• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Blocking Internet access via specific browser

Scheduled Pinned Locked Moved General pfSense Questions
26 Posts 6 Posters 8.0k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • N
    networkinggeek
    last edited by Jan 18, 2015, 10:05 AM

    Hello Forum,
    I am using pfsense+nsfilter package for blocking URLs. I am encountering a rather strange situation, whatever the filtering rules I have added it is working fine in laptops for all browsers (IE, Chrome, Firefox and Opera). When I check what is my ip it shows ip of the pfsense.

    Now in smartphone and tabs I have same browsers and filtering is working perfectly in Chrome, IE and Firefox but Opera is completely bypassing the firewall. When I check what is my ip in chrome, firefox and I.E it shows IP of pfsense, but when I do the same in Opera it is showing completely different IP. So my question is whether is it possible to force the users to use a specific browser and block other browser?

    "Mastery isn't a natural gift. Its a daily devotion"

    1 Reply Last reply Reply Quote 0
    • H
      heper
      last edited by Jan 18, 2015, 10:40 AM

      i guess you should ask Northshore ?
      nsfilter is not part of any official pfSense repository as far as i know. I saw it has a paid service … then they should provide support also.

      perhaps others have experience with this package?

      1 Reply Last reply Reply Quote 0
      • D
        doktornotor Banned
        last edited by Jan 18, 2015, 10:47 AM

        Opera Mini has had history of using proxy and various other crap for ages. Not really sure what you are expecting here.

        http://en.wikipedia.org/wiki/Opera_Mini

        The browser's use of compression and encrypted proxy-based technology to reduce traffic and speed page display has the side effect of allowing it to circumvent several approaches to Internet censorship. … Opera Mini fetches all content through a proxy server and reformats web pages into a format more suitable for small screens. A page is compressed, then delivered to the phone in a markup language called OBML (Opera Binary Markup Language), which Opera Mini can interpret. The data compression makes transfer time about two to three times faster, and the pre-processing improves the display of web pages not designed for small screens

        1 Reply Last reply Reply Quote 0
        • N
          networkinggeek
          last edited by Jan 18, 2015, 11:00 AM

          @heper:

          i guess you should ask Northshore ?
          nsfilter is not part of any official pfSense repository as far as i know. I saw it has a paid service … then they should provide support also.

          perhaps others have experience with this package?

          Yes sir I have raised this issue to them and I am awaiting their reply. I just thought to ask this in the forum, its better to be informed  :)

          "Mastery isn't a natural gift. Its a daily devotion"

          1 Reply Last reply Reply Quote 0
          • N
            networkinggeek
            last edited by Jan 18, 2015, 11:03 AM

            @doktornotor:

            Opera Mini has had history of using proxy and various other crap for ages. Not really sure what you are expecting here.

            http://en.wikipedia.org/wiki/Opera_Mini

            The browser's use of compression and encrypted proxy-based technology to reduce traffic and speed page display has the side effect of allowing it to circumvent several approaches to Internet censorship. … Opera Mini fetches all content through a proxy server and reformats web pages into a format more suitable for small screens. A page is compressed, then delivered to the phone in a markup language called OBML (Opera Binary Markup Language), which Opera Mini can interpret. The data compression makes transfer time about two to three times faster, and the pre-processing improves the display of web pages not designed for small screens

            Opera browser works fine in the laptop/desktop, I mean all the filtering rules are enforced. The problem is with the Opera browser installed in Smartphones or Tablets, it is taking different proxy altogether

            "Mastery isn't a natural gift. Its a daily devotion"

            1 Reply Last reply Reply Quote 0
            • D
              doktornotor Banned
              last edited by Jan 18, 2015, 5:00 PM

              @networkinggeek:

              Opera browser works fine in the laptop/desktop, I mean all the filtering rules are enforced. The problem is with the Opera browser installed in Smartphones or Tablets, it is taking different proxy altogether

              Yes. The mobile junk is a completely different thing.

              1 Reply Last reply Reply Quote 0
              • N
                networkinggeek
                last edited by Jan 21, 2015, 5:46 AM

                I went through some blogs and even contacted NSFilter regarding the Opera mini issue. Its been found that Opera Mini appends its header using "X-Forward-For" when sending the traffic out. Here is the link for it http://tiffanybbrown.com/2011/08/11/opera-turbo-and-ip-address-blocking/

                Basically "X-Forward-For" adds IP address of client device/proxy before sending out the traffic. Opera Mini is adding IP of its proxy server in the header, so blocking/disabling "X-Forward-For" might solve the problem.

