Block internet access for kids, but allow FaceTime (on port 80)
-
Hi everyone. Love pfsense!
I have managed to set up a schedule that blocks outgoing Internet traffic on port 80/443 for my kids' devices in a certain timeframe.
However, I would like them to be able to use services like FaceTime anytime, but when the schedule is in effect this is blocked as well, as it also uses port 80.
Is it possible somehow to allow FaceTime / a special URL to go through even though the "block port 80" firewall rule is in effect?
Thanks for any pointers to where I can read up on this, or if someone knows how to do it, a simple instruction would be fantastic!
Thanks :)
/Bjokib
-
Found this with a quick Google on Apple's support page. Based on this you should be able to create the necessary firewall rules.
https://support.apple.com/lt-lt/HT202078

FaceTime:
80 (TCP)
443 (TCP)
3478 to 3497 (UDP)
5223 (TCP)
16384 to 16387 (UDP)
16393 to 16402 (UDP)

iMessage:
80 (TCP)
443 (TCP)
5223 (TCP)
-
If you have the destination FQDN to use in an alias, or the IP blocks that would be used… If you allow 80/443, then you would be able to go anywhere on the internet.
You might be able to do something with the new OpenAppID filtering in Snort that pfSense recently rolled out.
https://www.netgate.com/blog/application-detection-on-pfsense-software.html
-
If you want to use a belt & braces approach, Apple's ASNs are AS714 & AS6185, or that's what ntopng is telling me :)
Looks like they use 17.0.0.0/8 mainly, IPv4-wise:
whois -h whois.radb.net -- '-i origin AS714' | grep ^route:    should give you all the IPv4 subnets assigned to AS714
whois -h whois.radb.net -- '-i origin AS714' | grep ^route6:   should give you all the IPv6 subnets assigned to AS714
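To turn that whois output into something pfSense can consume, here is an added example (not from this thread, not pfSense code) that parses the route:/route6: attributes of RADB route objects, collapses overlapping prefixes, and checks whether an address falls inside the result. The whois text embedded in it is constructed sample data built around the 17.0.0.0/8 block named above plus documentation prefixes; the real list comes from the whois command above. The one-prefix-per-line output is the format a pfSense URL Table alias fetches.

```python
"""Turn 'whois -h whois.radb.net -- -i origin ASxxx' output into a prefix list.

Added example, not from the thread: parses route:/route6: attributes,
collapses overlapping prefixes and checks membership. SAMPLE_WHOIS below is
CONSTRUCTED (17.0.0.0/8 from the thread plus documentation prefixes), not
real AS714 data; feed it the real whois output instead.
"""
import ipaddress
import re

# Constructed sample of RADB route objects. The bad /33 line is there to show
# that malformed entries are skipped instead of silently widening the alias.
SAMPLE_WHOIS = """\
route:          17.0.0.0/8
descr:          Apple (constructed sample)
origin:         AS714
source:         RADB

route:          17.253.0.0/16
descr:          more-specific inside the /8 (constructed sample)
origin:         AS714
source:         RADB

route:          17.0.0.0/33
descr:          malformed entry (constructed sample)
origin:         AS714
source:         RADB

route6:         2001:db8::/32
descr:          IPv6 documentation prefix (constructed sample)
origin:         AS714
source:         RADB
"""

# route: or route6: at the start of a line, then the prefix
ROUTE_RE = re.compile(r"^route6?:[ \t]*(\S+)[ \t]*$", re.MULTILINE)


def parse_routes(whois_text):
    """Return (ipv4_networks, ipv6_networks), overlaps collapsed.

    collapse_addresses() folds 17.253.0.0/16 into 17.0.0.0/8, so the alias
    carries no redundant entries. Invalid prefixes are dropped.
    """
    v4, v6 = [], []
    for prefix in ROUTE_RE.findall(whois_text):
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            continue
        (v4 if net.version == 4 else v6).append(net)
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def alias_file(whois_text):
    """One prefix per line: what a pfSense URL Table alias fetches."""
    v4, v6 = parse_routes(whois_text)
    return "".join(f"{net}\n" for net in v4 + v6)


def covered_by(nets, address):
    """True if address is inside any prefix of the list."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets if net.version == ip.version)


if __name__ == "__main__":
    v4, v6 = parse_routes(SAMPLE_WHOIS)
    print(alias_file(SAMPLE_WHOIS), end="")
    # 17.252.12.103 is a STUN peer seen later in this thread;
    # 82.132.218.179 is the other phone's carrier address and must not match.
    for addr in ("17.252.12.103", "82.132.218.179"):
        print(addr, "in alias:", covered_by(v4, addr))
```

Publish the file on a web server you control and point a URL Table alias at it, then use that alias as the destination of the allow rule; the alias refreshes on its own schedule, so the rule follows Apple's announcements without hand edits.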
-
Thanks
So I added a rule that allowed the entire Apple network / 17.0.0.0/8 below the deny rules but that didn't work. The Apple stuff was still blocked.
Not sure if I am thinking about this the correct way. Want to have it as neat as possible, and scheduled.
-
What do you have in the source? The networks? It doesn't work that way…
Rules are evaluated top down; the first rule to trigger wins and no other rules are evaluated. Source on LAN would never be anything other than LAN net. Dest would be the Apple networks.
-
I have set it up like this (see screenshot) but it doesn't work. It blocks all traffic. Even traffic to Apple services / sites.
-
I'd be tempted to change the protocol in the rule to any.
Otherwise create an any any firewall rule for one of the devices with logging enabled, place it right at the top and try FaceTime.
Then look at the logs or do a packet capture using an iDevice IP address and run it through wireshark.
-
(see screenshot)
You only allow TCP traffic. If goa200 is correct, then you have to allow UDP for Apple IPs as well.
If you're lazy, then use protocol *
-
Just did a packet capture from my guest network and did a Facetime call to myself on the user network.
I can see STUN packets.
xx.xx.xx.xx = my WAN IP address
172.16.3.100 = iphone in guest network
172.16.2.42 = iDevice in user network
IPv4 Statistics/Destinations and Ports (Average, Min val and Max val columns were empty and are omitted):

Topic / Item               Count   Rate (ms)  Percent   Burst rate  Burst start
Destinations and Ports       837   0.0302     100%      0.3100      19.694
  xx.xx.xx.xx                 14   0.0005     1.67%     0.0300      0.313
    UDP                       14   0.0005     100.00%   0.0300      0.313
      61409                    8   0.0003     57.14%    0.0100      19.851
      32383                    2   0.0001     14.29%    0.0100      0.313
      24463                    2   0.0001     14.29%    0.0100      0.313
      17597                    2   0.0001     14.29%    0.0100      0.313
  82.132.218.179               8   0.0003     0.96%     0.0100      19.854
    UDP                        8   0.0003     100.00%   0.0100      19.854
      46599                    8   0.0003     100.00%   0.0100      19.854
  224.0.0.251                  6   0.0002     0.72%     0.0100      2.849
    UDP                        6   0.0002     100.00%   0.0100      2.849
      5353                     6   0.0002     100.00%   0.0100      2.849
  172.16.3.100               379   0.0137     45.28%    0.1200      26.472
    UDP                      379   0.0137     100.00%   0.1200      26.472
      61409                    8   0.0003     2.11%     0.0100      19.851
      32383                    2   0.0001     0.53%     0.0100      0.313
      24463                    2   0.0001     0.53%     0.0100      0.313
      17597                    2   0.0001     0.53%     0.0100      0.313
      16403                    7   0.0003     1.85%     0.0300      0.251
      16402                    1   0.0000     0.26%     0.0100      14.869
      16393                  357   0.0129     94.20%    0.1200      26.472
  172.16.3.1                   6   0.0002     0.72%     0.0100      22.748
    NONE                       6   0.0002     100.00%   0.0100      22.748
      0                        6   0.0002     100.00%   0.0100      22.748
  172.16.2.42                404   0.0146     48.27%    0.2200      19.724
    UDP                      404   0.0146     100.00%   0.2200      19.724
      16393                  404   0.0146     100.00%   0.2200      19.724
  17.252.12.103               12   0.0004     1.43%     0.0600      19.636
    UDP                       12   0.0004     100.00%   0.0600      19.636
      3495                    12   0.0004     100.00%   0.0600      19.636
  17.178.104.99                1   0.0000     0.12%     0.0100      14.732
    UDP                        1   0.0000     100.00%   0.0100      14.732
      16384                    1   0.0000     100.00%   0.0100      14.732
  17.173.254.223               3   0.0001     0.36%     0.0100      0.158
    UDP                        3   0.0001     100.00%   0.0100      0.158
      16386                    3   0.0001     100.00%   0.0100      0.158
  17.173.254.222               4   0.0001     0.48%     0.0200      0.158
    UDP                        4   0.0001     100.00%   0.0200      0.158
      16385                    2   0.0001     50.00%    0.0100      0.158
      16384                    2   0.0001     50.00%    0.0100      0.158
-
Seems to work with protocol any.
I'd do the schedule like my second attachment, where 172.16.3.100 is the iDevice IP or an alias that contains multiple IP addresses.
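The three points the replies hinge on (rules are evaluated top down and the first match wins; the Apple allow must cover UDP, not just TCP; the block is gated by a schedule) can be checked without touching the firewall. Below is an added example, not from this thread and not pfSense code, that replays those semantics over the flows seen in the capture above. The block window, the kids alias, the "first attempt" rule layout (the screenshots are not in the thread) and the two web flows are assumptions, labelled as such in the code; the Apple addresses and UDP ports come from the capture.

```python
"""Replay pfSense-style first-match rule evaluation over the captured flows.

Added example, not from the thread and not pfSense code. It models only what
the replies rely on: top-down evaluation, first match wins, a rule with an
inactive schedule is skipped, and a flow matching nothing hits an assumed
final deny. SCHEDULE, KIDS, the rule layouts and the two constructed flows
are assumptions; the Apple peers and UDP ports are from the capture.
"""
import ipaddress
from dataclasses import dataclass
from datetime import time

KIDS = frozenset({"172.16.3.100"})          # assumed alias: the kids' iPhone
APPLE = ipaddress.ip_network("17.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB = frozenset({80, 443})
SCHEDULE = (time(20, 0), time(7, 0))        # assumed block window, wraps midnight


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: str = "any"               # "tcp", "udp" or "any"
    dst: ipaddress.IPv4Network = ANY
    dports: frozenset = frozenset()  # empty means any destination port
    scheduled: bool = False          # active only inside SCHEDULE when True


def schedule_active(now):
    start, end = SCHEDULE
    if start <= end:
        return start <= now < end
    return now >= start or now < end         # window wraps past midnight


def matches(rule, flow, now):
    if rule.scheduled and not schedule_active(now):
        return False                          # inactive scheduled rule is skipped
    if flow.src not in KIDS:
        return False                          # every rule here targets the kids alias
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.dst) not in rule.dst:
        return False
    return not rule.dports or flow.dport in rule.dports


def evaluate(rules, flow, now):
    """Action of the first matching rule; no match = assumed implicit deny."""
    for rule in rules:
        if matches(rule, flow, now):
            return rule.action
    return "block"


# Assumed reading of the first attempt: Apple allow BELOW the scheduled block,
# TCP only, and no catch-all allow.
FIRST_ATTEMPT = [
    Rule("block", dports=WEB, scheduled=True),
    Rule("pass", proto="tcp", dst=APPLE),
]

# What the replies argue for: Apple allow on top with protocol any, then the
# scheduled block, then the usual allow for everything else.
FIXED = [
    Rule("pass", dst=APPLE),
    Rule("block", dports=WEB, scheduled=True),
    Rule("pass"),
]

FLOWS = {
    # from the capture: STUN and media to Apple, media to the other phone's carrier address
    "stun":     Flow("172.16.3.100", "17.252.12.103", "udp", 3495),
    "media":    Flow("172.16.3.100", "17.178.104.99", "udp", 16384),
    "p2p":      Flow("172.16.3.100", "82.132.218.179", "udp", 46599),
    # constructed: 443 (on Apple's port list) to an Apple address from the capture
    "apple443": Flow("172.16.3.100", "17.173.254.222", "tcp", 443),
    # constructed: ordinary browsing to a non-Apple host (documentation address)
    "web":      Flow("172.16.3.100", "198.51.100.10", "tcp", 443),
}


def verdicts(rules, now):
    return {name: evaluate(rules, flow, now) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("first attempt", FIRST_ATTEMPT), ("fixed", FIXED)):
        for clock in (time(21, 0), time(12, 0)):
            print(f"{label:14s} {clock}: {verdicts(rules, clock)}")
```

In the first layout the 443 flow to Apple dies on the scheduled block before the Apple allow is ever consulted, and the STUN/media flows never match a TCP-only allow at all; in the fixed layout everything to 17.0.0.0/8 passes at any hour while non-Apple 80/443 is blocked only inside the window. The p2p entry is worth noting: the call media between the two phones runs on high UDP ports, so a block on 80/443 never touched it in the first place.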