Cara blok aplikasi ultra surf

maruboy

Alo teman2

ada yang tau cara, ngeblok aplikasi ultra surf di pfsense ? mohon info nya yah
Terima Kasih

ipoelnet

@maruboy:

Alo teman2

ada yang tau cara, ngeblok aplikasi ultra surf di pfsense ? mohon info nya yah
Terima Kasih

unt Ultrasurf (https 443), dan skypi - ip acak, lihat di post http://forum.pfsense.org/index.php/topic,18815.msg106475.html#msg106475

This post will explain a quick and dirt method to block Skype for some user, but avoid to block access to https urls not defined as FQDN.

This post assume that your client have non direct Internet access and must pass trough your Squid Proxy Server to have an external connection.
This Post assume your local network is 192.168.1.0/24
This post assume you want to give SKYPE access to IPs from 192.168.1.100 to 192.168.1.200 and you want to give internet access to all your network.

Obviously you MUST change the IPs based on your REAL network configuration.

In the following configuration, I’m going to create some ACL to define my networks, the skype connection method, skype connections destinations and create a sort of WhiteList that could fill in with some exceptions to avoid https connection problems.

The WhiteList file is /etc/squid/https_url_allowed and you can fill in with a single ip address for line, example :

proxy:~ # cat /etc/squid/https_url_allowed

aaa.bbb.ccc.ddd
eee.fff.ggg.hhh
iii.jjj.kkk.lll
mmm.nnn.ooo.ppp
qqq.rrr.sss.ttt
uuu.vvv.www.xxx

proxy:~ #

All the following lines is in the main SquidProxy Configuration file, usually /etc/squid/squid.conf

# Declare an ACL to catch ALL
   acl all src 0.0.0.0/0.0.0.0
   # Define an ACL to define my local network
   acl mynetworks src 192.168.1.0/24
   # Define an ACL to have some IPs that can connect to SKYPE
   acl skype_users src 192.168.1.100-192.168.1.200
   # Define a CONNECT acl for the CONNECT method
   acl CONNECT method CONNECT

# Define an ACL for the URLs composed only of numbers, not FQDN
   acl skype_url url_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+

# Define an ACL for use URLs composed only of numbers, not FQDN
   acl https_url_allowed url_regex -i “/etc/squid/https_url_allowed”

# Allow SKYPE access for the group “skype_users”
   http_access allow CONNECT skype_url skype_users

# Allow https access for IP Addresses defined in “/etc/squid/https_url_allowed”
   http_access allow CONNECT https_url_allowed

# Deny Access to SKYPE and all other
   http_access deny CONNECT skype_url

# Allow Internet access to all “mynetworks”
   http_access allow mynetworks

# And finally deny all other access from this proxy
   http_access deny all

At this point you can restart squid an check if all works with :

/etc/init.d/squid restart

Hope this help

Bye
Riccardo

Trims,

111ichael

klo squidnya transparent gimana cara ngaturnya??