Help Me!! I need block download for extensions HTTP , FTP AND….



  • Hello everyone

    I doubt if it is possible to perform these questions using pfSense:

    1 -Control of what is being done on my network (using proxyweb, etc..) Report and online.com by hostname, IP, MAC Address;

    2- Control of downloads and uploads (HTTP and FTP) by time, size and file extensions;

    3- Block Torrent (P2P) in the entire network;

    If someone how to resolve these questions could explain to me how to proceed?



  • I think that three packages do all your requirements with flying colors: Squid, Squidguard(or lightsquid) & Snort. Search these and you'll end up finding a lot of info



  • Thanks for the help friend

    and the control extension by ftp?
    example

    I forbid you to download zip and exe extensions are made via FTP the rest is released



  • I think that you should wait answers from other ones. I can't tell how to configure this, but it might need l4 and l7 all together



  • ???

    There is the possibility of blocking the ftp squid? If you have to make these settings?


  • Netgate Administrator

    Squid is an http proxy it will not help you with ftp.
    You would need to use something like ftp-proxy, although I don't think that allows file type control.

    Steve

    Edit: Looks like I'm wrong.  :-[
    Squid does have some ftp features.



  • Seeking information on the internet I see many people saying it's possible but have not found how.
    I found this site I tried the process but without success
    http://www.labtestproject.com/linux_network/step_by_step_enable_ftp_on_squid_proxy_in_linux_fedora_10.html
    PfSense does not exist in a way to accomplish this process?



  • You cannot block ftp file extensions. Solutions 1: disable default port to any and just open ports 80/443/53. 2: Use traffic shaper to  slow down the download.

    Hope this help.

    jigp


  • Netgate Administrator

    Which part of those instructions could you not do?
    Are you usign the squid 3 package?

    Steve



  • Thanks for the replies

    Yes I have to block extension and it worked!
    I got through the layer 7
    I am now with the following difficulty
    How to Block UltraSurf program
    there is a PAT to include Layer 7 to block?
    To block success got to block port 443 but that brings me more trouble than I want


  • Netgate Administrator

    Just to confirm: you can block ftp download of specific file types with Squid 3?

    Ultrasurf is designed to bypass firewalls so it's very difficult to block. It presumably connects to a proxy server using port 443 since that is almost always unblocked for SSL. The connection is encrypted so it's very hard to use layer 7 filtering. Why are you blocking it?

    Steve

    Edit: The first hit on Google throws up some useful info though.



  • @jigpe:

    Solutions 1: disable default port to any and just open ports 80/443/53. 2: Use traffic shaper to  slow down the download.

    Hope this help.

    jigp

    Do not open any port, including 53.

    your network use your local dns and a proxy server.

    set access to 53  only from dns server

    Create a rule to allow traffic for proxy server port 3128 if you are using squid.
    Create a l7 rule to cathc p2p traffic with 1kbps
    if you block p2p, the client will try to use your squid. if you limit p2p the client will try to use it.

    And at squid.conf edit safe ports to allow only ports you know 80,443, etc exlcude the port range 1024-65535



  • Steve thanks for the help

    As you know the squid3 not confirmed! The lock so I could do for l7.

    About UltraSurf had already read that document but so far the only way I found to be successful in blocking was blocking all networks.
    99.224.0.0/11
    63.241.6.64/28
    63.242.0.0/16
    63.240.0.0/15
    218.168.0.0/16
    125.176.0.0/12
    122.118.0.0/16
    69.64.144.0/20
    211.109.128.0/24
    59.120.0.0/14
    59.112.0.0/13
    97.112.0.0/13
    71.192.0.0/12
    219.137.112.224/27
    203.112.80.0/20
    162.138.0.0/16
    170.201.0.0/16
    156.40.0.0/16
    61.224.0.0/14
    61.220.0.0/14
    59.120.0.0/14
    59.112.0.0/13
    220.136.0.0/13
    220.132.0.0/14
    220.130.0.0/15
    220.129.0.0/16
    118.168.0.0/16
    122.120.0.0/13
    118.168.0.0/16
    122.120.0.0/13
    71.208.0.0/12
    61.231.0.0/16
    218.160.0.0/16
    61.62.74.0/24
    72.25.64.0/18
    66.245.192.0/18
    64.62.138.0/25
    64.62.128.0/17
    125.224.0.0/13

    Work but is not an efficient method because tomorrow there may be a new network.


Locked