Blocking Ultrasurf with pfSense 2.0

codemarauder

I prefer to use Snort for this.

Create a separate rule file that includes the ultrasurf rule copied from "policy.rules" of Emerging Threats. Now, add a new Snort sensor on LAN interface that has just this rule enabled. Check the box to "block" the offenders on the source side for 1 hour, 3 hours, 1 day or 1 week as you find suitable.

Since Ultrasurf is a policy violation and offenders ideally should be dealt with at Layer 8 (corporate / HR policy), this will discourage people from using Ultrasurf altogether and administration will always remain in the know of them.

mcchin

I have develop a service run in Window XP and win7 to kill the ultrasurf once found it was running. If you interest this software, I can send to you and help me to test.

jamffers

sir mcchin what Action and what Inteface on this steps

7. After the pfBlockerpfUltrasurf rule, add new rule
a) Proto: TCP/UDP
b) Source: LAN address
c) Port: *
d) Destination: LAN address
e) Port: 53 (DNS)
f) Gateway: *

8. Add another new rule after the rule on step 7.
a) Proto: TCP/UDP
b) Source: *
c) Port: *
d) Destination: !LAN address
e) Port: 53 (DNS)
f) Gateway: *

9. Apply this new settings.

firatnemis

@jamffers:

sir mcchin what Action and what Inteface on this steps

7. After the pfBlockerpfUltrasurf rule, add new rule
a) Proto: TCP/UDP
b) Source: LAN address
c) Port: *
d) Destination: LAN address
e) Port: 53 (DNS)
f) Gateway: *

8. Add another new rule after the rule on step 7.
a) Proto: TCP/UDP
b) Source: *
c) Port: *
d) Destination: !LAN address
e) Port: 53 (DNS)
f) Gateway: *

9. Apply this new settings.

is it working ? Just when we block 53 is it okey ?

m4st3rc1p0

@mcchin can you send me the apps you are talking.

georgio777

@codemarauder:

I prefer to use Snort for this.

Create a separate rule file that includes the ultrasurf rule copied from "policy.rules" of Emerging Threats. Now, add a new Snort sensor on LAN interface that has just this rule enabled. Check the box to "block" the offenders on the source side for 1 hour, 3 hours, 1 day or 1 week as you find suitable.

Since Ultrasurf is a policy violation and offenders ideally should be dealt with at Layer 8 (corporate / HR policy), this will discourage people from using Ultrasurf altogether and administration will always remain in the know of them.

I agree with codemarauder on this one, I created a Snort rule and I have been able to block those users that use UltraSurf, it works pretty great.

Here is the rule:

# Rules by Jorge Talamas
alert udp $HOME_NET any -> any 53 (msg:"DNS Request for www.hfdxjshm.info"; content:"|03|www|08|hfdxjshm|04|info"; metadata:service dns; nocase; classtype:policy-violation; sid:1232313; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"DNS Request for www.rvzjon.info"; content:"|03|www|06|rvzjon|04|info"; metadata:service dns; nocase; classtype:policy-violation; sid:1232314; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"DNS Request for www.ukwprf.info"; content:"|03|www|06|ukwprf|04|info"; metadata:service dns; nocase; classtype:policy-violation; sid:1232315; rev:1;)

# Rule by SERPRO-Recife Security Team
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Possible External Ultrasurf DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:policy-violation; detection_filter:track by_src, count 1, seconds 5; sid:1000059; rev:2;)

