How to block streaming media protocols



  • Please,
    how do I block streaming media protocols: RTMP, PNM, RTSP, MMS, RTSPU, RTSPT, MMSU, MMST in pfSense?



  • Most media streaming is over HTTP or HTTPS nowadays. I guess if you wanted to block protocols, then you'd block those two.

    If you want to block media streaming and not the protocols, then you need something that can inspect HTTP/HTTPS and decide if the connection needs to be killed. Depending on your environment, you may or may not be able to do this. HTTPS requires a man-in-the-middle attack to inspect, which is illegal in many contexts, and even if legal, opens up your clients to a slew of most horrible security exploits ranging from getting bank information stolen to remotely installing malware on computers.



  • @Harvy66:

    Most media streaming is over HTTP or HTTPS nowadays. I guess if you wanted to block protocols, then you'd block those two.

    If you want to block media streaming and not the protocols, then you need something that can inspect HTTP/HTTPS and decide if the connection needs to be killed. Depending on your environment, you may or may not be able to do this. HTTPS requires a man-in-the-middle attack to inspect, which is illegal in many contexts, and even if legal, opens up your clients to a slew of most horrible security exploits ranging from getting bank information stolen to remotely installing malware on computers.

    Thank you
    there is no solution to block  :-\ :-\ :-\



  • There are solutions, they're just inherently unsafe for HTTPS. If you don't go the route of a proxy, you can still block DNS entries to make sites like youtube.com not resolve. Some knowledgeable users could get around this, but they should stand out with high amounts of HTTP/HTTPS traffic to IP addresses that reverse resolve to ones in your blacklist.



  • @Harvy66:

    There are solutions, they're just inherently unsafe for HTTPS. If you don't go the route of a proxy, you can still block DNS entries to make sites like youtube.com not resolve. Some knowledgeable users could get around this, but they should stand out with high amounts of HTTP/HTTPS traffic to IP addresses that reverse resolve to ones in your blacklist.

    DNS block all user with no exception this is the problem.
    please give a solution no problem with HTTP/HTTPS traffic


  • LAYER 8 Global Moderator

    "DNS block all user with no exception this is the problem"

    Says who - you can use views to have some users resolve something and others not.  You could have users that are not blocked use nameserver X while users that are blocked to use Y.

    There are plenty of solutions to this problem.  Content filtering with proxy, blocking resolving via DNS.  Blocking rules based upon port and destination.  If you want to block HTTPS to IP 1.2.3.4 and only have specific IPs blocked from your network that is a simple firewall rule.  Problem is most of this media is served up off large CDNs and has vast amounts of IPs that change all the time.



  • @johnpoz:

    "DNS block all user with no exception this is the problem"

    Says who - you can use views to have some users resolve something and others not.  You could have users that are not blocked use nameserver X while users that are blocked to use Y.

    There are plenty of solutions to this problem.  Content filtering with proxy, blocking resolving via DNS.  Blocking rules based upon port and destination.  If you want to block HTTPS to IP 1.2.3.4 and only have specific IPs blocked from your network that is a simple firewall rule.  Problem is most of this media is served up off large CDNs and has vast amounts of IPs that change all the time.

    thanks
    Please, do you have an example with DNS block?  :(
    or any other solution


  • LAYER 8 Global Moderator

    What dns are you using?  resolver and forwarder in pfsense do not allow for views… You would have to use bind.

    Create a view with the IPs you want to allow normal access.
    Create a view with the IPs you don't want normal access, in this view assign zones for domains you don't want to go to, etc.
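
The two-view setup described in the post above, written out as an added example; it is not part of the original thread and not configuration from any poster. The ACL names, addresses and file paths are constructed, and `youtube.com` is used only because the thread names it.

```conf
// named.conf fragment (added example; ACL names, addresses and paths are constructed)

acl "restricted" { 192.168.1.100; 192.168.1.101; };  // hosts that must not resolve blocked domains
acl "lan"        { 192.168.1.0/24; };                // everyone on the LAN

options {
    directory "/var/named";        // assumed path
    allow-query { "lan"; };
};

// Views are evaluated top to bottom and the first match wins,
// so the restricted view has to come before the general one.
view "restricted-view" {
    match-clients { "restricted"; };
    recursion yes;

    // Local authoritative zone that shadows the real domain
    // for clients in this view only.
    zone "youtube.com" {
        type master;
        file "blocked.zone";
    };
};

view "normal-view" {
    match-clients { "lan"; };
    recursion yes;
    // No override zones here: names resolve normally.
};

// Contents of /var/named/blocked.zone (one file can back every blocked zone):
//   $TTL 300
//   @  IN SOA localhost. root.localhost. ( 1 3600 600 86400 300 )
//   @  IN NS  localhost.
// With no A/AAAA records, the apex answers NODATA and every
// subdomain answers NXDOMAIN for clients in the restricted view.
```

Views select on the source address of the query, so this only has an effect when the restricted hosts actually send their DNS queries to this server.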



  • @johnpoz:

    What dns are you using?  resolver and forwarder in pfsense do not allow for views… You would have to use bind.

    Create a view with the IPs you want to allow normal access.
    Create a view with the IPs you don't want normal access, in this view assign zones for domains you don't want to go to, etc.

    I have not installed BIND,
    I just use the DNS forwarder

    "DNS block all user with no exception this is the problem"

