How to block google playstore on android devices from downloading/ install .apk



  • First-time user of pfSense and loving it fully.

    Googling for the ports used by the Play Store that should be blocked, it says to create a rule in the firewall and block ports 5228-5230.
    I've been fiddling with firewall rules for a week now (ha ha, yeah!) but I can still download/install apps using the Play Store app on my Android device.

    On both the WAN and LAN ports I created blocks for said ports, destination and source; still no go.
    Also, I tried learning what the firewall logs say, but it's kind of difficult to tell from there.

    Please masters, help me.

    TIA

    -greenhouse-



  • @greenhouse:

    rule in the firewall and block ports 5228-5230.

    On both the WAN and LAN ports I created blocks for said ports, destination and source; still no go.
    Also, I tried learning what the firewall logs say, but it's kind of difficult to tell from there.

    Just some ideas:

    One way of doing it: block the IP addresses of the destination service (for example by adding an alias called "blocklist" or something like that and adding all the IP addresses of the servers you want to block completely).

    Cons / risks with this solution: if new IP addresses are used for the service, your block will be useless. A user could "tunnel" traffic to go around your block or use a proxy etc.; only direct traffic would be blocked.

    Pros: as long as the IP addresses are not changed, this is a pretty "cheap" way of blocking traffic, and when blocking at the IP level you can block traffic directly ("before" doing more "costly" things like inspecting packets etc.).

    Another way: force users to use your DNS resolver and block it there (in DNS).

    Or, yet another way: inspect packets, look for the specific signature of this service and block it at the content filtering level.

    Cons: just like with the block list above, you need to keep track of how this service works and of any changes made to it; users can use proxies, tunnels etc. and easily bypass your "block". For example, if a new domain name were used for the service, your DNS ACLs would be useless. "DNS hijacking" could break things; however, if you only want to "block" these services it should probably not matter too much?

    Pros: you could easily "redirect" users to your own "error page" by adding records for the domains to your own zones (almost like a portal in a way) and take care of authorizing some users etc.

    The best solution is probably a combination of all three. Inspecting packets could be "costly", so on a larger network it could be a good idea to "do the filtering" on a separate "section" of the network, maybe using a separate (hardware) firewall before passing the traffic further into your network.

    Cheers

    /E



  • Wow, I kind of got lost with all those options, ha ha.
    And thank you very much.

    I thought it would only take some port blocking to do the trick, or some firewall rules.

    BTW, I made OpenDNS my DNS; it's some great help with proxies.

    Sir, below is a firewall rule set that, as I understand it, should only open ports 80 and 443 (enough for browsers to have an internet connection) and would block ports 5228-5230.

    Action  Proto     Source    Port  Destination  Port       Gateway
    pass    TCP/UDP   LAN net   *     *            80
    pass    TCP/UDP   LAN net   *     *            443
    block   TCP/UDP   LAN net   *     *            5228-5230

    But why won't the browsers get internet using those rules?
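An added example, not posted by anyone in this thread: a small first-match packet filter in the style of pfSense LAN rules, used to run constructed traffic through both the "block a destination-address alias" approach from the reply above and the three port rules posted just above. The alias contents, the hosts and the client address are all made-up test values (RFC 5737 / RFC 1918 ranges); the real service addresses are not on the page and change over time. The `evaluate` function applies the rule semantics pfSense uses on its GUI rules: the first matching rule decides, and traffic matched by no rule hits the implicit default deny at the end of the list.

```python
"""First-match packet filter modelling pfSense-style LAN rules (added example).

Two rule sets are compared on the same constructed packets: blocking a
destination-address alias (the reply's first option) and the three port
rules posted in the thread, taken as the only rules on the LAN interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed aliases. "playstore_block" stands in for a hand-maintained list
# of service addresses (hypothetical values; the real ones are not on the page).
ALIASES: Dict[str, List[str]] = {
    "LAN net": ["192.168.1.0/24"],
    "playstore_block": ["192.0.2.10", "192.0.2.64/26"],
}


@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    proto: str                               # "tcp", "udp" or "tcp/udp"
    src: str                                 # alias name, CIDR/host, or "any"
    dst: str                                 # alias name, CIDR/host, or "any"
    dport: Optional[Tuple[int, int]] = None  # inclusive destination port range


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dport: int


def addr_matches(spec: str, ip: str) -> bool:
    """True if ip is covered by an alias name, a CIDR/host string, or 'any'."""
    if spec == "any":
        return True
    nets = ALIASES.get(spec, [spec])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol, destination port range, source and destination must all match."""
    if rule.proto != "tcp/udp" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return addr_matches(rule.src, pkt.src_ip) and addr_matches(rule.dst, pkt.dst_ip)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; with no match the implicit default deny applies.

    Returns (action, index of the deciding rule or None for the default deny).
    """
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "block", None


# Approach from the reply: block the destination alias first, then allow the rest.
ALIAS_RULES = [
    Rule("block", "tcp/udp", "LAN net", "playstore_block"),
    Rule("pass", "tcp/udp", "LAN net", "any"),
]

# The three rules as posted, with nothing else on the LAN interface.
PORT_RULES = [
    Rule("pass", "tcp/udp", "LAN net", "any", (80, 80)),
    Rule("pass", "tcp/udp", "LAN net", "any", (443, 443)),
    Rule("block", "tcp/udp", "LAN net", "any", (5228, 5230)),
]

# Constructed sample traffic from one LAN client.
DNS_QUERY = Packet("udp", "192.168.1.50", "208.67.222.222", 53)   # resolver lookup
WEB_HTTPS = Packet("tcp", "192.168.1.50", "198.51.100.7", 443)    # ordinary website
STORE_5228 = Packet("tcp", "192.168.1.50", "192.0.2.10", 5228)    # alias host, port 5228
STORE_443 = Packet("tcp", "192.168.1.50", "192.0.2.10", 443)      # same host over 443


def compare() -> Dict[str, Tuple[str, str]]:
    """Verdict of each rule set per sample packet: {name: (alias_rules, port_rules)}."""
    samples = {"dns": DNS_QUERY, "https": WEB_HTTPS,
               "store_5228": STORE_5228, "store_443": STORE_443}
    return {name: (evaluate(ALIAS_RULES, p)[0], evaluate(PORT_RULES, p)[0])
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (by_alias, by_port) in compare().items():
        print(f"{name:11s} alias rules: {by_alias:6s} port rules: {by_port}")
```

Two results are worth reading off the output. The posted port rules pass nothing on UDP/TCP 53, so the DNS lookup from the client falls through to the default deny and name resolution fails before any browser connection is attempted. The alias rule set, on the other hand, blocks the listed host regardless of port, which the 5228-5230 block does not do once the same host is reached over 443; that is the limit of port-based blocking the reply describes, and the alias has to be kept current to stay effective.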