# IP POOL by Jorge Talamas
var ULTRASURF_POOL [1.160.0.0/16,1.161.122.228/32,1.162.0.0/16,1.163.233.171/32,1.168.0.0/13,12.48.83.220/32,24.11.192.218/31,36.227.0.15/32,36.227.75.242/32,36.229.197.181/32,36.232.154.1/32,46.22.213.8/32,46.22.214.10/32,46.37.175.62/32,46.37.180.174/32,46.105.135.99/32,46.105.135.123/32,46.105.151.18/32,46.105.224.154/32,58.138.34.200/32,59.104.160.0/19,59.112.0.0/15,59.115.0.0/16,59.121.0.0/16,61.31.128.0/19,61.62.0.0/17,61.62.192.0/18,61.216.0.0/17,61.216.128.0/18,61.223.0.0/16,61.224.0.0/16,61.227.0.0/16,61.228.0.0/16,61.230.0.0/15,63.215.202.0/24,63.223.86.79/32,63.223.100.58/32,63.223.101.44/32,63.223.102.73/32,63.223.103.77/32,63.223.124.119/32,63.226.208.180/31,63.245.209.30/31,64.4.44.80/31,64.25.35.100/31,64.25.35.200/31,64.37.73.8/32,64.120.138.55/32,64.120.206.154/32,64.191.20.238/32,64.191.124.239/32,65.49.2.12/31,65.49.14.0/24,65.175.93.68/32,65.175.93.72/32,65.175.93.76/32,66.201.71.143/32,66.201.71.145/32,66.245.218.2/31,67.19.60.8/31,68.65.210.20/32,68.65.238.190/32,69.61.28.24/32,69.61.28.51/32,69.162.176.238/32,69.162.177.246/32,69.162.177.250/32,69.162.179.250/32,69.162.180.238/32,69.162.180.244/32,69.162.180.250/32,69.162.181.241/32,69.162.181.248/32,69.162.182.250/32,69.162.183.246/32,69.162.185.239/32,69.162.185.247/32,69.162.186.245/32,69.162.187.239/32,69.162.189.240/32,69.162.189.246/32,69.162.190.247/32,69.162.191.248/32,70.32.68.126/31,72.21.194.0/24,72.21.203.148/31,72.21.211.170/31,72.21.214.0/24,72.69.176.100/31,74.80.131.100/32,74.80.152.203/32,74.80.167.179/32,74.80.181.109/32,74.127.24.68/32,74.127.52.39/32,74.127.52.42/32,76.191.99.99/32,76.191.102.131/32,76.191.103.56/32,76.191.105.5/32,76.191.105.20/32,76.191.114.32/32,80.79.125.53/32,91.121.253.92/32,95.143.33.144/32,95.143.33.179/32,96.9.133.170/32,96.9.174.174/32,101.128.162.236/31,111.240.0.0/14,111.248.0.0/13,112.104.0.0/17,112.104.128.0/18,112.104.192.0/19,112.105.64.0/18,112.105.128.0/19,112.105.192.0/18,113.197.194.198/31,114.24.0.0/14,114.36.0.0/14,114.40.0.0/13,118.160.0.0/15,118.165.0.0/16,118.166.0.0/15,118.168.0.0/14,122.118.0.0/16,122.120.0.0/14,122.124.162.0/24,122.125.0.0/16,122.126.0.0/15,123.204.74.103/32,123.204.96.0/19,123.205.224.0/19,124.8.72.25/32,124.9.128.0/17,124.11.53.0/24,124.11.128.0/17,124.12.0.0/17,125.224.0.0/15,125.227.0.0/16,125.229.0.0/16,125.230.0.0/16,125.231.91.188/31,125.232.0.0/15,126.126.189.185/32,128.120.32.96/31,129.59.210.100/31,149.5.113.168/32,173.208.227.209/32,173.212.193.131/32,173.212.193.142/32,173.212.193.156/32,174.24.248.14/31,175.180.64.0/18,175.180.128.0/17,175.181.64.0/18,175.181.128.0/17,175.182.0.0/17,184.26.194.70/31,184.82.51.116/32,184.82.113.169/32,184.82.137.235/32,184.82.145.69/32,184.82.205.136/32,195.43.51.21/32,199.114.216.57/32,199.114.217.39/32,199.114.219.83/32,199.114.219.93/32,199.217.100.54/32,199.217.101.32/32,199.217.101.61/32,199.217.102.49/32,203.67.0.0/19,203.67.116.201/32,203.73.50.4/31,203.73.55.210/31,203.73.192.0/18,205.251.242.164/31,207.195.235.35/32,207.195.235.195/32,208.117.17.239/32,208.117.18.242/32,208.117.19.250/32,208.117.22.249/32,208.117.23.246/32,208.117.26.239/32,208.117.27.241/32,208.117.29.246/32,208.117.29.250/32,208.117.31.240/32,210.64.96.0/19,211.74.96.0/19,211.74.191.68/31,212.69.166.19/32,212.69.169.54/32,212.69.191.38/32,212.69.191.237/32,216.13.11.50/31,216.13.113.50/31,216.15.183.18/32,216.15.183.27/32,216.198.215.3/32,216.198.220.120/32,216.198.220.126/32,218.160.0.0/14,218.165.0.0/16,218.166.0.0/15,218.168.0.0/14,218.173.0.0/16,218.174.0.0/15,219.80.130.234/31,219.84.192.0/18,219.85.128.0/17,220.100.55.208/32,220.129.0.0/16,220.131.0.0/16,220.136.0.0/16,220.138.0.0/16,220.141.0.0/16,220.142.0.0/15]

alert tcp $HOME_NET any -> $ULTRASURF_POOL 443 (msg:"Ultrasurf Connection Detected"; flow:established; classtype:policy-violation; sid:5000000; rev:3;)
alert tcp $HOME_NET any -> $ULTRASURF_POOL 10000 (msg:"Ultrasurf Connection Detected"; flow:established; classtype:policy-violation; sid:5000001; rev:3;)

Have fun!

technical

Super it is working thank you sou much.

@georgio777:

@codemarauder:

I prefer to use Snort for this.

Create a separate rule file that includes the ultrasurf rule copied from "policy.rules" of Emerging Threats. Now, add a new Snort sensor on LAN interface that has just this rule enabled. Check the box to "block" the offenders on the source side for 1 hour, 3 hours, 1 day or 1 week as you find suitable.

Since Ultrasurf is a policy violation and offenders ideally should be dealt with at Layer 8 (corporate / HR policy), this will discourage people from using Ultrasurf altogether and administration will always remain in the know of them.

I agree with codemarauder on this one, I created a Snort rule and I have been able to block those users that use UltraSurf, it works pretty great.

Here is the rule:

# Rules by Jorge Talamas
alert udp $HOME_NET any -> any 53 (msg:"DNS Request for www.hfdxjshm.info"; content:"|03|www|08|hfdxjshm|04|info"; metadata:service dns; nocase; classtype:policy-violation; sid:1232313; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"DNS Request for www.rvzjon.info"; content:"|03|www|06|rvzjon|04|info"; metadata:service dns; nocase; classtype:policy-violation; sid:1232314; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"DNS Request for www.ukwprf.info"; content:"|03|www|06|ukwprf|04|info"; metadata:service dns; nocase; classtype:policy-violation; sid:1232315; rev:1;)

# Rule by SERPRO-Recife Security Team
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Possible External Ultrasurf DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:policy-violation; detection_filter:track by_src, count 1, seconds 5; sid:1000059; rev:2;)

# IP POOL by Jorge Talamas
var ULTRASURF_POOL [1.160.0.0/16,1.161.122.228/32,1.162.0.0/16,1.163.233.171/32,1.168.0.0/13,12.48.83.220/32,24.11.192.218/31,36.227.0.15/32,36.227.75.242/32,36.229.197.181/32,36.232.154.1/32,46.22.213.8/32,46.22.214.10/32,46.37.175.62/32,46.37.180.174/32,46.105.135.99/32,46.105.135.123/32,46.105.151.18/32,46.105.224.154/32,58.138.34.200/32,59.104.160.0/19,59.112.0.0/15,59.115.0.0/16,59.121.0.0/16,61.31.128.0/19,61.62.0.0/17,61.62.192.0/18,61.216.0.0/17,61.216.128.0/18,61.223.0.0/16,61.224.0.0/16,61.227.0.0/16,61.228.0.0/16,61.230.0.0/15,63.215.202.0/24,63.223.86.79/32,63.223.100.58/32,63.223.101.44/32,63.223.102.73/32,63.223.103.77/32,63.223.124.119/32,63.226.208.180/31,63.245.209.30/31,64.4.44.80/31,64.25.35.100/31,64.25.35.200/31,64.37.73.8/32,64.120.138.55/32,64.120.206.154/32,64.191.20.238/32,64.191.124.239/32,65.49.2.12/31,65.49.14.0/24,65.175.93.68/32,65.175.93.72/32,65.175.93.76/32,66.201.71.143/32,66.201.71.145/32,66.245.218.2/31,67.19.60.8/31,68.65.210.20/32,68.65.238.190/32,69.61.28.24/32,69.61.28.51/32,69.162.176.238/32,69.162.177.246/32,69.162.177.250/32,69.162.179.250/32,69.162.180.238/32,69.162.180.244/32,69.162.180.250/32,69.162.181.241/32,69.162.181.248/32,69.162.182.250/32,69.162.183.246/32,69.162.185.239/32,69.162.185.247/32,69.162.186.245/32,69.162.187.239/32,69.162.189.240/32,69.162.189.246/32,69.162.190.247/32,69.162.191.248/32,70.32.68.126/31,72.21.194.0/24,72.21.203.148/31,72.21.211.170/31,72.21.214.0/24,72.69.176.100/31,74.80.131.100/32,74.80.152.203/32,74.80.167.179/32,74.80.181.109/32,74.127.24.68/32,74.127.52.39/32,74.127.52.42/32,76.191.99.99/32,76.191.102.131/32,76.191.103.56/32,76.191.105.5/32,76.191.105.20/32,76.191.114.32/32,80.79.125.53/32,91.121.253.92/32,95.143.33.144/32,95.143.33.179/32,96.9.133.170/32,96.9.174.174/32,101.128.162.236/31,111.240.0.0/14,111.248.0.0/13,112.104.0.0/17,112.104.128.0/18,112.104.192.0/19,112.105.64.0/18,112.105.128.0/19,112.105.192.0/18,113.197.194.198/31,114.24.0.0/14,114.36.0.0/14,114.40.0.0/13,118.160.0.0/15,118.165.0.0/16,118.166.0.0/15,118.168.0.0/14,122.118.0.0/16,122.120.0.0/14,122.124.162.0/24,122.125.0.0/16,122.126.0.0/15,123.204.74.103/32,123.204.96.0/19,123.205.224.0/19,124.8.72.25/32,124.9.128.0/17,124.11.53.0/24,124.11.128.0/17,124.12.0.0/17,125.224.0.0/15,125.227.0.0/16,125.229.0.0/16,125.230.0.0/16,125.231.91.188/31,125.232.0.0/15,126.126.189.185/32,128.120.32.96/31,129.59.210.100/31,149.5.113.168/32,173.208.227.209/32,173.212.193.131/32,173.212.193.142/32,173.212.193.156/32,174.24.248.14/31,175.180.64.0/18,175.180.128.0/17,175.181.64.0/18,175.181.128.0/17,175.182.0.0/17,184.26.194.70/31,184.82.51.116/32,184.82.113.169/32,184.82.137.235/32,184.82.145.69/32,184.82.205.136/32,195.43.51.21/32,199.114.216.57/32,199.114.217.39/32,199.114.219.83/32,199.114.219.93/32,199.217.100.54/32,199.217.101.32/32,199.217.101.61/32,199.217.102.49/32,203.67.0.0/19,203.67.116.201/32,203.73.50.4/31,203.73.55.210/31,203.73.192.0/18,205.251.242.164/31,207.195.235.35/32,207.195.235.195/32,208.117.17.239/32,208.117.18.242/32,208.117.19.250/32,208.117.22.249/32,208.117.23.246/32,208.117.26.239/32,208.117.27.241/32,208.117.29.246/32,208.117.29.250/32,208.117.31.240/32,210.64.96.0/19,211.74.96.0/19,211.74.191.68/31,212.69.166.19/32,212.69.169.54/32,212.69.191.38/32,212.69.191.237/32,216.13.11.50/31,216.13.113.50/31,216.15.183.18/32,216.15.183.27/32,216.198.215.3/32,216.198.220.120/32,216.198.220.126/32,218.160.0.0/14,218.165.0.0/16,218.166.0.0/15,218.168.0.0/14,218.173.0.0/16,218.174.0.0/15,219.80.130.234/31,219.84.192.0/18,219.85.128.0/17,220.100.55.208/32,220.129.0.0/16,220.131.0.0/16,220.136.0.0/16,220.138.0.0/16,220.141.0.0/16,220.142.0.0/15]

