On 9/3/2012 1:09 PM, Emiliano Vazquez wrote:
> Hi everyone.
>
> I'm trying to block the Ultrasurf program [1]. At this moment this is not 
> working at all. I have read a lot of docs on the internet and tried different 
> ways to do this.
>
> This time I tried to block Ultrasurf through Shorewall using 
> /etc/shorewall/params.
>
> I will explain everything I did; please feel free to ask.
>
> ##########################################
> /etc/shorewall/rules
>
> DROP            loc        net:$IPPROXY    TCP     -
> ##########################################
> /etc/shorewall/params
> IPPROXY=
> in this I put the IPs separated by commas
> ##########################################
>
> I created a script [2] to search for Ultrasurf, running on a specific 
> machine with no users and a scheduled task running the program every 180 
> seconds.
> I do this because this program uses TCP port number 443 and it's not 
> possible to tell the difference between Ultrasurf and Skype or HTTPS.
>
> The question is: I found a lot of IPs [3] and blocked them, but I find 
> new IPs every time, and I have two doubts:
>
> 1. Will Shorewall support so many IPs? About 5000 different IPs.
> 2. Some day will I find every IP of this program? This is a known 
> response: never. I know.
>
> I hope some people see this post and don't try the same.
>
> There is another way to block it, but I don't know how to do it! When the 
> program runs, in tcpdump I see this line:
>
>  162.128.69.91.53 > 192.168.122.178.1398: [udp sum ok] 2 q: A? 
> qmaigzn.info. 4/0/0 qmaigzn.info. [3m] CNAME 
> 35admq.3wllj9822.qmaigzn.info., 35admq.3wllj9822.qmaigzn.info. [3m] CNAME 
> 35adm.q2pys11up2.qmaigzn.info., 35adm.q2pys11up2.qmaigzn.info. [3m] CNAME 
> 35admq.z979oefjm.qmaigzn.info., 35admq.z979oefjm.qmaigzn.info. [3m] A 
> 206.223.154.230 (139)
>
> which seems to be the way Ultrasurf gets the information to get connected 
> again and again and again :P
>
> Any help will be appreciated.
>
> Best regards.
>
>
> [1] http://ultrasurf.us/
>
> [2] http://pastebin.com/1jhRCJc7
>
> [3] http://pastebin.com/0GXCEGak
>
>
>
>
> -- 
> Emiliano Vazquez | PcCentro S.R.L.
> White 1611 | C.P. C1407IJG| C.A.B.A.
> Office: +54 (11) 4635-7764
> Celular: 15.6253.7165
> Mail: [email protected]
> Web: http://www.pccentro.com.ar
>
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

That tcpdump packet is a domain lookup for qmaigzn.info. Looks like the 
best way to block this is to have the DNS return 127.0.0.1 for anything 
in that domain.

From the website, Ultrasurf even has a Firefox plugin.

Bill
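
The DNS approach suggested in the reply above, as an added example that is not part of the original thread: it parses tcpdump DNS reply lines like the one quoted, finds the zone shared by the query name and its CNAME chain, and emits a sinkhole entry returning 127.0.0.1. It assumes dnsmasq is the local resolver (the thread names no DNS server); the function names are hypothetical.

```python
import re

# tcpdump line from the post, with the archive's <http://...> link residue removed.
SAMPLE = (
    "162.128.69.91.53 > 192.168.122.178.1398: [udp sum ok] 2 q: A? qmaigzn.info. "
    "4/0/0 qmaigzn.info. [3m] CNAME 35admq.3wllj9822.qmaigzn.info., "
    "35admq.3wllj9822.qmaigzn.info. [3m] CNAME 35adm.q2pys11up2.qmaigzn.info., "
    "35adm.q2pys11up2.qmaigzn.info. [3m] CNAME 35admq.z979oefjm.qmaigzn.info., "
    "35admq.z979oefjm.qmaigzn.info. [3m] A 206.223.154.230 (139)"
)

def parse_dns_response(line):
    """Return (query_name, [(owner, rtype, rdata), ...]) or None if not a DNS reply."""
    m = re.search(r"q: \S+\? (\S+?)\.? \d+/\d+/\d+ (.*)$", line)
    if not m:
        return None
    records = []
    for rr in m.group(2).split(", "):
        r = re.match(r"(\S+?)\.? \[[^\]]*\] (\S+) (\S+)", rr)
        if r:
            records.append((r.group(1).lower(), r.group(2), r.group(3).rstrip(".").lower()))
    return m.group(1).lower(), records

def common_zone(names, min_labels=2):
    """Longest DNS suffix shared by all names, or None if under min_labels."""
    # Assumption: no public-suffix list is consulted; min_labels=2 only stops a
    # bare TLD from being emitted, so names under e.g. co.uk need manual review.
    shared = []
    for labels in zip(*(n.split(".")[::-1] for n in names)):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    return ".".join(reversed(shared)) if len(shared) >= min_labels else None

def sinkhole_lines(tcpdump_lines, sink_ip="127.0.0.1"):
    """Build dnsmasq address= lines, one per zone seen in the DNS replies."""
    zones = set()
    for line in tcpdump_lines:
        parsed = parse_dns_response(line)
        if not parsed:
            continue
        qname, records = parsed
        names = [qname]
        for owner, rtype, rdata in records:
            names += [owner, rdata] if rtype == "CNAME" else [owner]
        zone = common_zone(names)
        if zone:
            zones.add(zone)
    return [f"address=/{z}/{sink_ip}" for z in sorted(zones)]
```

The sinkhole only affects clients that resolve through this dnsmasq instance.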

