Blocking Internet access via specific browser



  • Hello Forum,
    I am using pfsense+nsfilter package for blocking URLs. I am encountering a rather strange situation, whatever the filtering rules I have added it is working fine in laptops for all browsers (IE, Chrome, Firefox and Opera). When I check what is my ip it shows ip of the pfsense.

    Now in smartphone and tabs I have same browsers and filtering is working perfectly in Chrome, IE and Firefox but Opera is completely bypassing the firewall. When I check what is my ip in chrome, firefox and I.E it shows IP of pfsense, but when I do the same in Opera it is showing completely different IP. So my question is whether is it possible to force the users to use a specific browser and block other browser?



  • i guess you should ask Northshore ?
    nsfilter is not part of any official pfSense repository as far as i know. I saw it has a paid service … then they should provide support also.

    perhaps others have experience with this package?


  • Banned

    Opera Mini has had history of using proxy and various other crap for ages. Not really sure what you are expecting here.

    http://en.wikipedia.org/wiki/Opera_Mini

    The browser's use of compression and encrypted proxy-based technology to reduce traffic and speed page display has the side effect of allowing it to circumvent several approaches to Internet censorship. … Opera Mini fetches all content through a proxy server and reformats web pages into a format more suitable for small screens. A page is compressed, then delivered to the phone in a markup language called OBML (Opera Binary Markup Language), which Opera Mini can interpret. The data compression makes transfer time about two to three times faster, and the pre-processing improves the display of web pages not designed for small screens



  • @heper:

    i guess you should ask Northshore ?
    nsfilter is not part of any official pfSense repository as far as i know. I saw it has a paid service … then they should provide support also.

    perhaps others have experience with this package?

    Yes sir I have raised this issue to them and I am awaiting their reply. I just thought to ask this in the forum, its better to be informed  :)



  • @doktornotor:

    Opera Mini has had history of using proxy and various other crap for ages. Not really sure what you are expecting here.

    http://en.wikipedia.org/wiki/Opera_Mini

    The browser's use of compression and encrypted proxy-based technology to reduce traffic and speed page display has the side effect of allowing it to circumvent several approaches to Internet censorship. … Opera Mini fetches all content through a proxy server and reformats web pages into a format more suitable for small screens. A page is compressed, then delivered to the phone in a markup language called OBML (Opera Binary Markup Language), which Opera Mini can interpret. The data compression makes transfer time about two to three times faster, and the pre-processing improves the display of web pages not designed for small screens

    Opera browser works fine in the laptop/desktop, I mean all the filtering rules are enforced. The problem is with the Opera browser installed in Smartphones or Tablets, it is taking different proxy altogether


  • Banned

    @networkinggeek:

    Opera browser works fine in the laptop/desktop, I mean all the filtering rules are enforced. The problem is with the Opera browser installed in Smartphones or Tablets, it is taking different proxy altogether

    Yes. The mobile junk is a completely different thing.



  • I went through some blogs and even contacted NSFilter regarding the Opera mini issue. Its been found that Opera Mini appends its header using "X-Forward-For" when sending the traffic out. Here is the link for it http://tiffanybbrown.com/2011/08/11/opera-turbo-and-ip-address-blocking/

    Basically "X-Forward-For" adds IP address of client device/proxy before sending out the traffic. Opera Mini is adding IP of its proxy server in the header, so blocking/disabling "X-Forward-For" might solve the problem.

    I just want to know whether it is possible to block "X-Forwarded-For" traffic in pfsense? If so then how to do it  :)



  • Using Snort

    alert ip any any <> any any (msg:"appID Opera/Opera Mini"; appid: opera opera_mini; classtype:policy-violation; sid:13465012; rev:1;)

    F.


  • Banned

    @fsansfil:

    Using Snort

    I'd rather leave those Opera Mini people browse whatever they wish than break everyone else on the way…



  • Opera Mini people are a dangerous kind… ;)

    "I just want to know whether it is possible to block "X-Forwarded-For" traffic in pfsense? If so then how to do it  :)"

    You can use this rule too...

    alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"No Proxied or Random Agent Spoofer"; content:"X-Forwarded-For"; http_header; classtype:policy-violation; sid:13465013; rev:1;)


  • Banned

    Seriously, have you investigated some saner approaches? Like, blocking outgoing DNS except for whitelisted servers via firewall rules?



  • @doktornotor:

    Seriously, have you investigated some saner approaches? Like, blocking outgoing DNS except for whitelisted servers via firewall rules?

    I tried blocking the DNS queries by adding the following rules
    Rule 1
    Action: Pass
    Protocol: TCP/UDP
    Src: Any
    Src Port: Any
    Dest: Lan Address
    Port : 53 (DNS)

    Rule 2
    Action: Block
    Protocol: TCP/UDP
    Src: Any
    Src Port: Any
    Dest: Any
    Dest Port: 53 (DNS)

    When I enforce these rules I am able to browse the internet normally, but opera mini is still managing to bypass. Either I have done mistake in adding the rules or else opera mini has some really great proxies  :(



  • How is Opera getting around the firewall?  Just because an IP checker comes up with a different value??  If you have a web proxy set up, surely you've blocked LAN access to 80/443 so that nothing can get out past the filter?  Have you configured WPAD on pfSense?  Opera appears to support WPAD.



  • @KOM:

    How is Opera getting around the firewall?  Just because an IP checker comes up with a different value??  If you have a web proxy set up, surely you've blocked LAN access to 80/443 so that nothing can get out past the filter?

    Ok let me explain how Opera and Opera Mini works. The browser has a setting called turbo mode, Opera browser has the option to choose between normal browsing and turbo mode browsing. When in normal mode, it passes through the pfsense, but when turbo mode is enabled it tunnels the traffic through one of its own proxy servers by setting "X-Forwarded-For: IP Address" to serve webpages quickly. On the other hand Opera Mini is by default turbo mode enabled, so it always bypasses the firewall by connecting to its proxy server.