alert tcp $HOME_NET any -> $ULTRASURF_POOL 443 (msg:"Ultrasurf Connection Detected"; flow:established; classtype:policy-violation; sid:5000000; rev:3;)
alert tcp $HOME_NET any -> $ULTRASURF_POOL 10000 (msg:"Ultrasurf Connection Detected"; flow:established; classtype:policy-violation; sid:5000001; rev:3;)

Have fun!

CrackBlue

Try this.

I have created an alias of LEGALPORTS (80, 443, 53, 3128 and some ports you consider necessary) to be allowed, then from the Firewall Rule, i added outbound connections for LAN specifying LEGALPORTS as their destination ports. I have not tested this one out for ultrasurf but works for blocking torrents. But will try anyway on my side.

Thanks.

Nonsense

Steve:

Well, the plot thickens, unfortunately, my situation has gone from bad to worse. In the midst of experimenting with alternate "modem access" configurations on pfSense last night I lost the connection with my Viking modem card. I restored two of my prior-working configurations to no avail: pfSense is not able to talk to my modem. I can no longer connect to the internet and I cannot ping my modem's IP address inside pfSense. pfSense, however, sees the adapter on my modem and the modem is syncing with my ISP's DSLAM (pppoE over Ethernet over ATM–my ISP records show the ATM path established).

I can't imagine how any changes I made to pfSense would have caused this problem, as I have reset and reconfigured it several times. I did make some changes to my modem configuration, however, while I had access to it and while I still had internet access through it. I changed its password as well as its date and time settings--these changes should have had no effect on connectivity. I also changed its default access IP address (I did not change its subnet)--again, this change should not have affected connectivity. Additionally, however, I compulsively changed its MTU setting from 1500 to 1492 (located in the same gui screen area as the IP address setting)--I have a feeling that this change may be the culpret--perhaps the modem does not like this latter setting changed when it is in bridge mode. I violated my trusted dictum in making these changes--change only one variable at a time and reboot the system between changes when you are unsure what the results might be.

So I wasted another four hours on this project last night. The Viking card has been a grand time consumer: it is neither well documented nor supported by its manufacturer--who is almost impossible to contact via e-mail--and the card is no longer in production. My next step will be to do a hardware reset of the card--then I will see if I can access it in pfSense and switch it back into bridge mode via telnet. This task will be a bear, as I will have to pull my 1U rack-mounted unit out of its cabinet, open its chassis, and access the reset pins on the Viking card--the card is mounted face down on a 90 degree riser in the chassis, so I may have to pull it out to find its reset pins.

So that is how I will be spending my Thanksgiving weekend.

dyrandz

The steps above is not working using the new version of Ultrasurf >:(.