                I just want to know whether it is possible to block "X-Forwarded-For" traffic in pfsense? If so then how to do it  :)

                "Mastery isn't a natural gift. Its a daily devotion"

                1 Reply Last reply Reply Quote 0
                • F
                  fsansfil
                  last edited by Jan 21, 2015, 10:39 AM

                  Using Snort

                  alert ip any any <> any any (msg:"appID Opera/Opera Mini"; appid: opera opera_mini; classtype:policy-violation; sid:13465012; rev:1;)

                  F.

                  1 Reply Last reply Reply Quote 0
                  • D
                    doktornotor Banned
                    last edited by Jan 21, 2015, 10:53 AM

                    @fsansfil:

                    Using Snort

                    I'd rather leave those Opera Mini people browse whatever they wish than break everyone else on the way…

                    1 Reply Last reply Reply Quote 0
                    • F
                      fsansfil
                      last edited by Jan 21, 2015, 11:00 AM

                      Opera Mini people are a dangerous kind… ;)

                      "I just want to know whether it is possible to block "X-Forwarded-For" traffic in pfsense? If so then how to do it  :)"

                      You can use this rule too...

                      alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"No Proxied or Random Agent Spoofer"; content:"X-Forwarded-For"; http_header; classtype:policy-violation; sid:13465013; rev:1;)

                      1 Reply Last reply Reply Quote 0
                      • D
                        doktornotor Banned
                        last edited by Jan 21, 2015, 11:09 AM

                        Seriously, have you investigated some saner approaches? Like, blocking outgoing DNS except for whitelisted servers via firewall rules?

                        1 Reply Last reply Reply Quote 0
                        • N
                          networkinggeek
                          last edited by Jan 21, 2015, 1:39 PM

                          @doktornotor:

                          Seriously, have you investigated some saner approaches? Like, blocking outgoing DNS except for whitelisted servers via firewall rules?

                          I tried blocking the DNS queries by adding the following rules
                          Rule 1
                          Action: Pass
                          Protocol: TCP/UDP
                          Src: Any
                          Src Port: Any
                          Dest: Lan Address
                          Port : 53 (DNS)

                          Rule 2
                          Action: Block
                          Protocol: TCP/UDP
                          Src: Any
                          Src Port: Any
                          Dest: Any
                          Dest Port: 53 (DNS)

                          When I enforce these rules I am able to browse the internet normally, but opera mini is still managing to bypass. Either I have done mistake in adding the rules or else opera mini has some really great proxies  :(

                          "Mastery isn't a natural gift. Its a daily devotion"

                          1 Reply Last reply Reply Quote 0
                          • K
                            KOM
                            last edited by Jan 21, 2015, 2:47 PM

                            How is Opera getting around the firewall?  Just because an IP checker comes up with a different value??  If you have a web proxy set up, surely you've blocked LAN access to 80/443 so that nothing can get out past the filter?  Have you configured WPAD on pfSense?  Opera appears to support WPAD.

                            1 Reply Last reply Reply Quote 0
                            • N
                              networkinggeek
                              last edited by Jan 21, 2015, 3:28 PM

                              @KOM:

                              How is Opera getting around the firewall?  Just because an IP checker comes up with a different value??  If you have a web proxy set up, surely you've blocked LAN access to 80/443 so that nothing can get out past the filter?

                              Ok let me explain how Opera and Opera Mini works. The browser has a setting called turbo mode, Opera browser has the option to choose between normal browsing and turbo mode browsing. When in normal mode, it passes through the pfsense, but when turbo mode is enabled it tunnels the traffic through one of its own proxy servers by setting "X-Forwarded-For: IP Address" to serve webpages quickly. On the other hand Opera Mini is by default turbo mode enabled, so it always bypasses the firewall by connecting to its proxy server.

                              @KOM:

                              Have you configured WPAD on pfSense?  Opera appears to support WPAD.

                              I haven't configured WPAD on pfsense. I will try to configure WPAD and check how the Opera mini works.

