Bypass rules for Netflix AWS servers?



  • I've tried again and again but I am unable to correctly allow netflix to bypass VPN with alias entries in firewall rules.

    At one point, I had a list which contains 35000 IP entries from using pfblockerNG to gather ASN entries.

    Still somehow netflix detected my VPN.

    Does anyone have any info on this or help?  Is it more complicated than just accessing the AWS servers from IP, does it matter which DNS server is resolving netflix's domain?



  • Update, not sure if I'm reading the states correctly, but somehow even my 1500 alias list of networks being used in a rule, still the rule after (to pass other traffic) shows leaking.

    What I mean is, the IP belongs in the /24 of that network yet it still got evaluated passed the "netflix" rule into the next rule.

    Is this normal or just something with pfsense can't filter that many networks?


  • LAYER 8 Global Moderator

    Dude what are you trying to do exactly??  You have some policy based rule sending traffic out to some vpn gateway, and you want a device not to use it, or all devices not to use it when going to a specific location?

    Lets see your rules on this interface..  Rules are top down, first rule wins.. If you do not want something to go out a vpn interface on pfsense then you need to have a rule above that allows that traffic.



  • @johnpoz:

    Dude what are you trying to do exactly??  You have some policy based rule sending traffic out to some vpn gateway, and you want a device not to use it, or all devices not to use it when going to a specific location?

    Lets see your rules on this interface..  Rules are top down, first rule wins.. If you do not want something to go out a vpn interface on pfsense then you need to have a rule above that allows that traffic.

    Yup exactly as you said.

    I purposely blocked the last rule so nothing can go out except what's listed in that alias.  The alias is just whitelist of Netflix's CDN servers.  It's a list about 1500 networks.  An excerpt of the alias is:

    23.20.0.0/15
    50.16.0.0/16
    50.19.128.0/17

    etc etc

    I can't load up netflix, it doesn't stream which means something is not working.  I check the states of the rule and some IP like eg:  23.20.0.12 is being evaluated, when it shouldn't have even gone passed the 2nd rule since 23.20.0.12 is in 23.20.0.0/15 subnet correct?



  • LAYER 8 Global Moderator

    netflix likes to use outside dns… So that would not be passed by your rfc1918 alias..  So you would need a rule to let it out dns I would think as well.

    I would log on your last rule to see what pfsense is blocking that its trying to do.

    edit:
    Wouldn't it be easier to just put in the IP of your netflix devices and let them go anywhere they want vs trying to whitelist everywhere they might go?



  • How do you log a rule?



  • Not easy to just allow device since netflix is use on mobile devices and desktop machines.


  • LAYER 8 Global Moderator

    To log a rule, edit it and check the little box that log near bottom of the form.




  • Checked, and somehow pfsense fails to filter out rule, maybe there's a limit on how many networks you can have?

    One specific example I checked from firewall logs:

    S:  10.1.1.2:45900   D:  50.112.127.218:443   TCP:S

    In my alias rules there is one line:

    50.112.0.0/17

    /17 = 50.112.0.1 to 50.112.127.254, clearly that IP falls into the range.

    So I chalk this up to either too large of alias network list or pfsense bug.


  • LAYER 8 Global Moderator

    Would seem odd for something to get missed, is that entry at the end of the list where might not of gotten loaded like you said if the alias list is too long?

    Where did you come up with the /17, I show amazon owning that whole /16

    NetRange:      50.112.0.0 - 50.112.255.255
    CIDR:          50.112.0.0/16
    NetName:        AMAZON-EC2-USWESTOR



  • @johnpoz:

    Would seem odd for something to get missed, is that entry at the end of the list where might not of gotten loaded like you said if the alias list is too long?

    Where did you come up with the /17, I show amazon owning that whole /16

    NetRange:      50.112.0.0 - 50.112.255.255
    CIDR:          50.112.0.0/16
    NetName:        AMAZON-EC2-USWESTOR

    Line 2550 out of 3409 in the lastest version of this alias I'm testing.

    So not really near the end.

    I use https://ipinfo.io/ and filter by ASN after I find an IP address that's not part of current list of ASN.

    Not sure another way to do this but it seems hopeless as 3400+ networks is crazy enough.

    I'm pretty sure netflix doesn't use all of them to host, but problem is finding which ones are used for Canada.


  • LAYER 8 Global Moderator

    well you could log the traffic and just open up the networks that are being blocked for netflix.

    Still a bit hazy on what your trying to do exactly?  Why do you want these devices to only use netflix and nothing else?



  • @johnpoz:

    well you could log the traffic and just open up the networks that are being blocked for netflix.

    Still a bit hazy on what your trying to do exactly?  Why do you want these devices to only use netflix and nothing else?

    It's dynamic though, that's why another post on reddit someone used ASN to filter out the whole range of networks.

    I don't want to block it, I just want any device streaming netflix to not use a VPN gateway, obviously because netflix blocks any VPN usage.

    It's really horrible how people that want to use netflix, will have to disable their security for internet use so that netflix satisfies the content providers aging concepts of geographical rules.

    It would be simpler for netflix just to match the billing country with access of that account so people could use a VPN in same country.

    What's stopping me from hosting my pfsense firewall as a OpenVPN server for friends/family who aren't in Canada to watch netflix?


  • LAYER 8 Global Moderator

    "obviously because netflix blocks any VPN usage."

    They don't block all vpn usage, they only block vpn providers they know about ;)

    How exactly are you using your vpn as security?  You feel that your isp is spying on you?  So you want to tunnel your traffic past your isp?  Your willing to not hide your netflix traffic it seems ;)

    So why don't you just tunnel the specific dest you want to hide from your isp down the vpn.. This would be a simpler solution then try and map out the huge CDN that could be used to serve netflix and not send that down the tunnel.