-Randy

dyrandz

Updated Custom Lists:

65.49.14.0/24
63.215.202.0/24
207.171.185.0/24
207.171.189.0/24
72.21.194.31/31
101.128.162.237/31
175.180.102.77/31
122.120.64.0/24
111.255.130.151/31
1.160.238.30/31
124.12.53.63/31
220.136.246.137/31
70.32.68.127/31
207.171.163.151/31
175.180.85.181/31
129.59.210.101/31
174.24.248.14/31
114.25.182.57/31
114.39.201.136/31
72.21.194.33/31
124.11.175.111/31
61.230.180.191/31
72.21.214.0/24
124.11.174.122/31
207.171.187.117/31
111.254.118.171/31
218.169.205.131/31
112.104.197.114/31
72.21.194.0/24
111.242.22.245/31
220.141.106.42/31
111.250.193.106/31
111.249.177.164/31
114.25.11.175/31
114.39.205.22/31
205.251.242.164/31
72.21.203.148/31
61.223.97.169/31
124.12.53.63/31
65.49.14.0/24
124.11.175.28/31
122.121.19.6/31
65.49.2.13/31
24.11.192.219/31
220.136.246.137/31
63.215.202.6/31
114.40.37.203/31
72.69.176.100/31
114.47.85.88/31
112.105.119.46/31
123.204.125.161/31
184.26.194.70/31
1.169.120.246/31
1.160.0.0/16
1.162.0.0/16
1.168.0.0/16
1.169.0.0/16
1.170.0.0/16
1.171.0.0/16
1.172.0.0/16
1.173.0.0/16
1.174.0.0/16
1.175.0.0/16
114.45.170.0/24
122.124.162.0/24
65.49.14.0/24
61.223.97.0/24
124.12.53.0/24
112.104.197.0/24
124.11.53.0/24
216.13.11.51/31
72.21.211.170/31
122.126.124.13/31
61.230.180.173/31
111.255.145.159/31
101.128.162.237/31
124.11.170.214/31
1.160.120.246/31
124.11.192.176/31
124.12.54.173/31
112.105.77.240/31
220.141.154.81/31
114.47.113.94/31
67.19.60.8/31
64.25.35.201/31
124.12.32.176/31
211.74.191.69/31
64.4.44.80/31
125.230.125.163/31
64.25.35.101/31
175.181.112.39/31
207.171.163.161/31
114.46.161.107/31
63.245.209.31/31
128.120.32.97/31
112.105.87.62/31
216.13.113.51/31
218.165.24.161/31
118.171.193.179/31
70.32.68.127/31
59.112.114.149/31
113.197.194.199/31
59.113.2.250/31
111.242.6.218/31
124.9.197.126/31
114.25.0.2/31
124.11.196.43/31
111.254.211.65/31
66.245.218.3/31
203.73.50.4/31
124.11.224.38/31
1.170.151.113/31
218.167.224.59/31
125.231.91.189/31
218.167.224.113/31
61.230.182.171/31
207.171.163.225/31
203.73.55.210/31
63.226.208.181/31
59.112.116.233/31
207.171.163.3/31
125.232.184.53/31
175.182.30.182/31
114.40.42.214/31
219.80.130.235/31
59.112.115.93/31
218.173.162.58/31
111.255.132.243/31
111.254.214.163/31
111.240.152.228/31
1.169.171.87/31
122.125.36.24/31
111.242.37.253/31
61.230.113.122/31
124.11.189.196/31
218.169.182.134/31
118.160.104.136/31
114.25.7.27/31
207.171.163.195/31
114.47.69.24/31
124.11.224.197/31
114.40.26.207/31
111.250.71.235/31
124.11.229.119/31
114.41.64.36/31
111.242.3.157/31
111.255.138.181/31
114.40.31.114/31
114.37.111.204/31
114.25.19.121/31
111.242.36.94/31
218.167.4.85/31
114.25.1.44/31
70.32.68.127/31
118.96.153.161/31
114.41.25.53/31
122.121.17.23/31
111.255.130.127/31
114.40.40.229/31
111.255.132.2/31
118.171.194.210/31
111.242.8.4/31
118.214.82.70/31
114.39.204.244/31
118.170.208.85/31
125.224.242.61/31
118.169.59.42/31
114.40.117.58/31
107.20.223.211/31
65.49.2.18/31
124.11.227.214/31
124.12.56.57/31
118.169.59.42/31
122.125.1.93/31
61.228.34.89/31
65.49.14.0/24
65.49.2.0/24
118.160.0.0/13
63.216.0.0/13
199.14.0.0/16
199.11.0.0/16
199.12.0.0/15
97.76.0.0/14
220.129.0.0/16
220.130.0.0/15
220.132.0.0/14
220.136.0.0/13
114.32.0.0/12
199.114.216.0/21
118.168.0.0/14
96.9.128.0/18
176.31.59.64/26
46.37.180.160/28
69.61.18.64/26
65.49.14.0/24
87.117.245.128/25
46.22.212.64/27
37.59.199.224/27
121.102.0.0/16
64.120.128.0/17
125.224.0.0/13
149.5.0.0/16
122.120.0.0/13
61.220.0.0/14
61.224.0.0/14
122.118.0.0/16
184.82.0.0/16
124.8.0.0/14
124.12.0.0/16
80.79.125.32/27
46.22.214.0/27
207.195.224.0/20
112.104.0.0/15
212.69.191.192/27
76.191.100.0/22
111.240.0.0/12
59.104.0.0/15
211.74.0.0/17
216.81.80.0/20
69.61.15.0/26
114.24.0.0/14
36.224.0.0/12
66.201.64.0/18
96.9.128.0/18
124.147.64.0/18
175.180.0.0/14
69.61.0.0/17
66.160.128.0/18
66.160.192.0/20
70.48.0.0/13
1.160.0.0/12
212.69.191.32/27
173.208.128.0/17
93.186.169.64/26
80.79.112.32/27
216.198.220.96/27
218.160.0.0/12
61.31.0.0/16
212.69.166.0/27

