How to block download extensions



  • please help me. i want to block my users from downloading extensions.
    like .zip .rar .exe .crx (chrome extensions) .xpi (mozilla extensions) .exe..

    i tried to create regular expressions,
    but i can still download zip in my email.

    thank you in advance :)



  • Dansguardian works great for this sort of thing as long as HTTPS isn't used to do an end-run around squid.

    (Dealing with email? The issue is probably the HTTPS.  Hard to block parts and pieces of HTTPS without breaking it altogether)



  • i've heard of dansguardian,
    but never tried it.
    thank you for the idea.
    i will give it a try.

    have you also tried to block proxy chrome extension use?



  • Know in advance that for HTTP dansguardian will allow you to block a lot but for HTTPS, not so much.  (unless you just want to break ALL HTTPS, then yeah)



  • i see.
    maybe i can break all https,
    and just make an exception,

    we're using ftp server that requires https.
    im confused now.

    hehe..
    anyways thank you. (thumbs up).


  • @tbt_sysad:

    we're using ftp server that requires https.
    im confused now.

    Huh, what? Yeah, you are confused.



  • Today all advice comes with a personal affirmation of self worth I see?

    If you use dansguardian you can pick and choose which computers are affected by it by making an alias.



  • i've tried DG,
    but when using https,
    i can still download the extension i put in banned list. :(

    but DG can block all bad sites..



  • is it possible to combine SG and DG?



  • I don't have a solution to your problem with HTTPS + certain file type downloads.



  • Good morning sir kejianshi,

    have you heard of or used proxy extensions in the browser (not tor), like stealthy?
    some of my users are techy, and they are using it to bypass.



  • I'm not sure what you mean, but I'm assuming you mean proxy?

    There are several types.  Like HTTP proxy, socks proxy or a fetch proxy.

    Anyway, you want to be able to block these?



  • OK - So I loaded stealthy…  What it's doing is it's loading proxy settings directly into the browser network settings to bypass your network filters.

    It's setting a proxy port of 3128, so - As a starting point, I'd set a firewall rule to block anything originating on your LAN from accessing port 3128 on the WEB.  That should eliminate a lot of open proxies.

    They also run an HTTP proxy, so I'd tell dansguardian to block any site that includes the word "stealthy.co" or "proxy".



  • Yeah - If they start providing proxies on random ports you might have to make a rule that allows clients to access only pfsense and not the WEB, and then all queries would have to go through squid or not work at all.

    Then you would have to whitelist - And that sucks for them.

    I'd let them know that if they want to play games, you can play games.  It will suck for them, not you.

    (I assume this is work or school or something?)



  • it is for my work,

    Sir, im running my pfsense on a virtualbox (bridged mode).
    i load my pfsense ip and port(3128) in everyone's browser network settings,
    what will happen sir if i block the port 3128.
    Sir im just new,
    i dunno how to make a rule that allows only clients to access pfsense and not the web.

    thank you sir



  • You don't want to block 3128 completely.

    You want to allow 3128 to your pfsense and only to pfsense.

    So, on your LAN firewall rule, set a block rule at the very top to block all on port 3128 not destination IP (whatever your pfsense IP is).

    Check the not block…

    If you enter that rule correctly, it will allow pfsense proxy to work but block proxies on port 3128 on the web.
    Be sure to move that rule to the very top.



  • Sir,

    i tried to create the rule that you told me.
    im just confused sir, i got it right.

    i attached image for my rule. thank you sir.




  • Your rule is backwards. It should block:
    Source any
    Source ports - leave blank (any)
    Destination: not TBT_IP
    Destination port 3128

    This will match and block any clients on your LAN (source) trying to connect to port 3128 somewhere out on the internet (not TBT_IP).



  • @phil.davis:

    Your rule is backwards. It should block:
    Source any
    Source ports - leave blank (any)
    Destination: not TBT_IP
    Destination port 3128

    This will match and block any clients on your LAN (source) trying to connect to port 3128 somewhere out on the internet (not TBT_IP).

    thank you very much sir,
    i will try it now. (cross finger).. hehehe



  • i've tried it,
    then i installed the stealthy extension in chrome.
    i run it and then search in the internet,
    i block the first attempt,
    but when i disable the extension,
    i can access the https again (ex. fb).
    its like it access to a different port now.



  • The way that thing works is it inserts the proxy settings for random open proxies on the net into the web browser configuration.  It leaves those settings there when you un-install the browser add on.  It also removes any previous proxy settings you had in the browser.

    So, if the proxy settings you had in the browser to begin with are what directs the users into your proxy, when they run that browser add on, your proxy will be replaced with the stealthy proxy.  Then when you uninstall the stealthy proxy, there is no proxy at all.

    So, if a browser on your network with no proxy settings can access the web, then they will be able to access HTTP or HTTPS.

    So, besides blocking the 3128 port to the internet for clients, you should probably also block port 80 and 443 from the LAN to internet for those computers, so that the only way to get to the internet is via your proxy.

    So, if access for your computers is supposed to go:

    Computer > squid on port 3128 > internet

    Then you can block their 80 and their 443 to the web, along with their 3128 to the web.
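
The rule ordering discussed in the posts above, as an added example that is not part of the original thread: a small first-match model of the LAN rules, run against constructed client connections. The pfSense address, the sample destinations, the bottom "LAN to any" pass rule and the reading of the "backwards" rule are assumptions.

```python
from ipaddress import ip_address

PFSENSE_IP = ip_address("192.168.1.1")  # assumed LAN address of pfSense/squid (TBT_IP in the thread)

def rule(action, ports=None, dst=None, invert=False):
    """One LAN rule. None means 'any'; invert=True is the 'not' checkbox on the destination."""
    return {"action": action, "ports": ports, "dst": dst, "invert": invert}

def matches(r, dst, port):
    if r["ports"] is not None and port not in r["ports"]:
        return False
    if r["dst"] is None:
        return True
    return (ip_address(dst) == r["dst"]) != r["invert"]

def evaluate(rules, dst, port):
    """Top-down, first match wins; traffic that matches no rule is blocked."""
    for r in rules:
        if matches(r, dst, port):
            return r["action"]
    return "block"

ALLOW_LAN_ANY = rule("pass")  # assumed default "LAN to any" rule below the block rules

RULESETS = {
    # Assumed reading of the "backwards" rule (the screenshot is not on the page):
    # destination IS pfSense, so clients lose the local proxy and outside proxies still work.
    "backwards": [rule("block", {3128}, PFSENSE_IP), ALLOW_LAN_ANY],
    # Destination NOT pfSense, destination port 3128.
    "corrected": [rule("block", {3128}, PFSENSE_IP, invert=True), ALLOW_LAN_ANY],
    # Also block direct 80/443 to the internet so browsing has to go through squid.
    "locked_down": [rule("block", {80, 443, 3128}, PFSENSE_IP, invert=True), ALLOW_LAN_ANY],
    # Clients may reach only the proxy; nothing else leaves the LAN.
    "proxy_only": [rule("pass", {3128}, PFSENSE_IP)],
}

# Constructed sample connections from a LAN client (documentation address ranges).
FLOWS = {
    "local squid": ("192.168.1.1", 3128),
    "outside proxy :3128": ("203.0.113.7", 3128),
    "direct HTTPS": ("198.51.100.20", 443),
    "outside proxy :8080": ("203.0.113.7", 8080),
}

def verdicts(name):
    return {flow: evaluate(RULESETS[name], dst, port) for flow, (dst, port) in FLOWS.items()}

if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:12}", verdicts(name))
```

The "corrected" set still passes direct HTTPS, which matches what was seen after the extension was disabled, and only "proxy_only" stops an outside proxy on another port.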



  • uhm sir kejianshi,

    im doing well with dansguardian,
    but i have this one scenario when one of the users has an access which is not
    applicable to others,

    i've tried the users in dansguardian but the result is failed,

    is it really possible sir?

    tnx

