Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Bypass rules for Netflix AWS servers?

    Scheduled Pinned Locked Moved Firewalling
    22 Posts 4 Posters 6.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      FlashEngineer
      last edited by

      Not easy to just allow device since netflix is use on mobile devices and desktop machines.

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        To log a rule, edit it and check the little box that log near bottom of the form.

        logrule.png
        logrule.png_thumb

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • F
          FlashEngineer
          last edited by

          Checked, and somehow pfsense fails to filter out rule, maybe there's a limit on how many networks you can have?

          One specific example I checked from firewall logs:

          S:  10.1.1.2:45900   D:  50.112.127.218:443   TCP:S

          In my alias rules there is one line:

          50.112.0.0/17

          /17 = 50.112.0.1 to 50.112.127.254, clearly that IP falls into the range.

          So I chalk this up to either too large of alias network list or pfsense bug.

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            Would seem odd for something to get missed, is that entry at the end of the list where might not of gotten loaded like you said if the alias list is too long?

            Where did you come up with the /17, I show amazon owning that whole /16

            NetRange:      50.112.0.0 - 50.112.255.255
            CIDR:          50.112.0.0/16
            NetName:        AMAZON-EC2-USWESTOR

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • F
              FlashEngineer
              last edited by

              @johnpoz:

              Would seem odd for something to get missed, is that entry at the end of the list where might not of gotten loaded like you said if the alias list is too long?

              Where did you come up with the /17, I show amazon owning that whole /16

              NetRange:      50.112.0.0 - 50.112.255.255
              CIDR:          50.112.0.0/16
              NetName:        AMAZON-EC2-USWESTOR

              Line 2550 out of 3409 in the lastest version of this alias I'm testing.

              So not really near the end.

              I use https://ipinfo.io/ and filter by ASN after I find an IP address that's not part of current list of ASN.

              Not sure another way to do this but it seems hopeless as 3400+ networks is crazy enough.

              I'm pretty sure netflix doesn't use all of them to host, but problem is finding which ones are used for Canada.

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                well you could log the traffic and just open up the networks that are being blocked for netflix.

                Still a bit hazy on what your trying to do exactly?  Why do you want these devices to only use netflix and nothing else?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • F
                  FlashEngineer
                  last edited by

                  @johnpoz:

                  well you could log the traffic and just open up the networks that are being blocked for netflix.

                  Still a bit hazy on what your trying to do exactly?  Why do you want these devices to only use netflix and nothing else?

                  It's dynamic though, that's why another post on reddit someone used ASN to filter out the whole range of networks.

                  I don't want to block it, I just want any device streaming netflix to not use a VPN gateway, obviously because netflix blocks any VPN usage.

                  It's really horrible how people that want to use netflix, will have to disable their security for internet use so that netflix satisfies the content providers aging concepts of geographical rules.

                  It would be simpler for netflix just to match the billing country with access of that account so people could use a VPN in same country.

                  What's stopping me from hosting my pfsense firewall as a OpenVPN server for friends/family who aren't in Canada to watch netflix?

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    "obviously because netflix blocks any VPN usage."

                    They don't block all vpn usage, they only block vpn providers they know about ;)

                    How exactly are you using your vpn as security?  You feel that your isp is spying on you?  So you want to tunnel your traffic past your isp?  Your willing to not hide your netflix traffic it seems ;)

                    So why don't you just tunnel the specific dest you want to hide from your isp down the vpn.. This would be a simpler solution then try and map out the huge CDN that could be used to serve netflix and not send that down the tunnel.

                    I could see using a vpn if your on network that is open, say a hotspot or something..  But I really don't get the desire to hide all your traffic from your isp.  Seems your making your life difficult for what exactly?  Hiding that you go to pfsense.org from your isp??

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • F
                      FlashEngineer
                      last edited by

                      Snowden

                      :)

                      It's not that I have something to hide, but I don't want my traffic/logs/generated data to be analyzed if not now, but in the future by my government and at that time deemed to be flagged for investigation.

                      Lots of good info on here:

                      http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html

                      If I'm at a hotspot, I would just use my pfsense VPN to login and not bother with the other providers as even my VPN server has VPN gateway.

                      I don't believe in the concept of "If you have nothing to hide, then why hide it"

                      @johnpoz:

                      "obviously because netflix blocks any VPN usage."

                      They don't block all vpn usage, they only block vpn providers they know about ;)

                      How exactly are you using your vpn as security?  You feel that your isp is spying on you?  So you want to tunnel your traffic past your isp?  Your willing to not hide your netflix traffic it seems ;)

                      So why don't you just tunnel the specific dest you want to hide from your isp down the vpn.. This would be a simpler solution then try and map out the huge CDN that could be used to serve netflix and not send that down the tunnel.

                      I could see using a vpn if your on network that is open, say a hotspot or something..  But I really don't get the desire to hide all your traffic from your isp.  Seems your making your life difficult for what exactly?  Hiding that you go to pfsense.org from your isp??