I was able to stop Ultrasurf 12.07

badul

;D yahooo…thank a lot guys...and especially to mr mcchin...Thanks. You've just made my day...but some of the staff didn't like this... :P hehehehehehehe

haha222

Thank you very much for this topic. It make me reduce my problem and increases time in my life.

johnnybe

@dyrandz:

Updated Custom Lists:
…
I was able to stop Ultrasurf 12.07

Didn't work with Ultrasurf 12.07. Works with Ultrasurf 12.01.

dyrandz

Update pfBlock Lists:

65.49.14.0/24
63.215.202.0/24
207.171.185.0/24
207.171.189.0/24
72.21.194.31/31
101.128.162.237/31
175.180.102.77/31
122.120.64.0/24
111.255.130.151/31
1.160.238.30/31
124.12.53.63/31
220.136.246.137/31
70.32.68.127/31
207.171.163.151/31
175.180.85.181/31
129.59.210.101/31
174.24.248.14/31
114.25.182.57/31
114.39.201.136/31
72.21.194.33/31
124.11.175.111/31
61.230.180.191/31
72.21.214.0/24
124.11.174.122/31
207.171.187.117/31
111.254.118.171/31
218.169.205.131/31
112.104.197.114/31
72.21.194.0/24
111.242.22.245/31
220.141.106.42/31
111.250.193.106/31
111.249.177.164/31
114.25.11.175/31
114.39.205.22/31
205.251.242.164/31
72.21.203.148/31
61.223.97.169/31
124.12.53.63/31
65.49.14.0/24
124.11.175.28/31
122.121.19.6/31
65.49.2.13/31
24.11.192.219/31
220.136.246.137/31
63.215.202.6/31
114.40.37.203/31
72.69.176.100/31
114.47.85.88/31
112.105.119.46/31
123.204.125.161/31
184.26.194.70/31
1.169.120.246/31
1.160.0.0/16
1.162.0.0/16
1.168.0.0/16
1.169.0.0/16
1.170.0.0/16
1.171.0.0/16
1.172.0.0/16
1.173.0.0/16
1.174.0.0/16
1.175.0.0/16
114.45.170.0/24
122.124.162.0/24
65.49.14.0/24
61.223.97.0/24
124.12.53.0/24
112.104.197.0/24
124.11.53.0/24
216.13.11.51/31
72.21.211.170/31
122.126.124.13/31
61.230.180.173/31
111.255.145.159/31
101.128.162.237/31
124.11.170.214/31
1.160.120.246/31
124.11.192.176/31
124.12.54.173/31
112.105.77.240/31
220.141.154.81/31
114.47.113.94/31
67.19.60.8/31
64.25.35.201/31
124.12.32.176/31
211.74.191.69/31
64.4.44.80/31
125.230.125.163/31
64.25.35.101/31
175.181.112.39/31
207.171.163.161/31
114.46.161.107/31
63.245.209.31/31
128.120.32.97/31
112.105.87.62/31
216.13.113.51/31
218.165.24.161/31
118.171.193.179/31
70.32.68.127/31
59.112.114.149/31
113.197.194.199/31
59.113.2.250/31
111.242.6.218/31
124.9.197.126/31
114.25.0.2/31
124.11.196.43/31
111.254.211.65/31
66.245.218.3/31
203.73.50.4/31
124.11.224.38/31
1.170.151.113/31
218.167.224.59/31
125.231.91.189/31
218.167.224.113/31
61.230.182.171/31
207.171.163.225/31
203.73.55.210/31
63.226.208.181/31
59.112.116.233/31
207.171.163.3/31
125.232.184.53/31
175.182.30.182/31
114.40.42.214/31
219.80.130.235/31
59.112.115.93/31
218.173.162.58/31
111.255.132.243/31
111.254.214.163/31
111.240.152.228/31
1.169.171.87/31
122.125.36.24/31
111.242.37.253/31
61.230.113.122/31
124.11.189.196/31
218.169.182.134/31
118.160.104.136/31
114.25.7.27/31
207.171.163.195/31
114.47.69.24/31
124.11.224.197/31
114.40.26.207/31
111.250.71.235/31
124.11.229.119/31
114.41.64.36/31
111.242.3.157/31
111.255.138.181/31
114.40.31.114/31
114.37.111.204/31
114.25.19.121/31
111.242.36.94/31
218.167.4.85/31
114.25.1.44/31
70.32.68.127/31
118.96.153.161/31
114.41.25.53/31
122.121.17.23/31
111.255.130.127/31
114.40.40.229/31
111.255.132.2/31
118.171.194.210/31
111.242.8.4/31
118.214.82.70/31
114.39.204.244/31
118.170.208.85/31
125.224.242.61/31
118.169.59.42/31
114.40.117.58/31
107.20.223.211/31
65.49.2.18/31
124.11.227.214/31
124.12.56.57/31
118.169.59.42/31
122.125.1.93/31
61.228.34.89/31
65.49.14.0/24
65.49.2.0/24
118.160.0.0/13
63.216.0.0/13
199.14.0.0/16
199.11.0.0/16
199.12.0.0/15
97.76.0.0/14
220.129.0.0/16
220.130.0.0/15
220.132.0.0/14
220.136.0.0/13
114.32.0.0/12
199.114.216.0/21
118.168.0.0/14
96.9.128.0/18
176.31.59.64/26
46.37.180.160/28
69.61.18.64/26
65.49.14.0/24
87.117.245.128/25
46.22.212.64/27
37.59.199.224/27
121.102.0.0/16
64.120.128.0/17
125.224.0.0/13
149.5.0.0/16
122.120.0.0/13
61.220.0.0/14
61.224.0.0/14
122.118.0.0/16
184.82.0.0/16
124.8.0.0/14
124.12.0.0/16
80.79.125.32/27
46.22.214.0/27
207.195.224.0/20
112.104.0.0/15
212.69.191.192/27
76.191.100.0/22
111.240.0.0/12
59.104.0.0/15
211.74.0.0/17
216.81.80.0/20
69.61.15.0/26
114.24.0.0/14
36.224.0.0/12
66.201.64.0/18
96.9.128.0/18
124.147.64.0/18
175.180.0.0/14
69.61.0.0/17
66.160.128.0/18
66.160.192.0/20
70.48.0.0/13
1.160.0.0/12
212.69.191.32/27
173.208.128.0/17
93.186.169.64/26
80.79.112.32/27
216.198.220.96/27
218.160.0.0/12
61.31.0.0/16
212.69.166.0/27
64.228.0.0/14
218.187.112.0/20
204.101.111.0/24