                              "Mastery isn't a natural gift. Its a daily devotion"

                              1 Reply Last reply Reply Quote 0
                              • K
                                KOM
                                last edited by Jan 21, 2015, 3:44 PM

                                Does Turbo mode actually do anything?  How is fetching content from some proxy somewhere over the Ether faster than fetching it from its original source??  Whatever.

                                https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                                In a nutshell:

                                • create wpad.dat:

                                function FindProxyForURL(url,host)
                                {
                                return "PROXY your.proxy.ip.address:3128";
                                }

                                • copy wpad.dat to /usr/local/www
                                • copy /usr/local/www/wpad.dat to wpad.da, wspad.dat and proxy.pac
                                • create WPAD DNS entry that points to your pfSense box
                                • create DHCP option 252 for WPAD and point it to http://pfsense.host.name/wpad.dat
                                • ensure Autodetect Proxy is set in your browser settings
                                1 Reply Last reply Reply Quote 0
                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Jan 21, 2015, 3:48 PM

                                  I'm unsure what you're asking here. Do you want to block all access from opera-mini? Or just the sites blocked for other browsers?
                                  Since Opera mini is not the exclusive browser on any device (as far as I know) blocking it completely may be acceptable for you.

                                  Steve

                                  1 Reply Last reply Reply Quote 0
                                  • N
                                    networkinggeek
                                    last edited by Jan 21, 2015, 4:00 PM

                                    @KOM:

                                    Does Turbo mode actually do anything?  How is fetching content from some proxy somewhere over the Ether faster than fetching it from its original source??  Whatever.

                                    https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

                                    In a nutshell:

                                    • create wpad.dat:

                                    function FindProxyForURL(url,host)
                                    {
                                    return "PROXY your.proxy.ip.address:3128";
                                    }

                                    • copy wpad.dat to /usr/local/www
                                    • copy /usr/local/www/wpad.dat to wpad.da, wspad.dat and proxy.pac
                                    • create WPAD DNS entry that points to your pfSense box
                                    • create DHCP option 252 for WPAD and point it to http://pfsense.host.name/wpad.dat
                                    • ensure Autodetect Proxy is set in your browser settings

                                    I will try this and reply back to the forum  :)

                                    "Mastery isn't a natural gift. Its a daily devotion"

                                    1 Reply Last reply Reply Quote 0
                                    • N
                                      networkinggeek
                                      last edited by Jan 21, 2015, 4:09 PM

                                      @stephenw10:

                                      I'm unsure what you're asking here. Do you want to block all access from opera-mini? Or just the sites blocked for other browsers?
                                      Since Opera mini is not the exclusive browser on any device (as far as I know) blocking it completely may be acceptable for you.

                                      Steve

                                      Sir, I am using pfsense+nsfilter package for URL filtering and YouTube education. I was testing whether filtering is working properly in the desktop/laptops with IE,Chrome, Firefox, Safari and Opera and results were satisfactory. I tested the same in Smartphones and Tablets with the same set of browsers. Apart from Opera Mini every other browser is passing through the firewall and filtering rules are enforced, but in Opera Mini it is completely bypassing the firewall. When I check "What is my IP" in IE, Chrome etc it shows the IP of pfsense, but in Opera mini it is showing different IP. When I went through some docs I found out that Opera Mini appends the header with "X-Forwarded-For" with some different client IP. It is serving webpages through different proxy servers.

                                      Have a look at what it is capable of doing

                                      http://www.theregister.co.uk/2009/11/24/opera_mini_and_china/

                                      "Mastery isn't a natural gift. Its a daily devotion"

                                      1 Reply Last reply Reply Quote 0
                                      • K
                                        KOM
                                        last edited by Jan 21, 2015, 4:18 PM

                                        Definitely block 80 and 443 on LAN.  Force everything to use the proxy or else they don't get to talk.

                                        Thanks for the article.  I now see that the main purpose of their proxy is to lower the bandwidth required, which may or may not speed up browsing but should lower bandwidth used on mobile.

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          stephenw10 Netgate Administrator
                                          last edited by Jan 21, 2015, 5:19 PM

                                          Since the Opera proxy is not intended to bypass filtering, that's not its primary purpose, it might be possible to get a list of its proxy IP addresses and just filter all requests to them. That's if disabling Opera-mini completely is an acceptable solution to you.

                                          Steve

                                          1 Reply Last reply Reply Quote 0
                                          1 out of 26
                                          • First post
                                            1/26
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received