Blocking Internet access via specific browser
-
Using Snort
alert ip any any <> any any (msg:"appID Opera/Opera Mini"; appid: opera opera_mini; classtype:policy-violation; sid:13465012; rev:1;)
F.
-
Using Snort
I'd rather leave those Opera Mini people browse whatever they wish than break everyone else on the way…
-
Opera Mini people are a dangerous kind… ;)
"I just want to know whether it is possible to block "X-Forwarded-For" traffic in pfsense? If so then how to do it :)"
You can use this rule too...
alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"No Proxied or Random Agent Spoofer"; content:"X-Forwarded-For"; http_header; classtype:policy-violation; sid:13465013; rev:1;)
-
Seriously, have you investigated some saner approaches? Like, blocking outgoing DNS except for whitelisted servers via firewall rules?
-
Seriously, have you investigated some saner approaches? Like, blocking outgoing DNS except for whitelisted servers via firewall rules?
I tried blocking the DNS queries by adding the following rules
Rule 1
Action: Pass
Protocol: TCP/UDP
Src: Any
Src Port: Any
Dest: Lan Address
Port : 53 (DNS)Rule 2
Action: Block
Protocol: TCP/UDP
Src: Any
Src Port: Any
Dest: Any
Dest Port: 53 (DNS)When I enforce these rules I am able to browse the internet normally, but opera mini is still managing to bypass. Either I have done mistake in adding the rules or else opera mini has some really great proxies :(
-
How is Opera getting around the firewall? Just because an IP checker comes up with a different value?? If you have a web proxy set up, surely you've blocked LAN access to 80/443 so that nothing can get out past the filter? Have you configured WPAD on pfSense? Opera appears to support WPAD.
-
@KOM:
How is Opera getting around the firewall? Just because an IP checker comes up with a different value?? If you have a web proxy set up, surely you've blocked LAN access to 80/443 so that nothing can get out past the filter?
Ok let me explain how Opera and Opera Mini works. The browser has a setting called turbo mode, Opera browser has the option to choose between normal browsing and turbo mode browsing. When in normal mode, it passes through the pfsense, but when turbo mode is enabled it tunnels the traffic through one of its own proxy servers by setting "X-Forwarded-For: IP Address" to serve webpages quickly. On the other hand Opera Mini is by default turbo mode enabled, so it always bypasses the firewall by connecting to its proxy server.
@KOM:
Have you configured WPAD on pfSense? Opera appears to support WPAD.
I haven't configured WPAD on pfsense. I will try to configure WPAD and check how the Opera mini works.
-
Does Turbo mode actually do anything? How is fetching content from some proxy somewhere over the Ether faster than fetching it from its original source?? Whatever.
https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
In a nutshell:
- create wpad.dat:
function FindProxyForURL(url,host)
{
return "PROXY your.proxy.ip.address:3128";
}- copy wpad.dat to /usr/local/www
- copy /usr/local/www/wpad.dat to wpad.da, wspad.dat and proxy.pac
- create WPAD DNS entry that points to your pfSense box
- create DHCP option 252 for WPAD and point it to http://pfsense.host.name/wpad.dat
- ensure Autodetect Proxy is set in your browser settings
-
I'm unsure what you're asking here. Do you want to block all access from opera-mini? Or just the sites blocked for other browsers?
Since Opera mini is not the exclusive browser on any device (as far as I know) blocking it completely may be acceptable for you.Steve
-
@KOM:
Does Turbo mode actually do anything? How is fetching content from some proxy somewhere over the Ether faster than fetching it from its original source?? Whatever.
https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
In a nutshell:
- create wpad.dat:
function FindProxyForURL(url,host)
{
return "PROXY your.proxy.ip.address:3128";
}- copy wpad.dat to /usr/local/www
- copy /usr/local/www/wpad.dat to wpad.da, wspad.dat and proxy.pac
- create WPAD DNS entry that points to your pfSense box
- create DHCP option 252 for WPAD and point it to http://pfsense.host.name/wpad.dat
- ensure Autodetect Proxy is set in your browser settings
I will try this and reply back to the forum :)
-
I'm unsure what you're asking here. Do you want to block all access from opera-mini? Or just the sites blocked for other browsers?
Since Opera mini is not the exclusive browser on any device (as far as I know) blocking it completely may be acceptable for you.Steve
Sir, I am using pfsense+nsfilter package for URL filtering and YouTube education. I was testing whether filtering is working properly in the desktop/laptops with IE,Chrome, Firefox, Safari and Opera and results were satisfactory. I tested the same in Smartphones and Tablets with the same set of browsers. Apart from Opera Mini every other browser is passing through the firewall and filtering rules are enforced, but in Opera Mini it is completely bypassing the firewall. When I check "What is my IP" in IE, Chrome etc it shows the IP of pfsense, but in Opera mini it is showing different IP. When I went through some docs I found out that Opera Mini appends the header with "X-Forwarded-For" with some different client IP. It is serving webpages through different proxy servers.
Have a look at what it is capable of doing
http://www.theregister.co.uk/2009/11/24/opera_mini_and_china/
-
Definitely block 80 and 443 on LAN. Force everything to use the proxy or else they don't get to talk.
Thanks for the article. I now see that the main purpose of their proxy is to lower the bandwidth required, which may or may not speed up browsing but should lower bandwidth used on mobile.
-
Since the Opera proxy is not intended to bypass filtering, that's not its primary purpose, it might be possible to get a list of its proxy IP addresses and just filter all requests to them. That's if disabling Opera-mini completely is an acceptable solution to you.
Steve
-
@KOM:
How is Opera getting around the firewall? Just because an IP checker comes up with a different value??
It does not use the DHCP assigned DNS server, and it does not use the DHCP assigned proxy either. Kinda obvious when you Google it.
-
Kinda obvious when you Google it.
Why should I waste my precious time typing like a sucker when I've got people like you to keep me informed? ;D
-
I'm unsure what you're asking here. Do you want to block all access from opera-mini? Or just the sites blocked for other browsers?
Since Opera mini is not the exclusive browser on any device (as far as I know) blocking it completely may be acceptable for you.Steve
I believe blocking Opera Mini is part of the solution, their might be many other browsers which work in similar way.
-
@KOM:
Definitely block 80 and 443 on LAN. Force everything to use the proxy or else they don't get to talk.
Thanks for the article. I now see that the main purpose of their proxy is to lower the bandwidth required, which may or may not speed up browsing but should lower bandwidth used on mobile.
Sir I am little confused here, blocking port 80/443 with anti-lockout rule disabled or with anti-lockout rule enabled? :-\
-
blocking port 80/443 with anti-lockout rule disabled or with anti-lockout rule enabled?
Keep the anti-lockout rule enabled and put the blocks below it.
-
@KOM:
blocking port 80/443 with anti-lockout rule disabled or with anti-lockout rule enabled?
Keep the anti-lockout rule enabled and put the blocks below it.
It is still managing to pass the firewall.
I have attached the screenshots of the rules I have entered, kindly let me know if I have erred in the rules.After the blocking of port 80/443 I have added IP of our DNS server and blocked rest of them in the next rule.
I have configured NAT or you can say I am Port forwarding the traffic to 3128(HTTP) and 3129(HTTPS)