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        You do understand your just handing over all your traffic to the vpn provider ;)  And they very well could be handing over all of that info to your gov, or the ninjas in black..

                        Your not really hiding what your doing with a vpn, your just moving the unencrypted endpoint of your traffic to a different spot.. Seems to me your going to a lot of headache for no real reason to be honest.

                        Most of your traffic should be encrypted these days anyway.. So all your isp would know is that you talked to this IP via https for example.. What you did in that tunnel would be anyones guess.

                        As to if the gov wanted to spy on you.. Pretty sure they would just infect your machines and get all the info they wanted right from the source..

                        I am all for the encryption of traffic to and from 2 people..  For example your isp doesn't really need to know what you ordered off amazon just by sniffing the traffic at their router..  But trying to hide the fact that you went to amazon from your isp is a bit over the top if you ask me.

                        Good luck mapping out the thousands of networks that neflix might use to serve up their content..  Which most likely changes by the hour..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • A
                          AR15USR
                          last edited by

                          @OP: You wouldn't happen to be running Squid would you?


                          2.6.0-RELEASE

                          1 Reply Last reply Reply Quote 0
                          • F
                            FlashEngineer
                            last edited by

                            @johnpoz:

                            You do understand your just handing over all your traffic to the vpn provider ;)  And they very well could be handing over all of that info to your gov, or the ninjas in black..

                            Your not really hiding what your doing with a vpn, your just moving the unencrypted endpoint of your traffic to a different spot.. Seems to me your going to a lot of headache for no real reason to be honest.

                            Most of your traffic should be encrypted these days anyway.. So all your isp would know is that you talked to this IP via https for example.. What you did in that tunnel would be anyones guess.

                            As to if the gov wanted to spy on you.. Pretty sure they would just infect your machines and get all the info they wanted right from the source..

                            I am all for the encryption of traffic to and from 2 people..  For example your isp doesn't really need to know what you ordered off amazon just by sniffing the traffic at their router..  But trying to hide the fact that you went to amazon from your isp is a bit over the top if you ask me.

                            Good luck mapping out the thousands of networks that neflix might use to serve up their content..  Which most likely changes by the hour..

                            It's more for real time decryption of traffic.  NSA is able to decrypt even some OpenVPN and most HTTPS traffic.  Going through a VPN at least there's a bit more encryption using 128AES or whatever encryption they offer.

                            1 Reply Last reply Reply Quote 0
                            • F
                              FlashEngineer
                              last edited by

                              @AR15USR:

                              @OP: You wouldn't happen to be running Squid would you?

                              Nope nothing.

                              1 Reply Last reply Reply Quote 0
                              • J
                                JasonJoel
                                last edited by

                                @FlashEngineer:

                                @johnpoz:

                                You do understand your just handing over all your traffic to the vpn provider ;)  And they very well could be handing over all of that info to your gov, or the ninjas in black..

                                Your not really hiding what your doing with a vpn, your just moving the unencrypted endpoint of your traffic to a different spot.. Seems to me your going to a lot of headache for no real reason to be honest.

                                Most of your traffic should be encrypted these days anyway.. So all your isp would know is that you talked to this IP via https for example.. What you did in that tunnel would be anyones guess.

                                As to if the gov wanted to spy on you.. Pretty sure they would just infect your machines and get all the info they wanted right from the source..

                                I am all for the encryption of traffic to and from 2 people..  For example your isp doesn't really need to know what you ordered off amazon just by sniffing the traffic at their router..  But trying to hide the fact that you went to amazon from your isp is a bit over the top if you ask me.

                                Good luck mapping out the thousands of networks that neflix might use to serve up their content..  Which most likely changes by the hour..

                                It's more for real time decryption of traffic.  NSA is able to decrypt even some OpenVPN and most HTTPS traffic.  Going through a VPN at least there's a bit more encryption using 128AES or whatever encryption they offer.

                                While I'm not at liberty give details on what can/can't be decrypted - I can assure you VPN can, and is, decrypted at times - and it certainly doesn't take the NSA's resources to do it.

                                1 Reply Last reply Reply Quote 0
                                • A
                                  AR15USR
                                  last edited by

                                  While I'm not at liberty give details on what can/can't be decrypted - I can assure you VPN can, and is, decrypted at times - and it certainly doesn't take the NSA's resources to do it.

                                  Not doubting you, but I'd like to see proof of that…


                                  2.6.0-RELEASE

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    JasonJoel
                                    last edited by

                                    Go to blackhat this summer, there are always interesting proof of concepts there.

                                    The issue is that it isn't practical for most to do in brute force. It is much easier to crack/get the VPN password from a client and then decrypt natively via interception. Obviously that is a multi-step / multi-factor circumvention of the encrypted tunnel, but still possible.

                                    VPN is still useful, and still overall effective. It just isn't 100% guaranteed to be such if you have a determined attacker. But for anything else it can hold up (unless they compromise one of your VPN endpoint/clients directly… ;) ).

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.