    @KOM:

    Have you configured WPAD on pfSense?  Opera appears to support WPAD.

    I haven't configured WPAD on pfsense. I will try to configure WPAD and check how the Opera mini works.



  • Does Turbo mode actually do anything?  How is fetching content from some proxy somewhere over the Ether faster than fetching it from its original source??  Whatever.

    https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

    In a nutshell:

    • create wpad.dat:

    function FindProxyForURL(url,host)
    {
    return "PROXY your.proxy.ip.address:3128";
    }

    • copy wpad.dat to /usr/local/www
    • copy /usr/local/www/wpad.dat to wpad.da, wspad.dat and proxy.pac
    • create WPAD DNS entry that points to your pfSense box
    • create DHCP option 252 for WPAD and point it to http://pfsense.host.name/wpad.dat
    • ensure Autodetect Proxy is set in your browser settings

  • Netgate Administrator

    I'm unsure what you're asking here. Do you want to block all access from opera-mini? Or just the sites blocked for other browsers?
    Since Opera mini is not the exclusive browser on any device (as far as I know) blocking it completely may be acceptable for you.

    Steve



  • @KOM:

    Does Turbo mode actually do anything?  How is fetching content from some proxy somewhere over the Ether faster than fetching it from its original source??  Whatever.

    https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

    In a nutshell:

    • create wpad.dat:

    function FindProxyForURL(url,host)
    {
    return "PROXY your.proxy.ip.address:3128";
    }

    • copy wpad.dat to /usr/local/www
    • copy /usr/local/www/wpad.dat to wpad.da, wspad.dat and proxy.pac
    • create WPAD DNS entry that points to your pfSense box
    • create DHCP option 252 for WPAD and point it to http://pfsense.host.name/wpad.dat
    • ensure Autodetect Proxy is set in your browser settings

    I will try this and reply back to the forum  :)



  • @stephenw10:

    I'm unsure what you're asking here. Do you want to block all access from opera-mini? Or just the sites blocked for other browsers?
    Since Opera mini is not the exclusive browser on any device (as far as I know) blocking it completely may be acceptable for you.

    Steve

    Sir, I am using pfsense+nsfilter package for URL filtering and YouTube education. I was testing whether filtering is working properly in the desktop/laptops with IE,Chrome, Firefox, Safari and Opera and results were satisfactory. I tested the same in Smartphones and Tablets with the same set of browsers. Apart from Opera Mini every other browser is passing through the firewall and filtering rules are enforced, but in Opera Mini it is completely bypassing the firewall. When I check "What is my IP" in IE, Chrome etc it shows the IP of pfsense, but in Opera mini it is showing different IP. When I went through some docs I found out that Opera Mini appends the header with "X-Forwarded-For" with some different client IP. It is serving webpages through different proxy servers.

    Have a look at what it is capable of doing

    http://www.theregister.co.uk/2009/11/24/opera_mini_and_china/



  • Definitely block 80 and 443 on LAN.  Force everything to use the proxy or else they don't get to talk.

    Thanks for the article.  I now see that the main purpose of their proxy is to lower the bandwidth required, which may or may not speed up browsing but should lower bandwidth used on mobile.


  • Netgate Administrator

    Since the Opera proxy is not intended to bypass filtering, that's not its primary purpose, it might be possible to get a list of its proxy IP addresses and just filter all requests to them. That's if disabling Opera-mini completely is an acceptable solution to you.

    Steve


  • Banned

    @KOM:

    How is Opera getting around the firewall?  Just because an IP checker comes up with a different value??

    It does not use the DHCP assigned DNS server, and it does not use the DHCP assigned proxy either. Kinda obvious when you Google it.



  • Kinda obvious when you Google it.

    Why should I waste my precious time typing like a sucker when I've got people like you to keep me informed?  ;D



  • @stephenw10:

    I'm unsure what you're asking here. Do you want to block all access from opera-mini? Or just the sites blocked for other browsers?
    Since Opera mini is not the exclusive browser on any device (as far as I know) blocking it completely may be acceptable for you.

    Steve

    I believe blocking Opera Mini is part of the solution, their might be many other browsers which work in similar way.



  • @KOM:

    Definitely block 80 and 443 on LAN.  Force everything to use the proxy or else they don't get to talk.

    Thanks for the article.  I now see that the main purpose of their proxy is to lower the bandwidth required, which may or may not speed up browsing but should lower bandwidth used on mobile.

    Sir I am little confused here, blocking port 80/443 with anti-lockout rule disabled or with anti-lockout rule enabled?  :-\



  • blocking port 80/443 with anti-lockout rule disabled or with anti-lockout rule enabled?

    Keep the anti-lockout rule enabled and put the blocks below it.



  • @KOM:

    blocking port 80/443 with anti-lockout rule disabled or with anti-lockout rule enabled?

    Keep the anti-lockout rule enabled and put the blocks below it.

    It is still managing to pass the firewall.
    I have attached the screenshots of the rules I have entered, kindly let me know if I have erred in the rules.

    After the blocking of port 80/443 I have added IP of our DNS server and blocked rest of them in the next rule.

    I have configured NAT or you can say I am Port forwarding the traffic to 3128(HTTP) and 3129(HTTPS)

    ![NAT rules.png](/public/imported_attachments/1/NAT rules.png)
    ![NAT rules.png_thumb](/public/imported_attachments/1/NAT rules.png_thumb)
    ![LAN rules.png](/public/imported_attachments/1/LAN rules.png)
    ![LAN rules.png_thumb](/public/imported_attachments/1/LAN rules.png_thumb)


Log in to reply