How to block HTTPS website?



  • Hi All,

    Anybody know how to block HTTPS base sites. (ex. https://facebook.com) without blocking only 443 port. because It block all the https base site. I want to block only mail sites.

    Thanks in Advance



  • So you are wanting to block websites like gmail, yahoo mail, hotmail, etc.?



  • Now I want to block https://facebook.com



  • Have you looked into setting up Squid?



  • SQUID would be best option, but low learning curve edition could be
    facebook cidr alias as destination network with https trafic


  • Netgate Administrator

    Squid can't proxy https traffic. You have to block all https to force people to use the proxy.

    You could block all https and then allow it only to sites you need.

    As Metu69salemi suggested, create an alias containing all of facebook's IPs and block that.

    Steve



  • can you suggest me step by step, because pfsense new for me. ;)


  • Netgate Administrator

    First of all find out what IP addresses facebook is using. Some breif googling shows possibly it is this:
    69.63.176.1-69.63.191.255 and 204.15.20.1-204.15.23.255
    That may be a bit over inclusive but it will do to start you can always add more or refine it to less later.
    Edit: These aren't sufficient, see post below.

    In the web GUI go to Firewall: Aliases: and click the + to add a new one:

    Click Save and then Apply.

    Now go to Firewall: Rules: and select whichever interface you need the block on. Now add a new rule at the top of the list:


    Save and apply.

    Test. You may find that there are other IPs Facebook uses. You can edit the Alias to add them.

    Steve



  • Quite easy… even if it needs some maintenance sometimes.

    1. Get the info about the Facebook public IPs
    2. Create an alias that contains all the Facebook networks
    3. Create a firewall rule that block that traffic

    For the details:
    Facebook IPs
    I got them from ARIN (http://whois.arin.net/rest/org/THEFA-3.html, click on related networks). They are:
    69.171.224.0/19
    74.119.76.0/22
    204.15.20.0/22
    66.220.144.0/20
    69.63.176.0/20
    173.252.64.0/18

    Alias
    Just create an Alias:
    Name: Facebook_Network (for example)
    Type: Network(s)
    Networks: All the above networks. Pay attention to the CIDR (/XX in the above entries) that must be specified with the dropdown-list

    Firewall rule
    Once you save and apply the alias, go on firewall, rules, LAN, add new rule. Just specify:
    Action: Block
    Interface: LAN
    Protocol: Any
    Source: Any
    Destination: Singole host or alias, then type Facebook_Network (or the name of the alias you typed before)
    Description: Blocks Facebook Networks (or whatever you want to type here)

    Save the rule.
    After that you should put that rule in the FIRST row of the table in order to avoid that before this rule other "pass" rules are applied. For this, just select the rule you just created (checkbox), then click the "<" arrow of the first rule in the table, this will put your "Blocks Facebook Networks" on top of the list.

    That's it.

    If you close and reopen all your browsers you should not be able to open facebook. If you are bored about the "keep alive" connections, just:

    1. Force a "reload filter" from the "Status=>Filter reload" menu;
    2. If it still persists (keep alive connections), reset the states (Diagnostic=>States=>Reset states)

    I hope everything is clear and easy…

    Michele


  • Netgate Administrator

    Yes, your list of IPs looks much better!  ;)
    Also happy to see our instructions seem to match up.

    Steve



  • but your answer is better, I don't have any screenshot… :D
    we were answering in the same time...



  • Glad if any of three same kind suggestions may help



  • an alias to apps.facebook.com can do the job also.



  • @stephenw10:

    Squid can't proxy https traffic. You have to block all https to force people to use the proxy.

    You could block all https and then allow it only to sites you need.

    As Metu69salemi suggested, create an alias containing all of facebook's IPs and block that.

    Steve

    Squid can indeed proxy HTTPS traffic. I think what you refer to is due to the design of the HTTPS protocol it is not possible (with any software) to setup a transparent HTTPS proxy.


  • Netgate Administrator

    Hmm, I stand corrected.
    I would think, though, that in this case it wouldn't be useful since as you say it can't be transparent.
    This raises some interesting questions about the end-to-end encryption of https.  :-
    More reading required….

    Steve



  • Squid can indeed proxy HTTPS traffic. I think what you refer to is due to the design of the HTTPS protocol it is not possible (with any software) to setup a transparent HTTPS proxy.

    It could be done, but requires some 'nasty' configuration.

    You have to create a local CA, install CA certificate on users machines and forward all https to your local web server with proxy mode, just like man-in-the-middle attack.

    Imspector has this options to proxy msn_https communication and create self-signed certificates to match common-name client check.



  • Hi All,

    Thank you so much for suggestions.

    thx.



  • Well….

    i have recently discover on linux how to block sites per contain so any string that contains facebook, will be block

    iptables -A FORWARD -p tcp -m string --string "facebook" --algo kmp -j DROP

    i works for me... i do not know if with ipfw will  have some simillar parameter ... i hope seo because im about to migrate to pfsense

    @sudo:

    Hi All,

    Anybody know how to block HTTPS base sites. (ex. https://facebook.com) without blocking only 443 port. because It block all the https base site. I want to block only mail sites.

    Thanks in Advance


  • Netgate Administrator

    pfSense uses pf(4) not ipfw. Though it does use ipfw for the captive portal function.
    I think you may out of luck translating that from iptables.  :-\

    Steve


  • Rebel Alliance Global Moderator

    "This raises some interesting questions about the end-to-end encryption of https."

    Depends on how your doing it – by default its just a Tunnel that squid passes the packets through - it has no understanding of what is inside the tunnel.  Which is why it can be difficult to filter on https urls, etc.

    here is a good read on how squid can handle https and or any other protocol you want to allow through the proxy
    http://wiki.squid-cache.org/Features/HTTPS



  • @stephenw10:

    pfSense uses pf(4) not ipfw. Though it does use ipfw for the captive portal function.
    I think you may out of luck translating that from iptables.  :-\

    Steve

    If you don't mind setting up the rules manually, you can activate the portal and then create your own ipfw rules. The only trick is to make the last step in your rules skip over the portal rules (assuming you don't want captive portal functionality).


Locked