Allow only Viber connection, and block all other connection



  • Hi!

    Can I ask, on how I can set our Pfsense to allow only Viber connection, and block all other connections?

    TIA!

    ast


  • Netgate Administrator

    It would be difficult to do that since it looks like it requires port 443. Once you've opened that many other services will be able to use it.
    You could attempt to block other applications using OpenAppID/Snort. I would not be confident you could block everything though.

    Steve



  • Hi!

    Thanks for replying!

    I think I was able to achieve this via allow all viber connections (via viber's ip range, and ports thats needs to be open), and then followed by block all connections from the specified group of devices.

    My problem now is that messaging is ok, receiving photos is ok, but sending photos won't push thru....I need to know whats causing the "blocking' of sending photos. Hope someone can help.

    Thanks!

    Regards,

    Alvin



  • Further testing show, we can only send text Viber messages. voice calls, video calls, and sharing of photos won't go thru our Pfsense. Would really appreciate it if anyone know what we need to "allow" in order to have a full functioning Viber.

    TIA!

    ast


  • Netgate Administrator

    Enable logging on the block rule then run a test and check the firewall logs to see what is blocked.

    I would imagine Viber use a very larger number of IPs and that they may change often which makes that difficult.

    Steve



  • @stephenw10 Hi!

    Thanks for the tip of logging the block rule, but can i know how to check the log of the block rule? Or how to enable logging?

    TIA!

    ast


  • Netgate Administrator

    Enabling logging is an option in the firewall rule. Edit the rule and scroll down to 'Extra Options. Check Log packets that are handled by this rule.

    Traffic that is logged appears int he firewall log: Status > System Logs > Firewall tab.

    Steve



  • @stephenw10 Hi Steve!

    Thanks a lot for the info! Will try this out when I get back to the office.

    ast



  • I was able to remote access our Pfsense box, I was able to enable the logging before :) is there a way to view the firewall log in a way that only the concerned rule will only show?


  • Netgate Administrator

    Not directly from the GUI. However you could get more detailed by testing from one particular client and then filtering by that source IP.

    Steve



  • @stephenw10 Hi!

    Yes I was able to filter by only the concerned source IP, was hoping that I can sort for only the concerned blocked rule to narrow down.

    ast


  • Netgate Administrator

    What other rules to you have blocking traffic from that client? If I understood correctly only traffic you are passing with your rule to allow Viber should pass. Everything else from that client will be hitting the block rule so all blocked traffic from that IP in the firewall log should be hitting that rule.

    Steve



  • Yes, only Viber connection are being passed, all other connections are blocked.

    As of now, Viber messages are passing thru with no problems.

    Only problem: Viber photo/video sharing, and Viber voice at video calls are not passing thru.

    I can see Viber connections to amazonaws.com and cloudfront.net which i already added to the allowed connections. Just don't know if this is the needed open connection, and don't know if I'm doing it right. :(


  • Netgate Administrator

    Well, as I said earlier, it's going to be difficult to achieve this using only firewall rules.

    Viber likely has a large CDN to host that sort of content with a very large number of IPs. If they use port 443 (which they claim to need) it will be hard to prevent clients using that for general web browsing etc.

    Steve



  • As of now, I think was able to achieve this firewall rule/s....what I did was allow the target devices to connect to Amazonaws.com IP Range, firewall alias URL's....so allowing connections to Viber.com, allowing connections to Amazonaws, then blocking everything else. The tricky part is Amazonaws got a couple of ASN.

    Thanks a lot for your help Stephen!


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy