Blocking Ultrasurf with pfSense 2.0
-
I just tried using a firewall rule to block Ultrasurf and it seems to be working. If you need to block Ultrasurf, you can follow my instructions and test whether it works with your pfSense firewall or not. Now I'm using pfBlocker because it will be easier to add more blocked servers in the future.
1. Install pfBlocker.
2. At the pfBlocker General page,
a) enable pfblocker.
b) Inbound Interface(s): LAN
c) Inbound deny action: Block
d) Outbound Interface(s): LAN
e) Outbound deny action: Block
3. Save these settings.
4. At the Lists, create a new alias by click on the "+" button.
a) Alias Name: Ultrasurf
b) List Description: Block Ultrasurf
c) Lists: empty
d) List Action: Deny both
e) Update frequency: Never
f) Custom list (CIDR):
5. Save these settings.
6. Go to Firewall: Rules.
7. After the pfBlockerpfUltrasurf rule, add new rule
a) Proto: TCP/UDP
b) Source: LAN address
c) Port: *
d) Destination: LAN address
e) Port: 53 (DNS)
f) Gateway: *
8. Add another new rule after the rule from step 7.
a) Proto: TCP/UDP
b) Source: *
c) Port: *
d) Destination: !LAN address
e) Port: 53 (DNS)
f) Gateway: *
9. Apply the new settings.
Ultrasurf 11.04 is blocked by the rules above. Hope this can help you. We should share all the new Ultrasurf servers here so our pfSense can block Ultrasurf at the gateway firewall level.
-
No need to involve pfBlocker. On Firewall > Aliases, click the "^" at the bottom to make a bulk-add alias. Just paste that CIDR list into the box, give it a name, and save.
-
Hi Jimp,
Yes, you are right, but if in the future I need to add 50 IPs, I need to add them one by one. I cannot paste at the bottom of the existing IPs.
-
Latest Ultrasurf server blocking list for UltraSurf 12.01
-
Hi All,
I have developed a Windows service to kill Ultrasurf once it is found running on your PC. You can download it from here https://sites.google.com/site/tonersmartchip/Anti-UltraSurf.zip?attredirects=0&d=1. Currently it supports Windows XP and Windows 7. Windows Vista is not yet tested.
Cheers~! :D
-
Hello there,
Your list seems to include IP addresses from the amazon.com network. Blocking these causes access problems to amazon.com and related sites.
Specifically those addresses within 72.21.192.0/19, 207.171.160.0/19 networks.
:)
-
Hi josekym,
You can see I just block 72.21.194.31/31 and 207.171.163.151/31, in CIDR format with /31. I am only blocking certain amazon.com HTTPS servers used for public usage. With this setting, I believe you can still surf amazon.com without interruption.
Updated list
-
Well, I did use your unmodified IP address list in my firewall rule here, and it causes random page timeouts while accessing amazon.com. I just removed the offending addresses to restore normal access for our users going to amazon.com. :)
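An added example (not code from any post in this thread) that checks a CIDR alias list the way pf will read it: it normalises entries such as 72.21.194.31/31 to the /31 pf actually matches (72.21.194.30/31), drops duplicates, merges blocks already covered by a wider one, counts how many addresses the alias blocks, and flags entries inside the two Amazon ranges josekym named. The sample input is a constructed handful of entries taken from the posted list (including 72.21.194.0/24, which is also in that list); DO_NOT_BLOCK is an assumed allowlist built from those two ranges.

```python
"""Sanity-check a pfSense alias CIDR list before applying it."""
import ipaddress

# Constructed sample: a few lines as they appear in the posted list.
SAMPLE_LIST = """\
65.49.14.0/24
72.21.194.31/31
207.171.163.151/31
65.49.14.0/24
1.160.0.0/16
1.160.238.30/31
72.21.194.0/24
207.171.185.0/24
"""

# Assumed allowlist: the two Amazon ranges named in josekym's post.
DO_NOT_BLOCK = [ipaddress.ip_network(n)
                for n in ("72.21.192.0/19", "207.171.160.0/19")]


def parse_cidr_list(text):
    """Return normalised networks, one per non-empty line.

    pf ignores host bits inside the prefix, so 72.21.194.31/31 is really
    72.21.194.30/31; strict=False mirrors what the firewall will match.
    """
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Deduplicate and merge: a /31 inside a listed /16 or /24 vanishes."""
    return list(ipaddress.collapse_addresses(nets))


def collateral(nets, allow=DO_NOT_BLOCK):
    """Entries overlapping a do-not-block range, paired with that range."""
    hits = []
    for n in nets:
        for a in allow:
            if n.overlaps(a):
                hits.append((str(n), str(a)))
    return hits


def check(text):
    """Summarise what the alias really blocks and where it collides."""
    nets = collapse(parse_cidr_list(text))
    return {
        "networks": [str(n) for n in nets],
        "addresses": sum(n.num_addresses for n in nets),
        "collateral": collateral(nets),
    }


if __name__ == "__main__":
    result = check(SAMPLE_LIST)
    print("effective alias:", *result["networks"], sep="\n  ")
    print("addresses blocked:", result["addresses"])
    print("overlaps with do-not-block ranges:", *result["collateral"], sep="\n  ")
```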
-
Hi there! I've followed mcchin's method. It worked for a couple of days but now Ultrasurf users can again connect to its servers. Can I see the procedure for blocking Ultrasurf just by using an alias in the firewall, without the use of pfBlocker?
-
Hi, this may be late but here it goes. In order to use the pfSense firewall for this, first you have to add all these IPs to a container and give it a name. You can do this through the use of aliases. So from the Firewall menu click Aliases and this icon ^ (bulk import aliases from the list); all you have to do is paste all these IPs and save.
After saving, go to your firewall and add the following rules. For me, I use this one:
1. Rules
2. Add rules Lan
3. My action is Reject
4. Protocol is any
5. Source is any
6. Destination is : Type (Single hosts or aliases)
7. Type in your created aliases (from my experience it auto completes after writing a couple of couple of letters)
8. I check the log so I can monitor if its working or not
9. Hit save or give it a description. That's it.
-
I prefer to use Snort for this.
Create a separate rule file that includes the ultrasurf rule copied from "policy.rules" of Emerging Threats. Now, add a new Snort sensor on LAN interface that has just this rule enabled. Check the box to "block" the offenders on the source side for 1 hour, 3 hours, 1 day or 1 week as you find suitable.
Since Ultrasurf is a policy violation and offenders ideally should be dealt with at Layer 8 (corporate / HR policy), this will discourage people from using Ultrasurf altogether and administration will always remain in the know of them.
-
I have developed a service that runs on Windows XP and Win7 to kill Ultrasurf once it is found running. If you are interested in this software, I can send it to you and you can help me test it.
-
Sir mcchin, what Action and what Interface for these steps?
7. After the pfBlockerpfUltrasurf rule, add new rule
a) Proto: TCP/UDP
b) Source: LAN address
c) Port: *
d) Destination: LAN address
e) Port: 53 (DNS)
f) Gateway: *
8. Add another new rule after the rule from step 7.
a) Proto: TCP/UDP
b) Source: *
c) Port: *
d) Destination: !LAN address
e) Port: 53 (DNS)
f) Gateway: *
9. Apply the new settings.
-
Is it working? Is it okay if we just block 53?
-
@mcchin can you send me the app you are talking about?
-
I agree with codemarauder on this one, I created a Snort rule and I have been able to block those users that use UltraSurf, it works pretty great.
Here is the rule:
# Rules by Jorge Talamas
alert udp $HOME_NET any -> any 53 (msg:"DNS Request for www.hfdxjshm.info"; content:"|03|www|08|hfdxjshm|04|info"; metadata:service dns; nocase; classtype:policy-violation; sid:1232313; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"DNS Request for www.rvzjon.info"; content:"|03|www|06|rvzjon|04|info"; metadata:service dns; nocase; classtype:policy-violation; sid:1232314; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"DNS Request for www.ukwprf.info"; content:"|03|www|06|ukwprf|04|info"; metadata:service dns; nocase; classtype:policy-violation; sid:1232315; rev:1;)
# Rule by SERPRO-Recife Security Team
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Possible External Ultrasurf DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:policy-violation; detection_filter:track by_src, count 1, seconds 5; sid:1000059; rev:2;)
# IP POOL by Jorge Talamas
var ULTRASURF_POOL [1.160.0.0/16,1.161.122.228/32,1.162.0.0/16,1.163.233.171/32,1.168.0.0/13,12.48.83.220/32,24.11.192.218/31,36.227.0.15/32,36.227.75.242/32,36.229.197.181/32,36.232.154.1/32,46.22.213.8/32,46.22.214.10/32,46.37.175.62/32,46.37.180.174/32,46.105.135.99/32,46.105.135.123/32,46.105.151.18/32,46.105.224.154/32,58.138.34.200/32,59.104.160.0/19,59.112.0.0/15,59.115.0.0/16,59.121.0.0/16,61.31.128.0/19,61.62.0.0/17,61.62.192.0/18,61.216.0.0/17,61.216.128.0/18,61.223.0.0/16,61.224.0.0/16,61.227.0.0/16,61.228.0.0/16,61.230.0.0/15,63.215.202.0/24,63.223.86.79/32,63.223.100.58/32,63.223.101.44/32,63.223.102.73/32,63.223.103.77/32,63.223.124.119/32,63.226.208.180/31,63.245.209.30/31,64.4.44.80/31,64.25.35.100/31,64.25.35.200/31,64.37.73.8/32,64.120.138.55/32,64.120.206.154/32,64.191.20.238/32,64.191.124.239/32,65.49.2.12/31,65.49.14.0/24,65.175.93.68/32,65.175.93.72/32,65.175.93.76/32,66.201.71.143/32,66.201.71.145/32,66.245.218.2/31,67.19.60.8/31,68.65.210.20/32,68.65.238.190/32,69.61.28.24/32,69.61.28.51/32,69.162.176.238/32,69.162.177.246/32,69.162.177.250/32,69.162.179.250/32,69.162.180.238/32,69.162.180.244/32,69.162.180.250/32,69.162.181.241/32,69.162.181.248/32,69.162.182.250/32,69.162.183.246/32,69.162.185.239/32,69.162.185.247/32,69.162.186.245/32,69.162.187.239/32,69.162.189.240/32,69.162.189.246/32,69.162.190.247/32,69.162.191.248/32,70.32.68.126/31,72.21.194.0/24,72.21.203.148/31,72.21.211.170/31,72.21.214.0/24,72.69.176.100/31,74.80.131.100/32,74.80.152.203/32,74.80.167.179/32,74.80.181.109/32,74.127.24.68/32,74.127.52.39/32,74.127.52.42/32,76.191.99.99/32,76.191.102.131/32,76.191.103.56/32,76.191.105.5/32,76.191.105.20/32,76.191.114.32/32,80.79.125.53/32,91.121.253.92/32,95.143.33.144/32,95.143.33.179/32,96.9.133.170/32,96.9.174.174/32,101.128.162.236/31,111.240.0.0/14,111.248.0.0/13,112.104.0.0/17,112.104.128.0/18,112.104.192.0/19,112.105.64.0/18,112.105.128.0/19,112.105.192.0/18,113.197.194.198/31,114.24.0.0/14,114.36.0.0/14,114.40.0.0/13,118.160.0.0/15,118.165.0.0/16,118.166.0.0/15,118.168.0.0/14,122.118.0.0/16,122.120.0.0/14,122.124.162.0/24,122.125.0.0/16,122.126.0.0/15,123.204.74.103/32,123.204.96.0/19,123.205.224.0/19,124.8.72.25/32,124.9.128.0/17,124.11.53.0/24,124.11.128.0/17,124.12.0.0/17,125.224.0.0/15,125.227.0.0/16,125.229.0.0/16,125.230.0.0/16,125.231.91.188/31,125.232.0.0/15,126.126.189.185/32,128.120.32.96/31,129.59.210.100/31,149.5.113.168/32,173.208.227.209/32,173.212.193.131/32,173.212.193.142/32,173.212.193.156/32,174.24.248.14/31,175.180.64.0/18,175.180.128.0/17,175.181.64.0/18,175.181.128.0/17,175.182.0.0/17,184.26.194.70/31,184.82.51.116/32,184.82.113.169/32,184.82.137.235/32,184.82.145.69/32,184.82.205.136/32,195.43.51.21/32,199.114.216.57/32,199.114.217.39/32,199.114.219.83/32,199.114.219.93/32,199.217.100.54/32,199.217.101.32/32,199.217.101.61/32,199.217.102.49/32,203.67.0.0/19,203.67.116.201/32,203.73.50.4/31,203.73.55.210/31,203.73.192.0/18,205.251.242.164/31,207.195.235.35/32,207.195.235.195/32,208.117.17.239/32,208.117.18.242/32,208.117.19.250/32,208.117.22.249/32,208.117.23.246/32,208.117.26.239/32,208.117.27.241/32,208.117.29.246/32,208.117.29.250/32,208.117.31.240/32,210.64.96.0/19,211.74.96.0/19,211.74.191.68/31,212.69.166.19/32,212.69.169.54/32,212.69.191.38/32,212.69.191.237/32,216.13.11.50/31,216.13.113.50/31,216.15.183.18/32,216.15.183.27/32,216.198.215.3/32,216.198.220.120/32,216.198.220.126/32,218.160.0.0/14,218.165.0.0/16,218.166.0.0/15,218.168.0.0/14,218.173.0.0/16,218.174.0.0/15,219.80.130.234/31,219.84.192.0/18,219.85.128.0/17,220.100.55.208/32,220.129.0.0/16,220.131.0.0/16,220.136.0.0/16,220.138.0.0/16,220.141.0.0/16,220.142.0.0/15]
alert tcp $HOME_NET any -> $ULTRASURF_POOL 443 (msg:"Ultrasurf Connection Detected"; flow:established; classtype:policy-violation; sid:5000000; rev:3;)
alert tcp $HOME_NET any -> $ULTRASURF_POOL 10000 (msg:"Ultrasurf Connection Detected"; flow:established; classtype:policy-violation; sid:5000001; rev:3;)
Have fun!
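The DNS content strings in the rules above match because DNS carries a name on the wire as length-prefixed labels, so www.hfdxjshm.info appears as the bytes 03 "www" 08 "hfdxjshm" 04 "info". This added example (not code from the thread or from Snort) converts a Snort content string in pipe-hex notation to bytes, builds a constructed minimal DNS query, and reports which of the posted SIDs would match it, honouring nocase the way the rule does; the 22-zero-byte pattern from the SERPRO rule is checked the same way.

```python
"""Match DNS queries against the Snort content patterns posted above."""
import struct

# Content strings copied from the posted rules, keyed by their SID.
SNORT_CONTENTS = {
    1232313: "|03|www|08|hfdxjshm|04|info",
    1232314: "|03|www|06|rvzjon|04|info",
    1232315: "|03|www|06|ukwprf|04|info",
    1000059: "|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|",
}


def snort_content_to_bytes(content):
    """Snort content: text outside pipes is literal, text inside is hex."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:                       # odd segments sit between a pipe pair
            out += bytes.fromhex(part)  # fromhex ignores the spaces
        else:
            out += part.encode("ascii")
    return bytes(out)


def encode_qname(name):
    """DNS wire format: each label prefixed by its length, terminated by 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(lb)) + lb.encode("ascii")
                    for lb in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """Constructed minimal standard query: 12-byte header + A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def matching_sids(packet, nocase=True):
    """SIDs whose content occurs in the packet (nocase: ASCII-insensitive).

    Lowercasing only touches ASCII letters, so the length bytes 03/08/04
    are unaffected; a query sent as WWW.HFDXJSHM.INFO still matches.
    """
    hay = packet.lower() if nocase else packet
    hits = []
    for sid, content in SNORT_CONTENTS.items():
        needle = snort_content_to_bytes(content)
        if nocase:
            needle = needle.lower()
        if needle in hay:
            hits.append(sid)
    return sorted(hits)


if __name__ == "__main__":
    for qname in ("www.hfdxjshm.info", "WWW.RVZJON.INFO", "www.example.com"):
        print(f"{qname:20s} -> SIDs {matching_sids(build_query(qname))}")
    # Constructed packet carrying the zero run the SERPRO rule looks for.
    print("zero-padded query    -> SIDs",
          matching_sids(build_query("www.example.com") + b"\x00" * 22))
```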
-
Super, it is working, thank you so much.
-
Try this.
I have created an alias LEGALPORTS (80, 443, 53, 3128 and any ports you consider necessary) to be allowed, then from the Firewall Rules I added outbound connections for LAN specifying LEGALPORTS as their destination ports. I have not tested this one out for Ultrasurf but it works for blocking torrents. I will try it anyway on my side.
Thanks.
-
Steve:
Well, the plot thickens; unfortunately, my situation has gone from bad to worse. In the midst of experimenting with alternate "modem access" configurations on pfSense last night I lost the connection with my Viking modem card. I restored two of my prior-working configurations to no avail: pfSense is not able to talk to my modem. I can no longer connect to the internet and I cannot ping my modem's IP address inside pfSense. pfSense, however, sees the adapter on my modem and the modem is syncing with my ISP's DSLAM (PPPoE over Ethernet over ATM; my ISP records show the ATM path established).
I can't imagine how any changes I made to pfSense would have caused this problem, as I have reset and reconfigured it several times. I did make some changes to my modem configuration, however, while I had access to it and while I still had internet access through it. I changed its password as well as its date and time settings; these changes should have had no effect on connectivity. I also changed its default access IP address (I did not change its subnet); again, this change should not have affected connectivity. Additionally, however, I compulsively changed its MTU setting from 1500 to 1492 (located in the same GUI screen area as the IP address setting). I have a feeling that this change may be the culprit; perhaps the modem does not like this latter setting changed when it is in bridge mode. I violated my trusted dictum in making these changes: change only one variable at a time and reboot the system between changes when you are unsure what the results might be.
So I wasted another four hours on this project last night. The Viking card has been a grand time consumer: it is neither well documented nor supported by its manufacturer--who is almost impossible to contact via e-mail--and the card is no longer in production. My next step will be to do a hardware reset of the card--then I will see if I can access it in pfSense and switch it back into bridge mode via telnet. This task will be a bear, as I will have to pull my 1U rack-mounted unit out of its cabinet, open its chassis, and access the reset pins on the Viking card--the card is mounted face down on a 90 degree riser in the chassis, so I may have to pull it out to find its reset pins.
So that is how I will be spending my Thanksgiving weekend.
-
The steps above are not working with the new version of Ultrasurf >:(.
-Randy