johnnybe

@dyrandz:

Update pfBlock Lists:

….

Very nice, dyrandz!
Now it works with Ultrasurf 12.07 using Alias/Rule. But, while Ultrasurf is running, you can't go anywhere. Even browse the pfSense GUI is blocked. LOL.
2.1-BETA0 (amd64)
built on Mon Nov 19 09:10:59 EST 2012
FreeBSD 8.3-RELEASE-p4

Edit 12/02: Running Ultrasurf as Administrator (Windows 7) it can reach the servers. :(

ultrasurf_block.png_thumb

dyrandz

Please follow the instruction at page 1 first post, mcchin wrote it.

mcchin

@m4st3rc1p0:

@mcchin can you send me the apps you are talking.

You can download from link at the post #4

mcchin

Update custome list for Ultrasurf 12.10

65.49.14.0/24
63.215.202.0/24
207.171.185.0/24
207.171.189.0/24
72.21.194.31/31
101.128.162.237/31
175.180.102.77/31
122.120.64.0/24
111.255.130.151/31
1.160.238.30/31
124.12.53.63/31
220.136.246.137/31
70.32.68.127/31
207.171.163.151/31
175.180.85.181/31
129.59.210.101/31
174.24.248.14/31
114.25.182.57/31
114.39.201.136/31
72.21.194.33/31
124.11.175.111/31
61.230.180.191/31
72.21.214.0/24
124.11.174.122/31
207.171.187.117/31
111.254.118.171/31
218.169.205.131/31
112.104.197.114/31
72.21.194.0/24
111.242.22.245/31
220.141.106.42/31
111.250.193.106/31
111.249.177.164/31
114.25.11.175/31
114.39.205.22/31
205.251.242.164/31
72.21.203.148/31
61.223.97.169/31
124.12.53.63/31
65.49.14.0/24
124.11.175.28/31
122.121.19.6/31
65.49.2.13/31
24.11.192.219/31
220.136.246.137/31
63.215.202.6/31
114.40.37.203/31
72.69.176.100/31
114.47.85.88/31
112.105.119.46/31
123.204.125.161/31
184.26.194.70/31
1.169.120.246/31
1.160.0.0/16
1.162.0.0/16
1.168.0.0/16
1.169.0.0/16
1.170.0.0/16
1.171.0.0/16
1.172.0.0/16
1.173.0.0/16
1.174.0.0/16
1.175.0.0/16
114.45.170.0/24
122.124.162.0/24
65.49.14.0/24
61.223.97.0/24
124.12.53.0/24
112.104.197.0/24
124.11.53.0/24
216.13.11.51/31
72.21.211.170/31
122.126.124.13/31
61.230.180.173/31
111.255.145.159/31
101.128.162.237/31
124.11.170.214/31
1.160.120.246/31
124.11.192.176/31
124.12.54.173/31
112.105.77.240/31
220.141.154.81/31
114.47.113.94/31
67.19.60.8/31
64.25.35.201/31
124.12.32.176/31
211.74.191.69/31
64.4.44.80/31
125.230.125.163/31
64.25.35.101/31
175.181.112.39/31
207.171.163.161/31
114.46.161.107/31
63.245.209.31/31
128.120.32.97/31
112.105.87.62/31
216.13.113.51/31
218.165.24.161/31
118.171.193.179/31
70.32.68.127/31
59.112.114.149/31
