Netgate Discussion Forum

How to block streaming media protocols

    sangour111
    last edited by Nov 28, 2015, 9:38 AM

    Please, how do I block streaming media protocols (RTMP, PNM, RTSP, MMS, RTSPU, RTSPT, MMSU, MMST) in pfSense?

      Harvy66
      last edited by Nov 28, 2015, 3:29 PM

      Most media streaming is over HTTP or HTTPS nowadays. I guess if you wanted to block protocols, then you'd block those two.

      If you want to block media streaming and not the protocols, then you need something that can inspect HTTP/HTTPS and decide if the connection needs to be killed. Depending on your environment, you may or may not be able to do this. HTTPS requires a man-in-the-middle attack to inspect, which is illegal in many contexts, and even if legal, opens up your clients to a slew of most horrible security exploits ranging from getting bank information stolen to remotely installing malware on computers.

        sangour111
        last edited by Nov 29, 2015, 12:01 PM

        @Harvy66:

        Most media streaming is over HTTP or HTTPS nowadays. I guess if you wanted to block protocols, then you'd block those two.

        If you want to block media streaming and not the protocols, then you need something that can inspect HTTP/HTTPS and decide if the connection needs to be killed. Depending on your environment, you may or may not be able to do this. HTTPS requires a man-in-the-middle attack to inspect, which is illegal in many contexts, and even if legal, opens up your clients to a slew of most horrible security exploits ranging from getting bank information stolen to remotely installing malware on computers.

        Thank you
        there is no solution to block  :-\ :-\ :-\

          Harvy66
          last edited by Nov 29, 2015, 3:31 PM

          There are solutions, they're just inherently unsafe for HTTPS. If you don't go the route of a proxy, you can still block DNS entries to make sites like youtube.com not resolve. Some knowledgeable users could get around this, but they should stand out with high amounts of HTTP/HTTPS traffic to IP addresses that reverse resolve to ones in your blacklist.

            sangour111
            last edited by Dec 1, 2015, 2:41 PM

            @Harvy66:

            There are solutions, they're just inherently unsafe for HTTPS. If you don't go the route of a proxy, you can still block DNS entries to make sites like youtube.com not resolve. Some knowledgeable users could get around this, but they should stand out with high amounts of HTTP/HTTPS traffic to IP addresses that reverse resolve to ones in your blacklist.

            DNS block all user with no exception this is the problem.
            Please give a solution, no problem with HTTP/HTTPS traffic.

              johnpoz LAYER 8 Global Moderator
              last edited by Dec 1, 2015, 2:51 PM

              "DNS block all user with no exception this is the problem"

              Says who - you can use views to have some users resolve something and others not. You could have users that are not blocked use nameserver X while users that are blocked use Y.

              There are plenty of solutions to this problem. Content filtering with proxy, blocking resolving via DNS. Blocking rules based upon port and destination. If you want to block HTTPS to IP 1.2.3.4 and only have specific IPs blocked from your network, that is a simple firewall rule. Problem is most of this media is served up off large CDNs that have vast amounts of IPs that change all the time.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                sangour111
                last edited by Dec 1, 2015, 3:14 PM

                @johnpoz:

                "DNS block all user with no exception this is the problem"

                Says who - you can use views to have some users resolve something and others not. You could have users that are not blocked use nameserver X while users that are blocked use Y.

                There are plenty of solutions to this problem. Content filtering with proxy, blocking resolving via DNS. Blocking rules based upon port and destination. If you want to block HTTPS to IP 1.2.3.4 and only have specific IPs blocked from your network, that is a simple firewall rule. Problem is most of this media is served up off large CDNs that have vast amounts of IPs that change all the time.

                Thanks.
                Please, do you have an example with DNS block?  :(
                Or any other solution.

                  johnpoz LAYER 8 Global Moderator
                  last edited by Dec 1, 2015, 4:24 PM

                  What DNS are you using? The resolver and forwarder in pfSense do not allow for views… You would have to use BIND.

                  Create a view with the IPs you want to allow normal access.
                  Create a view with the IPs you don't want to have normal access; in this view assign zones for domains you don't want them to go to, etc.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11
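
The two-view setup johnpoz describes, sketched as a BIND `named.conf` fragment. This is an added example, not configuration posted in the thread; the ACL names, the client addresses, the choice of youtube.com (the domain Harvy66 mentioned) and the file name `blocked.zone` are assumptions.

```conf
// named.conf fragment (constructed example; addresses, names and paths are placeholders)

acl "normal_access" { 192.168.1.10; 192.168.1.11; };  // clients that resolve everything
acl "filtered"      { 192.168.1.0/24; };              // every other LAN client

// Views are tried in order and the first match wins, so the narrower
// ACL must come first or its hosts fall into the filtered view.
// Once views are used, every zone statement has to live inside a view.
view "normal" {
    match-clients { "normal_access"; };
    recursion yes;
};

view "filtered" {
    match-clients { "filtered"; };
    recursion yes;

    // Local authoritative zone that shadows the real domain,
    // but only for clients matched by this view.
    zone "youtube.com" {
        type master;
        file "blocked.zone";
    };
};

/* blocked.zone: SOA and NS only, no A/AAAA records, so the apex returns
   an empty answer and every name below it returns NXDOMAIN.

$TTL 300
@   IN SOA  localhost. root.localhost. ( 1 3600 600 86400 300 )
@   IN NS   localhost.
*/
```

The filtered view only affects clients that actually send their queries to this server, which is why the thread's other suggestions (firewall rules on port and destination, watching for traffic to blacklisted names) still matter alongside it.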

                    sangour111
                    last edited by Dec 3, 2015, 8:24 AM

                    @johnpoz:

                    What DNS are you using? The resolver and forwarder in pfSense do not allow for views… You would have to use BIND.

                    Create a view with the IPs you want to allow normal access.
                    Create a view with the IPs you don't want to have normal access; in this view assign zones for domains you don't want them to go to, etc.

                    I have not installed BIND.
                    I just use the DNS forwarder.

                    "DNS block all user with no exception this is the problem"
