy. Linux (not the proxy) looks at the packet's destination, sees it's for port 80, and then has a rule to redirect that request to the proxy service.

Quote
I did set my web browser to the proxy 8080 and it did prevent the web site from displaying, but it didn't display the Endian page saying it was blocked when accessing the https site, just a 403 forbidden error. But it does display the Endian message when going to http. ???????

No, it doesn't. There may be a way to generate a message, but I haven't looked into it.

Quote
Any way around having to set the web browsers to use the proxy 8080? Can I safely set the proxy on Endian to port 80?

Yes, it's called Web Proxy Autodiscovery Protocol (WPAD): http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol. It's not hard, and there are 2 methods of setting this up: DNS or DHCP. The good thing is that the script is already made for you; Endian does it. The script is hosted on your fw as http://<fw name>/wpad.dat

So all that is left for you to do is create a DNS entry for wpad that points to your firewall and/or create a DHCP scope option #252 pointing to http://<fw name>/wpad.dat

Here's some reading from Microsoft: http://technet.microsoft.com/en-us/library/cc713344.aspx. It's talking about ISA firewall, but halfway down the page it starts into how to configure Microsoft DNS and DHCP options for WPAD, under Configuring WPAD Entries.


Title: Re: https://facebook.com not blocked by proxy
Post by: pkraus109 on Thursday 14 January 2010, 08:23:40 am
Not to perform some necromancy on this thread, but was a solution ever found as to how to display a page when https was blocked, rather than it just erroring?


Title: Re: https://facebook.com not blocked by proxy
Post by: a4tech2010 on Saturday 05 March 2011, 10:16:07 pm
Is Endian Firewall a port-based firewall? If yes, then maybe it can't or won't be able to filter those who are using / hiding behind SSL/443 ports. Now maybe this is what the box/solution lacks. There are firewalls out there that base their sessions/policy on applications instead of ports, which other apps / sites can tunnel through. To name a few, we have Palo Alto Networks, Juniper and SonicWall. But hoping that Endian can fix this soon.


Title: Re: https://facebook.com not blocked by proxy
Post by: laythingy59 on Tuesday 15 March 2011, 02:26:16 am
Surely there is a way to proxy https traffic and filter out the sites causing issues, like Facebook. I'm having the same issue and I have also set up site filtering using a Netgear router. Sure enough, it lets https traffic through.



Title: Re: https://facebook.com not blocked by proxy
Post by: hickmanr on Tuesday 15 March 2011, 06:39:58 am
Please see the topic below for a workaround and more information.

http://www.efwsupport.com/index.php?topic=2443.0


Title: Re: https facebook not blocked by proxy
Post by: phyrexian on Wednesday 23 March 2011, 03:37:35 am
To anyone who comes across this thread:
The problem you're experiencing is with your methodology. Someone a few comments back said:

Quote
that doesn't make sense.  port 443 is tied to the https protocol just like port 80 is tied to http. Using your methodology then if I wanted to block -website- then I should disable port 80.  Then all web sites would be blocked.  Your suggestion is unacceptable.

The problem with this concept is that the two protocols are NOT the same. A cache proxy CAN read the contents of an HTTP GET packet; it can take the "Host" header and apply a rule to the session based on its contents. HTTPS is not the same: HTTPS packets are encrypted from the endpoint device all the way to the server. Because of this, a proxy has no idea what the packet contains.

Most of the workarounds for this are simply to read what you can from the packet (the source/destination addresses) and try a reverse DNS lookup on the IP.
IF the IP reverses properly, your cache device can apply a rule, or it can simply apply a rule based on the source/dest IPs, but this will not prevent someone from sending their encrypted packets to a foreign proxy for further delivery.


If you are SERIOUS about what content your users need to be able to reach, you need to start approaching the situation as a whitelist rather than a blacklist: block everything, and only allow what people should be using. (IMHO: user training is a MUCH better solution than blocking anything at all.)


Title: Re: https://facebook.com not blocked by proxy
Post by: TheEricHarris on Sunday 04 December 2011, 04:59:07 am
So I also had smarter-than-average employees using httpS://facebook.com and other httpS:// URLs to get around my whitelist.

I am forcing IE to use my firewall's IP and port 8080 for the proxy settings. This blocks the httpS:// sites that are not on my whitelist for their group of IP addresses.

Kinda lame, but it works.


Title: Re: https://facebook.com not blocked by proxy
Post by: nicolethomson on Thursday 23 February 2012, 05:13:00 pm
This could be an old thread, but I am having this issue.

The transparent proxy stuff blocks only port 80, not the 443 stuff,

whereas if I do the manual changes in every browser ("Use proxy for all protocols") it does block them clearly.

Then the issue comes back when it comes to a bigger network of laptops ("annoying users", one might say); I can't do this every day at home and here ....

Is there a way to achieve transparent https content filtering too?
nic


Title: Re: https://facebook.com not blocked by proxy
Post by: mrkroket on Friday 24 February 2012, 03:38:28 am
It's a recurring question. Except for the very advanced ones, transparent proxies can't filter out HTTPS by default.
HTTPS is a secure channel; anything that intercepts it should be considered an attack.
HTTPS requests are very different: they are encrypted packets going out to a numerical IP, and there is no way the proxy can intercept the URL request without breaking the whole SSL security.
Having said that, I prefer this issue rather than a crippled HTTPS security that who-knows-who can sniff.

Non-transparent proxy solves that problem. About configuring clients on non-transparent: with the proxy.pac they should be automatically configured; you only have to enable the automatic proxy config in IE. I barely need to tweak clients once the system is set up correctly. With Active Directory, users get through the non-transparent proxy in a "transparent" way: the proxy doesn't ask for credentials, domain credentials are used automatically. So if you use Windows + Active Directory, non-transparent works great. There are some issues with pages on non-standard ports, but it's OK.

If you use transparent, your only way is to block/mask either DNS requests or IPs of forbidden webpages. Use Edit Hosts to block DNS and the outgoing firewall to block IPs.
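For the WPAD/proxy.pac approach mentioned by npeterson and mrkroket above, here is an illustrative PAC script added to this thread (it is not Endian's generated wpad.dat). It assumes the filtering proxy listens at 192.0.2.1:8080, an internal domain of corp.example and a LAN of 192.168.1.0/24; the browser calls FindProxyForURL for every scheme, so https:// requests are sent through the proxy too.

```javascript
// Illustrative wpad.dat / proxy.pac (added example, not Endian's own script).
// Assumed values: proxy 192.0.2.1:8080, internal domain corp.example, LAN 192.168.1.0/24.
// Only plain JavaScript is used (no PAC helper functions), so it also runs in Node.
var PROXY = "PROXY 192.0.2.1:8080";
var FIREWALL_IP = "192.0.2.1";
var INTERNAL_DOMAIN = ".corp.example";
var LAN_PREFIX = "192.168.1.";

function endsWith(str, suffix) {
  return str.length >= suffix.length && str.slice(-suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();

  // Plain host names (no dot) and the internal domain stay direct.
  if (h.indexOf(".") === -1 || endsWith(h, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Loopback, the LAN itself and the firewall's own GUI stay direct.
  if (h === "127.0.0.1" || h === FIREWALL_IP || h.indexOf(LAN_PREFIX) === 0) {
    return "DIRECT";
  }
  // Everything else, http AND https (and ftp), goes to the filtering proxy.
  // Deliberately no "; DIRECT" fallback: if the proxy is down the browser
  // must fail closed instead of going straight out around the content filter.
  return PROXY;
}
```

Pair this with the outgoing firewall change the thread describes (no open 80/443 from the green zone), otherwise a user who disables automatic proxy configuration simply goes direct.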


Title: Re: https://facebook.com not blocked by proxy
Post by: almondpolintan on Friday 30 March 2012, 04:06:17 pm
Hey mrkroket, help me.

My question is here;
any help ..

I use 2.5.1.

Transparent or non-transparent proxy enabled


I received this error when accessing any website using http:

ERROR


The requested URL could not be retrieved
While trying to retrieve the URL:

The following error was encountered:
The request or reply is too large.


If you are making a POST or PUT request, then your request body
(the thing you are trying to upload) is too large. If you are
making a GET request, then the reply body (what you are trying
to download) is too large. These limits have been established
by the Internet Service Provider who operates this cache. Please
contact them directly if you feel this is an error.

Your cache administrator is webmaster.

Endian Firewall - Powered by Squid


Title: Re: https://facebook.com not blocked by proxy
Post by: kashifmax on Wednesday 11 April 2012, 06:03:44 pm
mrkroket is right.

This is not an EFW issue; you cannot redirect SSL traffic by any means, as it is called "man in the middle". You can only use the content filter to restrict traffic, or use the ssl bump flag in Squid, which is of course not recommended :-( For smaller organizations, let's say 100-200 employees, set the proxy on their browsers; this way you can allow or block HTTP/HTTPS traffic. But larger than the specified numbers, use squidguard/dansguardian with squid (transparently), because setting the proxy will be a headache...


Title: Re: https://facebook.com not blocked by proxy
Post by: dysmas on Monday 23 July 2012, 09:59:18 pm
I think I understood the important posts by phyrexian and mrkroket.

The full answer to blocking https is the non transparent proxy.
Detailed explanation here:

http://www.efwsupport.com/index.php?topic=525.msg9654#msg9654


Title: Re: https://facebook.com not blocked by proxy
Post by: nishith on Saturday 08 September 2012, 01:34:45 pm
Use "Non Transparent" proxy. I am using the same & no one can access "facebook" from any angle.

Nishith


Title: Re: https://facebook.com not blocked by proxy
Post by: dysmas on Saturday 08 September 2012, 07:24:54 pm
When I use "non transparent proxy", I instantly have access to the whole web. This means the non transparent proxy will work only if a computer is specially configured to use the proxy. And what if a user is competent enough to change this configuration? He will get access to anything.
Since you have made a configuration which is close to what I want, could you provide some explanation of where I must look to prevent what I just said: with non transparent, at first, any computer has access to the Internet.


Title: Re: https://facebook.com not blocked by proxy
Post by: speccompsol on Sunday 09 September 2012, 03:07:29 am
To use the 'non-transparent' proxy, you must also disable (or delete) the outgoing firewall setting for port 80 for the zone that the 'non-transparent' proxy is assigned to. By doing so, a computer in the 'non-transparent' zone cannot access web pages without using the proxy.


Title: Re: https facebook not blocked by proxy
Post by: Monty on Saturday 03 November 2012, 07:37:07 am
Hi, sorry to reactivate this thread again. I fully understand the nature of the problem with HTTPS and transparent proxies; my question is about Endian:

Quote
Most of the workarounds for this are simply to read what you can from the packet, (the source/destination addresses) and try to reverse DNS lookup the IP.
IF the IP reverses properly your cache device can apply a rule, or can simply apply a rule based on the source/dest IP's,   but this will not prevent someone from sending their encrypted packets to a foreign proxy for further delivery.

Despite the remaining issues, this is actually what I am after (it is the right solution for the environment I want to deploy it into).

Could anyone tell me how easy it is to implement this with Endian? (I.e. just do reverse DNS on the destination address; if it resolves to a facebook (etc.) domain on a given list, block it.)

Quote
Unless the very advanced ones, transparent proxies can't filter out HTTPS by default.

Other than by reverse IP, what other methods are transparent proxies using?

The paid version of Untangle webfilter seems to block HTTPS, but I think it is just doing reverse IP on the packets. Does anyone know for sure?

And again, my main question is: how easy is it to set up a reverse DNS block on HTTPS traffic using Endian?
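To make phyrexian's explanation concrete, and to answer Monty's question about what a transparent proxy can go on besides reverse IP, here is an added Node.js example that is not code from the thread or from Endian. It parses the first packet of a connection: for plain HTTP it recovers the Host header and path; for HTTPS it goes one step beyond what the thread describes and reads the hostname from the TLS ClientHello's Server Name Indication (SNI), which is the one cleartext name a filter can see without decrypting. All inputs are constructed in the block (buildClientHello, HTTP_REQ), so it runs offline.

```javascript
// Added illustration (not from the thread or Endian): what a transparent proxy can
// read from the first bytes of a connection without decrypting anything.

// Plain HTTP: request line and Host header are cleartext, so a filter can match
// the whole URL (the port-80 case that the thread says DansGuardian blocks fine).
function httpRequestInfo(buf) {
  const text = buf.toString('latin1');
  const end = text.indexOf('\r\n\r\n');
  if (end < 0) return null;
  const lines = text.slice(0, end).split('\r\n');
  const [method, path] = lines[0].split(' ');
  const hostLine = lines.find((l) => /^host:/i.test(l));
  return { scheme: 'http', method, host: hostLine ? hostLine.slice(5).trim() : null, path };
}

// HTTPS: the only hostname on the wire is the SNI in the ClientHello; path, headers
// and body are encrypted. A client that omits or fakes SNI defeats this, so it is a
// hint that the outgoing firewall (IP-based rules) still has to back up.
function tlsClientHelloSni(buf) {
  if (buf.length < 44 || buf[0] !== 0x16 || buf[5] !== 0x01) return null; // not a ClientHello
  let p = 43;                          // record(5) + handshake(4) + version(2) + random(32)
  p += 1 + buf[p];                     // session id
  p += 2 + buf.readUInt16BE(p);        // cipher suites
  p += 1 + buf[p];                     // compression methods
  if (p + 2 > buf.length) return null; // no extensions block at all
  const extEnd = p + 2 + buf.readUInt16BE(p);
  p += 2;
  while (p + 4 <= extEnd && p + 4 <= buf.length) {
    const type = buf.readUInt16BE(p);
    const len = buf.readUInt16BE(p + 2);
    if (type === 0x0000) {             // server_name: list len(2), name type(1), name len(2), name
      const nameLen = buf.readUInt16BE(p + 7);
      return buf.toString('ascii', p + 9, p + 9 + nameLen);
    }
    p += 4 + len;
  }
  return null;
}

// What the filter can decide on for one connection, plus a DansGuardian-style
// domain-list match (an entry matches the domain itself and its subdomains).
function transparentView(firstPacket) {
  if (firstPacket[0] === 0x16) return { scheme: 'https', host: tlsClientHelloSni(firstPacket), path: null };
  return httpRequestInfo(firstPacket);
}
function matchesBlocklist(host, domains) {
  if (!host) return false;
  const h = host.toLowerCase();
  return domains.some((d) => h === d || h.endsWith('.' + d));
}

// Constructed inputs (test data, not captures): a ClientHello with one SNI entry
// and a plain HTTP request like the one the thread says gets blocked.
function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; }
function buildClientHello(hostname) {
  const name = Buffer.from(hostname, 'ascii');
  const sni = Buffer.concat([Buffer.from([0, 0]), u16(name.length + 5), u16(name.length + 3),
    Buffer.from([0]), u16(name.length), name]);
  const body = Buffer.concat([Buffer.from([3, 3]), Buffer.alloc(32, 0x11), Buffer.from([0]),
    u16(2), Buffer.from([0x13, 0x01]), Buffer.from([1, 0]), u16(sni.length), sni]);
  const hs = Buffer.concat([Buffer.from([1, 0]), u16(body.length), body]); // type + 24-bit length
  return Buffer.concat([Buffer.from([0x16, 3, 1]), u16(hs.length), hs]);
}
const HTTP_REQ = Buffer.from('GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n', 'latin1');
```

For the HTTPS case transparentView returns the hostname and no path, which is exactly why a URL-based content filter cannot show its block page for https:// and why the thread ends up at IP-based outgoing rules or a non-transparent proxy.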


Title: Re: https://facebook.com not blocked by proxy
Post by: dysmas on Thursday 14 February 2013, 04:52:25 am
Thanks to @nishith and @speccompsol: using Non transparent proxy is really the good solution to filter https. Just in case it can help others, here is what you have to do:

1) In Firewall/Outgoing traffic, remove the lines which allow traffic on ports 80 and 443.
2) Set proxy to Non transparent.
3) In Proxy/Authentication click "Manage users" and add some users.
4) If you want, click "Manage groups" and create some groups.
5) In Proxy/Access Policy, modify your policies:
      Set Authentication to user based or group based, and select one (or several) user(s) or group(s).

Update.
At this point, no one has access to the Internet.

To give a user access to the Internet, you must go to his computer and, in Internet Properties / Connections / Network settings [in Windows XP, or find the equivalent in your OS], you MUST set a proxy, indicating the IP address of your EFW and port 8080 (if you have kept this value, which is the default in EFW).

Now this user, when he wants to connect to the Internet, will receive a small window asking for authentication. He just has to enter it, and he has access to the corresponding policies. https is perfectly blocked by this system.

Well... it is so well blocked that presently I cannot access Skype! Because when establishing a connection, Skype tries to connect to a site by IP address, and there are hundreds of addresses, and I cannot add all of them to a policy. If I allow all destinations (with ANY as destination), then I can access Skype, which is normal. But if I use a proxy, it is because I don't want to give full access. When the proxy was set to transparent, I didn't notice the problem because Skype at this point connects over https and for this reason it worked. But now it no longer works. This is good proof that the proxy, when set to non transparent, can block Skype, Facebook and so on. Once I have found the way to access Skype without giving full access to the Internet, I will post it here. But if someone knows the answer, I am happy to hear it.

 


Title: Re: https://facebook.com not blocked by proxy
Post by: jeremycald on Saturday 16 February 2013, 01:50:27 am
Would not transparent proxy also work so you don't have to visit every workstation?


Title: Re: https://facebook.com not blocked by proxy
Post by: dysmas on Saturday 16 February 2013, 02:49:46 am
I am unsure of the meaning of your question, so the answer may be inaccurate.

Transparent proxy cannot block https (connections on port 443). To control https connections, a non transparent proxy is necessary, with the consequence that you have to visit every workstation. If you are not interested in controlling https connections, then transparent mode is the good solution.


Title: Re: https://facebook.com not blocked by proxy
Post by: jeremycald on Tuesday 19 February 2013, 06:41:29 am
Quote
I am unsure of the meaning of your question, so the answer may be inaccurate.

Transparent proxy cannot block https (connections on port 443). To control https connections, a non transparent proxy is necessary, with the consequence that you have to visit every workstation. If you are not interested in controlling https connections, then transparent mode is the good solution.

Learn something new every day. Thanks for the non-flaming response.


Title: Block https facebook in transparent proxy
Post by: sourcebreak on Saturday 02 March 2013, 07:40:56 pm
In Endian Firewall >> Firewall >> Outgoing firewall,
create a new rule to Deny port 443 for
173.252.0.0/16
69.0.0.0/8
31.13.0.0/16
72.246.0.0/16
124.0.0.0/8

This will block https facebook.

Regards - Suresh


Title: Re: https://facebook.com not blocked by proxy
Post by: sree on Friday 10 May 2013, 11:19:06 pm
Make an outgoing firewall rule for the IPs and networks below (Facebook) on port 443 and block it; your normal 443 works perfectly and https://facebook.com will get blocked.

173.252.0.0/16
69.0.0.0/8
31.13.0.0/16
72.246.0.0/16
124.0.0.0/8
69.63.184.142
69.63.187.17
69.63.187.19
69.63.181.11
69.63.181.12


Cheers~
Sree.


Title: Re: https://facebook.com not blocked by proxy
Post by: nicolethomson on Wednesday 23 October 2013, 11:06:44 pm
That's pretty good info, dear Suresh and Sree.

Is there any way to block YouTube and GTalk in a similar manner? Apart from that, video streaming needs to be blocked.

I tried blocking the IP for YouTube: 74.125.236.0/16