113.197.194.199/31
59.113.2.250/31
111.242.6.218/31
124.9.197.126/31
114.25.0.2/31
124.11.196.43/31
111.254.211.65/31
66.245.218.3/31
203.73.50.4/31
124.11.224.38/31
1.170.151.113/31
218.167.224.59/31
125.231.91.189/31
218.167.224.113/31
61.230.182.171/31
207.171.163.225/31
203.73.55.210/31
63.226.208.181/31
59.112.116.233/31
207.171.163.3/31
125.232.184.53/31
175.182.30.182/31
114.40.42.214/31
219.80.130.235/31
59.112.115.93/31
218.173.162.58/31
111.255.132.243/31
111.254.214.163/31
111.240.152.228/31
1.169.171.87/31
122.125.36.24/31
111.242.37.253/31
61.230.113.122/31
124.11.189.196/31
218.169.182.134/31
118.160.104.136/31
114.25.7.27/31
207.171.163.195/31
114.47.69.24/31
124.11.224.197/31
114.40.26.207/31
111.250.71.235/31
124.11.229.119/31
114.41.64.36/31
111.242.3.157/31
111.255.138.181/31
114.40.31.114/31
114.37.111.204/31
114.25.19.121/31
111.242.36.94/31
218.167.4.85/31
114.25.1.44/31
70.32.68.127/31
118.96.153.161/31
114.41.25.53/31
122.121.17.23/31
111.255.130.127/31
114.40.40.229/31
111.255.132.2/31
118.171.194.210/31
111.242.8.4/31
118.214.82.70/31
114.39.204.244/31
118.170.208.85/31
125.224.242.61/31
118.169.59.42/31
114.40.117.58/31
107.20.223.211/31
65.49.2.18/31
124.11.227.214/31
124.12.56.57/31
118.169.59.42/31
122.125.1.93/31
61.228.34.89/31
65.49.14.0/24
65.49.2.0/24
118.160.0.0/13
63.216.0.0/13
199.14.0.0/16
199.11.0.0/16
199.12.0.0/15
97.76.0.0/14
220.129.0.0/16
220.130.0.0/15
220.132.0.0/14
220.136.0.0/13
114.32.0.0/12
199.114.216.0/21
118.168.0.0/14
96.9.128.0/18
176.31.59.64/26
46.37.180.160/28
69.61.18.64/26
65.49.14.0/24
87.117.245.128/25
46.22.212.64/27
37.59.199.224/27
121.102.0.0/16
64.120.128.0/17
125.224.0.0/13
149.5.0.0/16
122.120.0.0/13
61.220.0.0/14
61.224.0.0/14
122.118.0.0/16
184.82.0.0/16
124.8.0.0/14
124.12.0.0/16
80.79.125.32/27
46.22.214.0/27
207.195.224.0/20
112.104.0.0/15
212.69.191.192/27
76.191.100.0/22
111.240.0.0/12
59.104.0.0/15
211.74.0.0/17
216.81.80.0/20
69.61.15.0/26
114.24.0.0/14
36.224.0.0/12
66.201.64.0/18
96.9.128.0/18
124.147.64.0/18
175.180.0.0/14
69.61.0.0/17
66.160.128.0/18
66.160.192.0/20
70.48.0.0/13
1.160.0.0/12
212.69.191.32/27
173.208.128.0/17
93.186.169.64/26
80.79.112.32/27
216.198.220.96/27
218.160.0.0/12
61.31.0.0/16
212.69.166.0/27
64.228.0.0/14
218.187.112.0/20
204.101.111.0/24
118.171.236.62/32
183.0.0.0/10
219.80.0.0/15

johnnybe

Thanks a lot, mcchin.