Netgate Discussion Forum
Help me!! I need to block downloads by extension over HTTP, FTP and…

Category: pfSense Packages
13 Posts, 5 Posters, 9.4k Views
    felipeortega (posted Aug 4, 2011, 8:21 PM; last edited Aug 4, 2011, 8:23 PM)

    Hello everyone

    I am not sure whether it is possible to do these things using pfSense:

    1 - Control of what is being done on my network (using a web proxy, etc.), with reports, online, by hostname, IP and MAC address;

    2- Control of downloads and uploads (HTTP and FTP) by time, size and file extensions;

    3- Block Torrent (P2P) in the entire network;

    If someone knows how to resolve these questions, could you explain to me how to proceed?

    "People rarely recognize opportunity because it comes disguised as hard work."

    Metu69salemi (Aug 4, 2011, 8:24 PM)

      I think that three packages do all your requirements with flying colors: Squid, SquidGuard (or LightSquid) & Snort. Search for these and you'll end up finding a lot of info.

      felipeortega (Aug 5, 2011, 1:59 PM)

        Thanks for the help, friend.

        And the extension control for FTP?
        Example:

        I forbid the download of zip and exe extensions when done via FTP; the rest is allowed.

        Metu69salemi (Aug 5, 2011, 7:49 PM)

          I think that you should wait for answers from others. I can't tell you how to configure this, but it might need L4 and L7 all together.

          felipeortega (Aug 10, 2011, 12:15 PM)

            ???

            Is there a possibility of blocking FTP with Squid? If so, how do I make these settings?

            stephenw10, Netgate Administrator (posted Aug 10, 2011, 12:55 PM; last edited Aug 10, 2011, 1:01 PM)

              Squid is an HTTP proxy; it will not help you with FTP.
              You would need to use something like ftp-proxy, although I don't think that allows file type control.

              Steve

              Edit: Looks like I'm wrong. :-[
              Squid does have some FTP features.

              felipeortega (Aug 10, 2011, 2:52 PM)

                Searching for information on the internet, I see many people saying it's possible, but I have not found how.
                I found this site and tried the process, but without success:
                http://www.labtestproject.com/linux_network/step_by_step_enable_ftp_on_squid_proxy_in_linux_fedora_10.html
                Is there no way in pfSense to accomplish this process?

                jigpe (Aug 14, 2011, 2:01 AM)

                  You cannot block FTP file extensions. Solutions: 1: disable the default "any" port rule and just open ports 80/443/53. 2: Use the traffic shaper to slow down the download.

                  Hope this helps.

                  jigp

                    stephenw10, Netgate Administrator (Aug 14, 2011, 10:06 AM)

                    Which part of those instructions could you not do?
                    Are you using the squid 3 package?

                    Steve

                      felipeortega (Aug 15, 2011, 11:35 AM)

                      Thanks for the replies.

                      Yes, I had to block the extension, and it worked!
                      I did it through Layer 7.
                      I now have the following difficulty:
                      how to block the UltraSurf program.
                      Is there a pattern to include in Layer 7 to block it?
                      To block it successfully I had to block port 443, but that brings me more trouble than I want.

                        stephenw10, Netgate Administrator (Aug 15, 2011, 12:08 PM)

                        Just to confirm: you can block FTP download of specific file types with Squid 3?

                        Ultrasurf is designed to bypass firewalls, so it's very difficult to block. It presumably connects to a proxy server using port 443, since that is almost always unblocked for SSL. The connection is encrypted, so it's very hard to use layer 7 filtering. Why are you blocking it?

                        Steve

                        Edit: The first hit on Google throws up some useful info though.

                          marcelloc (Aug 15, 2011, 3:55 PM)

                          @jigpe wrote:

                              Solutions: 1: disable the default "any" port rule and just open ports 80/443/53. 2: Use the traffic shaper to slow down the download.

                              Hope this helps.

                              jigp

                          Do not open any port, including 53.

                          Your network uses your local DNS and a proxy server.

                          Set access to port 53 only from the DNS server.

                          Create a rule to allow traffic to the proxy server port 3128 if you are using squid.
                          Create an L7 rule to catch P2P traffic and limit it to 1 kbps.
                          If you block P2P, the client will try to use your squid; if you limit P2P, the client will keep trying to use it.

                          And in squid.conf, edit the safe ports to allow only ports you know (80, 443, etc.); exclude the port range 1024-65535.

                          Elite Training: http://sys-squad.com

                          Help a community developer! ;D

                            felipeortega (posted Aug 17, 2011, 7:45 PM; last edited Aug 18, 2011, 6:58 PM)
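The two Squid-side pieces discussed above (restricting the safe ports, as marcelloc recommends, and denying FTP downloads by file extension, as asked earlier in the thread) written out as a squid.conf fragment. This is an added example, not configuration from the thread or from the pfSense squid package; the 192.168.1.0/24 client subnet and the zip/exe extension list are assumptions.

```squid
# Added example (not from the thread). Client subnet is assumed.
acl localnet src 192.168.1.0/24

# Only ports you know; nothing in the 1024-65535 range is listed,
# so Squid refuses to relay to arbitrary high ports.
acl Safe_ports port 80 443 21
acl SSL_ports port 443
acl CONNECT method CONNECT

# Weak default to avoid: the stock "acl Safe_ports port 1025-65535"
# line, which lets the proxy reach any unprivileged port.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# FTP requests that Squid proxies (ftp:// URLs sent to it by the browser)
# are matched on protocol and on the requested path's extension.
acl ftp proto FTP
acl blocked_ext urlpath_regex -i \.(zip|exe)$
http_access deny ftp blocked_ext

http_access allow localnet
http_access deny all
```

This only covers traffic that actually goes through the proxy: a client that opens a direct FTP session on port 21 never passes these ACLs, which is why the firewall rules in the post above (allow clients only to the proxy's port 3128 and to the local DNS server, deny everything else outbound) are what make the extension filter effective rather than optional.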

                            Steve, thanks for the help.

                            As you know, squid3 was not confirmed! The blocking I was able to do was via L7.

                            About UltraSurf, I had already read that document, but so far the only way I found to block it successfully was blocking all of these networks:
                            99.224.0.0/11
                            63.241.6.64/28
                            63.242.0.0/16
                            63.240.0.0/15
                            218.168.0.0/16
                            125.176.0.0/12
                            122.118.0.0/16
                            69.64.144.0/20
                            211.109.128.0/24
                            59.120.0.0/14
                            59.112.0.0/13
                            97.112.0.0/13
                            71.192.0.0/12
                            219.137.112.224/27
                            203.112.80.0/20
                            162.138.0.0/16
                            170.201.0.0/16
                            156.40.0.0/16
                            61.224.0.0/14
                            61.220.0.0/14
                            59.120.0.0/14
                            59.112.0.0/13
                            220.136.0.0/13
                            220.132.0.0/14
                            220.130.0.0/15
                            220.129.0.0/16
                            118.168.0.0/16
                            122.120.0.0/13
                            118.168.0.0/16
                            122.120.0.0/13
                            71.208.0.0/12
                            61.231.0.0/16
                            218.160.0.0/16
                            61.62.74.0/24
                            72.25.64.0/18
                            66.245.192.0/18
                            64.62.138.0/25
                            64.62.128.0/17
                            125.224.0.0/13

                            It works but is not an efficient method, because tomorrow there may be a new network.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.