How to block download extensions
-
Please help me. I want to block my users from downloading extensions,
like .zip .rar .exe .crx (Chrome extensions) .xpi (Mozilla extensions) .exe. I tried to create regular expressions,
but I can still download zip in my email. Thank you in advance :)
-
Dansguardian works great for this sort of thing as long as HTTPS isn't used to do an end-run around squid.
(Dealing with email? The issue is probably the HTTPS. Hard to block parts and pieces of HTTPS without breaking it altogether)
-
I've heard of dansguardian,
but never tried it.
Thank you for the idea.
I will give it a try. Have you also tried to block proxy Chrome extension uses?
-
Know in advance that for HTTP dansguardian will allow you to block a lot but for HTTPS, not so much. (unless you just want to break ALL HTTPS, then yeah)
-
I see.
Maybe I can break all https,
and just make an exception, we're using ftp server that requires https.
I'm confused now. hehe..
Anyways thank you. (thumbs up).
-
we're using ftp server that requires https.
im confused now.
Huh, what? Yeah, you are confused.
-
Today all advice comes with a personal affirmation of self worth I see?
If you use dansguardian you can pick and choose which computers are affected by it by making an alias.
-
I've tried DG,
but when using https,
I can still download the extension I put in banned list. :( But DG can block all bad sites..
-
is it possible to combine SG and DG?
-
I don't have a solution to your problem with HTTPS + certain file type downloads.
-
Good morning sir kejianshi,
have you heard of or used proxy extensions in browser (not Tor), like Stealthy?
Some of my users are techy, and they are using it to bypass.
-
I'm not sure what you mean, but I'm assuming you mean proxy?
There are several types. Like HTTP proxy, socks proxy or a fetch proxy.
Anyway, you want to be able to block these?
-
OK - So I loaded stealthy… What it's doing is it's loading proxy settings directly into the browser network settings to bypass your network filters.
It's setting a proxy port of 3128, so - As a starting point, I'd set a firewall rule to block anything originating on your LAN from accessing port 3128 on the WEB. That should eliminate a lot of open proxies.
They also run an HTTP proxy, so I'd tell dansguardian to block any site that includes the word "stealthy.co" or "proxy".
-
Yeah - If they start providing proxies on random ports you might have to make a rule that allows clients to pfsense to only access pfsense and not the WEB and then all queries would have to go through squid or not work at all.
Then you would have to whitelist - And that sucks for them.
I'd let them know that if they want to play games, you can play games. It will suck for them, not you.
(I assume this is work or school or something?)
-
It is for my work,
Sir, I'm running my pfsense on a virtualbox (bridged mode).
I load my pfsense ip and port (3128) in everyone's browser network settings,
what will happen sir if I block the port 3128?
Sir I'm just new,
I dunno how to make a rule that allows only clients to access pfsense and not the web. Thank you sir
-
You don't want to block 3128 completely.
You want to allow 3128 to your pfsense and only to pfsense.
So, on your LAN firewall rule, set a block rule at the very top to block all on port 3128 not destination IP (whatever your pfsense IP is).
Check the not block…
If you enter that rule correctly, it will allow pfsense proxy to work but block proxies on port 3128 on the web.
Be sure to move that rule to the very top.
-
Sir,
I tried to create the rule that you told me.
I'm just confused sir, I got it right. I attached image for my rule. Thank you sir.
-
Your rule is backwards. It should block:
Source any
Source ports - leave blank (any)
Destination: not TBT_IP
Destination port 3128
This will match and block any clients on your LAN (source) trying to connect to port 3128 somewhere out on the internet (not TBT_IP).
-
Thank you very much sir,
I will try it now. (cross finger).. hehehe
-
I've tried it,
then I installed the stealthy extension in chrome.
I run it and then search in the internet,
I block the first attempt,
but when I disable the extension,
I can access the https again (ex. fb).
It's like it accesses a different port now.
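-
Added example, not part of the original thread: a small first-match model of the LAN rule described above (block destination port 3128 where the destination is not the pfSense IP), showing what it does and does not cover. The address 192.168.1.1 standing in for TBT_IP, the default "pass LAN to any" rule and the sample connections are assumptions made for the illustration.

```python
from ipaddress import ip_address

PFSENSE_IP = ip_address("192.168.1.1")  # assumed; stands in for TBT_IP

def rule(action, port=None, dst=None, invert=False):
    """Build a rule; port/dst of None means 'any', invert is the 'not' box."""
    return {"action": action, "port": port, "dst": dst, "invert": invert}

def matches(r, dst_ip, dst_port):
    if r["port"] is not None and r["port"] != dst_port:
        return False
    if r["dst"] is None:
        return True
    hit = ip_address(dst_ip) == r["dst"]
    return (not hit) if r["invert"] else hit

def evaluate(ruleset, dst_ip, dst_port):
    """Top-down evaluation: the first matching rule decides; no match is a block."""
    for r in ruleset:
        if matches(r, dst_ip, dst_port):
            return r["action"]
    return "block"

BLOCK_3128_ELSEWHERE = rule("block", port=3128, dst=PFSENSE_IP, invert=True)
ALLOW_LAN_TO_ANY = rule("pass")  # assumed default LAN rule

CORRECT = [BLOCK_3128_ELSEWHERE, ALLOW_LAN_TO_ANY]       # block rule at the very top
WRONG_ORDER = [ALLOW_LAN_TO_ANY, BLOCK_3128_ELSEWHERE]   # block rule is never reached
NOT_UNCHECKED = [rule("block", port=3128, dst=PFSENSE_IP), ALLOW_LAN_TO_ANY]

# Constructed sample connections from a LAN client: (destination IP, port).
SAMPLES = {
    "local squid": ("192.168.1.1", 3128),
    "open proxy on 3128": ("203.0.113.10", 3128),
    "proxy on another port": ("203.0.113.10", 8080),
    "direct HTTPS": ("198.51.100.7", 443),
}

def report(ruleset):
    """Return the decision for every sample connection under a ruleset."""
    return {name: evaluate(ruleset, ip, port) for name, (ip, port) in SAMPLES.items()}

if __name__ == "__main__":
    for label, rs in (("correct", CORRECT), ("wrong order", WRONG_ORDER),
                      ("'not' unchecked", NOT_UNCHECKED)):
        print(f"{label:16} {report(rs)}")
```

With the rule entered correctly, only the 3128 connection to an outside host is blocked. Other ports and direct HTTPS still pass, which is why the thread goes on to suggest limiting clients to reaching only pfSense if proxies move to other ports.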