Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Help Me!! I need block download for extensions HTTP , FTP AND….

    Scheduled Pinned Locked Moved pfSense Packages
    13 Posts 5 Posters 9.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      felipeortega
      last edited by

      Hello everyone

      I doubt if it is possible to perform these questions using pfSense:

      1 -Control of what is being done on my network (using proxyweb, etc..) Report and online.com by hostname, IP, MAC Address;

      2- Control of downloads and uploads (HTTP and FTP) by time, size and file extensions;

      3- Block Torrent (P2P) in the entire network;

      If someone how to resolve these questions could explain to me how to proceed?

      "As pessoas raramente reconhecem a oportunidade porque ela surge disfarçada em trabalho árduo."

      1 Reply Last reply Reply Quote 0
      • M
        Metu69salemi
        last edited by

        I think that three packages do all your requirements with flying colors: Squid, Squidguard(or lightsquid) & Snort. Search these and you'll end up finding a lot of info

        1 Reply Last reply Reply Quote 0
        • F
          felipeortega
          last edited by

          Thanks for the help friend

          and the control extension by ftp?
          example

          I forbid you to download zip and exe extensions are made via FTP the rest is released

          "As pessoas raramente reconhecem a oportunidade porque ela surge disfarçada em trabalho árduo."

          1 Reply Last reply Reply Quote 0
          • M
            Metu69salemi
            last edited by

            I think that you should wait answers from other ones. I can't tell how to configure this, but it might need l4 and l7 all together

            1 Reply Last reply Reply Quote 0
            • F
              felipeortega
              last edited by

              ???

              There is the possibility of blocking the ftp squid? If you have to make these settings?

              "As pessoas raramente reconhecem a oportunidade porque ela surge disfarçada em trabalho árduo."

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Squid is an http proxy it will not help you with ftp.
                You would need to use something like ftp-proxy, although I don't think that allows file type control.

                Steve

                Edit: Looks like I'm wrong.  :-[
                Squid does have some ftp features.

                1 Reply Last reply Reply Quote 0
                • F
                  felipeortega
                  last edited by

                  Seeking information on the internet I see many people saying it's possible but have not found how.
                  I found this site I tried the process but without success
                  http://www.labtestproject.com/linux_network/step_by_step_enable_ftp_on_squid_proxy_in_linux_fedora_10.html
                  PfSense does not exist in a way to accomplish this process?

                  "As pessoas raramente reconhecem a oportunidade porque ela surge disfarçada em trabalho árduo."

                  1 Reply Last reply Reply Quote 0
                  • J
                    jigpe
                    last edited by

                    You cannot block ftp file extensions. Solutions 1: disable default port to any and just open ports 80/443/53. 2: Use traffic shaper to  slow down the download.

                    Hope this help.

                    jigp

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      Which part of those instructions could you not do?
                      Are you usign the squid 3 package?

                      Steve

                      1 Reply Last reply Reply Quote 0
                      • F
                        felipeortega
                        last edited by

                        Thanks for the replies

                        Yes I have to block extension and it worked!
                        I got through the layer 7
                        I am now with the following difficulty
                        How to Block UltraSurf program
                        there is a PAT to include Layer 7 to block?
                        To block success got to block port 443 but that brings me more trouble than I want

                        "As pessoas raramente reconhecem a oportunidade porque ela surge disfarçada em trabalho árduo."

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          Just to confirm: you can block ftp download of specific file types with Squid 3?

                          Ultrasurf is designed to bypass firewalls so it's very difficult to block. It presumably connects to a proxy server using port 443 since that is almost always unblocked for SSL. The connection is encrypted so it's very hard to use layer 7 filtering. Why are you blocking it?

                          Steve

                          Edit: The first hit on Google throws up some useful info though.

                          1 Reply Last reply Reply Quote 0
                          • marcellocM
                            marcelloc
                            last edited by

                            @jigpe:

                            Solutions 1: disable default port to any and just open ports 80/443/53. 2: Use traffic shaper to  slow down the download.

                            Hope this help.

                            jigp

                            Do not open any port, including 53.

                            your network use your local dns and a proxy server.

                            set access to 53  only from dns server

                            Create a rule to allow traffic for proxy server port 3128 if you are using squid.
                            Create a l7 rule to cathc p2p traffic with 1kbps
                            if you block p2p, the client will try to use your squid. if you limit p2p the client will try to use it.

                            And at squid.conf edit safe ports to allow only ports you know 80,443, etc exlcude the port range 1024-65535

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            1 Reply Last reply Reply Quote 0
                            • F
                              felipeortega
                              last edited by

                              Steve thanks for the help

                              As you know the squid3 not confirmed! The lock so I could do for l7.

                              About UltraSurf had already read that document but so far the only way I found to be successful in blocking was blocking all networks.
                              99.224.0.0/11
                              63.241.6.64/28
                              63.242.0.0/16
                              63.240.0.0/15
                              218.168.0.0/16
                              125.176.0.0/12
                              122.118.0.0/16
                              69.64.144.0/20
                              211.109.128.0/24
                              59.120.0.0/14
                              59.112.0.0/13
                              97.112.0.0/13
                              71.192.0.0/12
                              219.137.112.224/27
                              203.112.80.0/20
                              162.138.0.0/16
                              170.201.0.0/16
                              156.40.0.0/16
                              61.224.0.0/14
                              61.220.0.0/14
                              59.120.0.0/14
                              59.112.0.0/13
                              220.136.0.0/13
                              220.132.0.0/14
                              220.130.0.0/15
                              220.129.0.0/16
                              118.168.0.0/16
                              122.120.0.0/13
                              118.168.0.0/16
                              122.120.0.0/13
                              71.208.0.0/12
                              61.231.0.0/16
                              218.160.0.0/16
                              61.62.74.0/24
                              72.25.64.0/18
                              66.245.192.0/18
                              64.62.138.0/25
                              64.62.128.0/17
                              125.224.0.0/13

                              Work but is not an efficient method because tomorrow there may be a new network.

                              "As pessoas raramente reconhecem a oportunidade porque ela surge disfarçada em trabalho árduo."

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.