    I could see using a vpn if your on network that is open, say a hotspot or something..  But I really don't get the desire to hide all your traffic from your isp.  Seems your making your life difficult for what exactly?  Hiding that you go to pfsense.org from your isp??



  • Snowden

    :)

    It's not that I have something to hide, but I don't want my traffic/logs/generated data to be analyzed if not now, but in the future by my government and at that time deemed to be flagged for investigation.

    Lots of good info on here:

    http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html

    If I'm at a hotspot, I would just use my pfsense VPN to login and not bother with the other providers as even my VPN server has VPN gateway.

    I don't believe in the concept of "If you have nothing to hide, then why hide it"

    @johnpoz:

    "obviously because netflix blocks any VPN usage."

    They don't block all vpn usage, they only block vpn providers they know about ;)

    How exactly are you using your vpn as security?  You feel that your isp is spying on you?  So you want to tunnel your traffic past your isp?  Your willing to not hide your netflix traffic it seems ;)

    So why don't you just tunnel the specific dest you want to hide from your isp down the vpn.. This would be a simpler solution then try and map out the huge CDN that could be used to serve netflix and not send that down the tunnel.

    I could see using a vpn if your on network that is open, say a hotspot or something..  But I really don't get the desire to hide all your traffic from your isp.  Seems your making your life difficult for what exactly?  Hiding that you go to pfsense.org from your isp??


  • LAYER 8 Global Moderator

    You do understand your just handing over all your traffic to the vpn provider ;)  And they very well could be handing over all of that info to your gov, or the ninjas in black..

    Your not really hiding what your doing with a vpn, your just moving the unencrypted endpoint of your traffic to a different spot.. Seems to me your going to a lot of headache for no real reason to be honest.

    Most of your traffic should be encrypted these days anyway.. So all your isp would know is that you talked to this IP via https for example.. What you did in that tunnel would be anyones guess.

    As to if the gov wanted to spy on you.. Pretty sure they would just infect your machines and get all the info they wanted right from the source..

    I am all for the encryption of traffic to and from 2 people..  For example your isp doesn't really need to know what you ordered off amazon just by sniffing the traffic at their router..  But trying to hide the fact that you went to amazon from your isp is a bit over the top if you ask me.

    Good luck mapping out the thousands of networks that neflix might use to serve up their content..  Which most likely changes by the hour..



  • @OP: You wouldn't happen to be running Squid would you?



  • @johnpoz:

    You do understand your just handing over all your traffic to the vpn provider ;)  And they very well could be handing over all of that info to your gov, or the ninjas in black..

    Your not really hiding what your doing with a vpn, your just moving the unencrypted endpoint of your traffic to a different spot.. Seems to me your going to a lot of headache for no real reason to be honest.

    Most of your traffic should be encrypted these days anyway.. So all your isp would know is that you talked to this IP via https for example.. What you did in that tunnel would be anyones guess.

    As to if the gov wanted to spy on you.. Pretty sure they would just infect your machines and get all the info they wanted right from the source..

    I am all for the encryption of traffic to and from 2 people..  For example your isp doesn't really need to know what you ordered off amazon just by sniffing the traffic at their router..  But trying to hide the fact that you went to amazon from your isp is a bit over the top if you ask me.

    Good luck mapping out the thousands of networks that neflix might use to serve up their content..  Which most likely changes by the hour..

    It's more for real time decryption of traffic.  NSA is able to decrypt even some OpenVPN and most HTTPS traffic.  Going through a VPN at least there's a bit more encryption using 128AES or whatever encryption they offer.



  • @AR15USR:

    @OP: You wouldn't happen to be running Squid would you?

    Nope nothing.



  • @FlashEngineer:

    @johnpoz:

    You do understand your just handing over all your traffic to the vpn provider ;)  And they very well could be handing over all of that info to your gov, or the ninjas in black..

    Your not really hiding what your doing with a vpn, your just moving the unencrypted endpoint of your traffic to a different spot.. Seems to me your going to a lot of headache for no real reason to be honest.

    Most of your traffic should be encrypted these days anyway.. So all your isp would know is that you talked to this IP via https for example.. What you did in that tunnel would be anyones guess.

    As to if the gov wanted to spy on you.. Pretty sure they would just infect your machines and get all the info they wanted right from the source..

    I am all for the encryption of traffic to and from 2 people..  For example your isp doesn't really need to know what you ordered off amazon just by sniffing the traffic at their router..  But trying to hide the fact that you went to amazon from your isp is a bit over the top if you ask me.

    Good luck mapping out the thousands of networks that neflix might use to serve up their content..  Which most likely changes by the hour..

    It's more for real time decryption of traffic.  NSA is able to decrypt even some OpenVPN and most HTTPS traffic.  Going through a VPN at least there's a bit more encryption using 128AES or whatever encryption they offer.

    While I'm not at liberty give details on what can/can't be decrypted - I can assure you VPN can, and is, decrypted at times - and it certainly doesn't take the NSA's resources to do it.



  • While I'm not at liberty give details on what can/can't be decrypted - I can assure you VPN can, and is, decrypted at times - and it certainly doesn't take the NSA's resources to do it.

    Not doubting you, but I'd like to see proof of that…



  • Go to blackhat this summer, there are always interesting proof of concepts there.

    The issue is that it isn't practical for most to do in brute force. It is much easier to crack/get the VPN password from a client and then decrypt natively via interception. Obviously that is a multi-step / multi-factor circumvention of the encrypted tunnel, but still possible.

    VPN is still useful, and still overall effective. It just isn't 100% guaranteed to be such if you have a determined attacker. But for anything else it can hold up (unless they compromise one of your VPN endpoint/clients directly… ;) ).


Log in to reply