Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
I can't block tcp 443 on a wholesale basis; we need it for lots of stuff. If I can do it for a single domain, I'm there.

Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School
www.pvpa.org

On Jul 1, 2010, at 5:50 PM, Jim Pingle wrote:

> On 6/30/2010 4:29 PM, Luke Jaeger wrote:
>> thanks Jim - I got the impression from reading the pfsense forum that there is a way to block https for specific domains by denying the connect method - am I understanding this wrong?
>
> That would still require they be routed through squid. Denying a connect method is a function of squid, not of the firewall. (Though by blocking port tcp/443 you can effectively deny that, unless it's running on an alternate port...)
>
>> Otherwise I might give WPAD a try.
>
> There's a doc in the wiki which goes over how to configure it on pfSense. It's not too hard, assuming the browsers are set for auto-configure.
>
> Jim

To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
On Fri, Jul 2, 2010 at 8:03 AM, Luke Jaeger ad...@pvpa.org wrote:

> I can't block tcp 443 on a wholesale basis; we need it for lots of stuff. If I can do it for a single domain, I'm there.

The idea is to set up a non-transparent proxy for all traffic and block any traffic not using the proxy. The whole purpose of https is to prevent a third party (in this case your firewall) from seeing anything above the minimum routing information (source and destination IP address). I think WPAD is the way to go for this one.

(Where I went to high school, they somehow blocked certain https sites, but I think it was by IP and the subscription service they used for the block list actually listed all the IPs for facebook and other blocked sites.)
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
On 30/06/10 21:29, Luke Jaeger wrote:

> thanks Jim - I got the impression from reading the pfsense forum that there is a way to block https for specific domains by denying the connect method - am I understanding this wrong?

you should definitely be able to create an ACL for access to facebook, something like this:

|# matches facebook.com and every subdomain
|acl facebook_domains dstdomain .facebook.com
|always_direct deny facebook_domains

as someone else said, you'll need to block tcp:443 outbound and tell people to use the proxy, and then probably add this - NOT TESTED, this is cut/paste/hack stuff (adapted from my config to allow MSN to work using squid connect)

|# CONNECT is the method a browser uses to tunnel https through the proxy
|acl facebook_methods method CONNECT
|# deny only when both ACLs match: CONNECT to a facebook domain
|http_access deny facebook_methods facebook_domains
|always_direct deny facebook_methods
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
On 6/30/2010 4:29 PM, Luke Jaeger wrote:

> thanks Jim - I got the impression from reading the pfsense forum that there is a way to block https for specific domains by denying the connect method - am I understanding this wrong?

That would still require they be routed through squid. Denying a connect method is a function of squid, not of the firewall. (Though by blocking port tcp/443 you can effectively deny that, unless it's running on an alternate port...)

> Otherwise I might give WPAD a try.

There's a doc in the wiki which goes over how to configure it on pfSense. It's not too hard, assuming the browsers are set for auto-configure.

Jim
[pfSense Support] blocking https:facebook.com via squidguard pfsense gui
I decided to enable transparent proxy on my school firewall because I was getting a million requests a day to configure proxy settings on student laptops.

But now that I turned on transparent proxy, students have discovered that they can get to banned sites (like facebook) via https. http://www.facebook.com is blocked but https://www.facebook.com still works.

Can someone let me know how to block these? I understand I have to deny the 'connect method' but don't see where to do this. Can this only be done in command line?

Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School
www.pvpa.org
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
On 6/30/2010 4:00 PM, Luke Jaeger wrote:

> I decided to enable transparent proxy on my school firewall because I was getting a million requests a day to configure proxy settings on student laptops.
>
> But now that I turned on transparent proxy, students have discovered that they can get to banned sites (like facebook) via https. http://www.facebook.com is blocked but https://www.facebook.com still works.
>
> Can someone let me know how to block these? I understand I have to deny the 'connect method' but don't see where to do this. Can this only be done in command line?

You cannot transparently proxy SSL connections. You would have to deny outbound access to port 443 and if they want SSL, they must configure the proxy settings into their browser(s) either by hand or automatically with something like WPAD.

Jim
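
The WPAD approach recommended in the reply above, as an added example that is not part of the original thread: a minimal `wpad.dat` (PAC file) that sends every external request, https included, to Squid so that a `CONNECT` ACL can see it. The proxy address 192.168.1.1:3128 and the helper name `isPrivateIPv4` are assumptions for illustration.

```javascript
// wpad.dat / proxy.pac -- added example, not from the thread.
// Assumption: Squid listens on 192.168.1.1:3128 (placeholder address).
// PAC engines run old JavaScript, so this sticks to ES5 syntax and avoids
// browser-only helpers so it can also be checked outside a browser.

var PROXY = "PROXY 192.168.1.1:3128"; // assumed proxy address

// True for dotted-quad literals in RFC 1918 or loopback ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  if (a > 255 || b > 255 || +m[3] > 255 || +m[4] > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names and private addresses skip the proxy.
  if (/^[a-z0-9_-]+$/.test(host) || isPrivateIPv4(host)) return "DIRECT";
  // Everything else goes to Squid. For https the browser then sends
  // "CONNECT host:443" to the proxy, which is the request a
  // "method CONNECT" ACL combined with a dstdomain ACL can deny.
  // No "; DIRECT" fallback: if the proxy is unreachable the request
  // fails instead of going around the filter.
  return PROXY;
}
```

This only enforces anything together with the firewall rule from the thread: outbound tcp/443 from clients must be denied so that browsers ignoring the PAC file cannot connect directly.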
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
thanks Jim - I got the impression from reading the pfsense forum that there is a way to block https for specific domains by denying the connect method - am I understanding this wrong?

Otherwise I might give WPAD a try.

Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School
www.pvpa.org

On Jun 30, 2010, at 4:06 PM, Jim Pingle wrote:

> On 6/30/2010 4:00 PM, Luke Jaeger wrote:
>> I decided to enable transparent proxy on my school firewall because I was getting a million requests a day to configure proxy settings on student laptops.
>>
>> But now that I turned on transparent proxy, students have discovered that they can get to banned sites (like facebook) via https. http://www.facebook.com is blocked but https://www.facebook.com still works.
>>
>> Can someone let me know how to block these? I understand I have to deny the 'connect method' but don't see where to do this. Can this only be done in command line?
>
> You cannot transparently proxy SSL connections. You would have to deny outbound access to port 443 and if they want SSL, they must configure the proxy settings into their browser(s) either by hand or automatically with something like WPAD.
>
> Jim
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
If you don't want any www.facebook.com connections at all you can use the DNS Forwarder to change its IP to something else...

On 30 June 2010 17:29, Luke Jaeger ad...@pvpa.org wrote:

> thanks Jim - I got the impression from reading the pfsense forum that there is a way to block https for specific domains by denying the connect method - am I understanding this wrong?
>
> Otherwise I might give WPAD a try.
>
> Luke Jaeger | Technology Coordinator
> Pioneer Valley Performing Arts Charter Public School
> www.pvpa.org
>
> On Jun 30, 2010, at 4:06 PM, Jim Pingle wrote:
>
>> On 6/30/2010 4:00 PM, Luke Jaeger wrote:
>>> I decided to enable transparent proxy on my school firewall because I was getting a million requests a day to configure proxy settings on student laptops.
>>>
>>> But now that I turned on transparent proxy, students have discovered that they can get to banned sites (like facebook) via https. http://www.facebook.com is blocked but https://www.facebook.com still works.
>>>
>>> Can someone let me know how to block these? I understand I have to deny the 'connect method' but don't see where to do this. Can this only be done in command line?
>>
>> You cannot transparently proxy SSL connections. You would have to deny outbound access to port 443 and if they want SSL, they must configure the proxy settings into their browser(s) either by hand or automatically with something like WPAD.
>>
>> Jim

--
Those of you who think you know it all upset us who do!
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
2010/6/30 Luke Jaeger ad...@pvpa.org

> I decided to enable transparent proxy on my school firewall because I was getting a million requests a day to configure proxy settings on student laptops.
>
> But now that I turned on transparent proxy, students have discovered that they can get to banned sites (like facebook) via https. http://www.facebook.com is blocked but https://www.facebook.com still works.
>
> Can someone let me know how to block these? I understand I have to deny the 'connect method' but don't see where to do this. Can this only be done in command line?
>
> Luke Jaeger | Technology Coordinator
> Pioneer Valley Performing Arts Charter Public School
> www.pvpa.org

Try this:

To block this you have to add a rule like:

Destination:
Type: Network
Address: 66.220.144.0/20

See:
- http://wiki.developers.facebook.com/index.php/Facebook_IP_Addresses
- whois 69.63.189.16

--
Luis G. Coralle
Departamento de Informática
Facultad de Ciencias Médicas
Universidad Nacional del Comahue
Av. Luis Toschi y Los Arrayanes
Cipolletti - Río Negro
Tel. 0299 - 4782603 INT. 24 / Fax 0299 - 4776140
http://medicina.uncoma.edu.ar/