Blocking 443



  • I have one computer on x.x.x.125 (static) that I would like to block port 443. I had set up the rule below:

    Action: block
    Interface: LAN
    Source: x.x.x.125
    Destination port: 443 to 443

    It's listed above the default rules (except the anti lockout rule)

    When I turn the rule on, it blocks all traffic from x.x.x.125 instead of just port 443.

    Could someone give me a hint on what I may have set incorrectly?

    (Backstory in case anyone is interested: I have dansguardian with squid up, but the users on this system are using https proxy sites to bypass the filter.)


  • LAYER 8 Global Moderator

    can you post a screenshot of your rules..

    Are you using public IPs.. why the x.x.x if the address is rfc1918??



  • I'll have to find a host for an image.

    As to the x.x.x, I'm just used to it for documentation. Been writing lots of documentation. The full address is 10.102.1.125.



  • I'll have to find a host for an image.

    You can post images directly to the forum.



  • Here are the rules. The rule is currently disabled to allow internet access on the computer.



  • LAYER 8 Global Moderator

    Well that looks correct.. It would only fire on traffic going to 443 udp and tcp.. If traffic was to anything else it would fall through and your any any rule would fire.

    Sure, internet is broke because he is using a proxy over 443 and you blocked that ;)
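    A small first-match evaluator for the rule set described in this thread, added here as an illustration (it is not pfSense code and not something the poster ran): it shows the moderator's point that only traffic to port 443 hits the block rule, while port 80 or any other port falls through to the default pass rule. The LAN address 10.102.1.1, the anti-lockout ports and the destination 203.0.113.10 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the LAN rule set in this thread. pfSense evaluates
# interface rules top to bottom and the first matching rule wins, so the
# order (anti-lockout, then the block, then the default pass) decides.
# The LAN address 10.102.1.1 and an anti-lockout on 22/80/443 are assumptions.

@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    src: str = "any"                     # CIDR or "any"
    dst: str = "any"                     # CIDR or "any"
    proto: tuple = ("any",)              # e.g. ("tcp", "udp")
    dports: tuple = ((1, 65535),)        # inclusive ranges; "443 to 443" -> ((443, 443),)

def _in(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)

def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    if "any" not in rule.proto and proto not in rule.proto:
        return False
    if not _in(rule.src, src) or not _in(rule.dst, dst):
        return False
    return any(lo <= dport <= hi for lo, hi in rule.dports)

def evaluate(rules, proto, src, dst, dport):
    """Return (action, index of the rule that fired); no match -> implicit deny."""
    for i, rule in enumerate(rules):
        if matches(rule, proto, src, dst, dport):
            return rule.action, i
    return "block", None

LAN_RULES = [
    # anti-lockout: LAN hosts may always reach the firewall's own GUI/SSH ports (assumed ports)
    Rule("pass", dst="10.102.1.1/32", proto=("tcp",), dports=((22, 22), (80, 80), (443, 443))),
    # the poster's rule: block 10.102.1.125 -> any on TCP/UDP 443
    Rule("block", src="10.102.1.125/32", proto=("tcp", "udp"), dports=((443, 443),)),
    # default "LAN net to any" pass rule
    Rule("pass", src="10.102.1.0/24"),
]

if __name__ == "__main__":
    for dport in (443, 80, 8080):
        action, idx = evaluate(LAN_RULES, "tcp", "10.102.1.125", "203.0.113.10", dport)
        print(f"10.102.1.125 -> 203.0.113.10:{dport}/tcp : {action} (rule #{idx})")
```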



  • Heh. Yea, except I came and visited the computer and couldn't access via port 80 either. Strange. At least I know the rule is correct. I'll chase down other possibilities. Thanks for taking a look!



  • Final need: how would I go about allowing the user to get to Google.com (requires https)? I know that they have quite a few IP addresses; is there an updated list for all of Google's IP addresses? (Both for .com and .com.ua, as I live in Ukraine.)

    As to the Internet not being available, seems our router hiccuped at the time of the visit to the machine. ;)



  • It could also perhaps be a server that redirects to 443 from 80.


  • LAYER 8 Global Moderator

    What exactly were you testing on 80, so is it still not working or was it your router hiccup when you were at the machine?  As stated, there are many sites that redirect to 443 nowadays.  So it could have been one of those..  I just checked and unless it's my browser with a cache something, even www.pfsense.org redirects to 443.

    Blocking 443 is going to break a lot of internet for this IP..  Prob better to try and block the proxies he is using with a list?  It's an uphill battle to be sure.



  • For port 80, I used bbc.com to validate the Internet still works with the block. As to blocking individual sites, there are just too many, and new ones are created every day.

    I can see http site logs through light squid to see what is being accessed, but short of putting in a man in the middle, I'm not sure how I could see what https sites are being accessed… Yes, I'm still fairly new to this.

    These are teenaged kids using this computer "for homework", and our view is to block everything and release as needed, since they keep using it for inappropriate sites and we can't be within viewing range 24/7.


  • LAYER 8 Global Moderator

    you do know proxies run on lots of different ports not just 80 or 443..



  • Yea… This is temporary until e2guardian is ready to use with pfSense. But it seems that's on hold until the next major release.

