Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Bypass rules for Netflix AWS servers?

    Firewalling
    4
    22
    5011
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      FlashEngineer last edited by

      I've tried again and again but I am unable to correctly allow netflix to bypass VPN with alias entries in firewall rules.

      At one point, I had a list which contains 35000 IP entries from using pfblockerNG to gather ASN entries.

      Still somehow netflix detected my VPN.

      Does anyone have any info on this or help?  Is it more complicated than just accessing the AWS servers from IP, does it matter which DNS server is resolving netflix's domain?

      1 Reply Last reply Reply Quote 0
      • F
        FlashEngineer last edited by

        Update, not sure if I'm reading the states correctly, but somehow even my 1500 alias list of networks being used in a rule, still the rule after (to pass other traffic) shows leaking.

        What I mean is, the IP belongs in the /24 of that network yet it still got evaluated passed the "netflix" rule into the next rule.

        Is this normal or just something with pfsense can't filter that many networks?

        1 Reply Last reply Reply Quote 0
        • johnpoz
          johnpoz LAYER 8 Global Moderator last edited by

          Dude what are you trying to do exactly??  You have some policy based rule sending traffic out to some vpn gateway, and you want a device not to use it, or all devices not to use it when going to a specific location?

          Lets see your rules on this interface..  Rules are top down, first rule wins.. If you do not want something to go out a vpn interface on pfsense then you need to have a rule above that allows that traffic.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

          1 Reply Last reply Reply Quote 0
          • F
            FlashEngineer last edited by

            @johnpoz:

            Dude what are you trying to do exactly??  You have some policy based rule sending traffic out to some vpn gateway, and you want a device not to use it, or all devices not to use it when going to a specific location?

            Lets see your rules on this interface..  Rules are top down, first rule wins.. If you do not want something to go out a vpn interface on pfsense then you need to have a rule above that allows that traffic.

            Yup exactly as you said.

            I purposely blocked the last rule so nothing can go out except what's listed in that alias.  The alias is just whitelist of Netflix's CDN servers.  It's a list about 1500 networks.  An excerpt of the alias is:

            23.20.0.0/15
            50.16.0.0/16
            50.19.128.0/17

            etc etc

            I can't load up netflix, it doesn't stream which means something is not working.  I check the states of the rule and some IP like eg:  23.20.0.12 is being evaluated, when it shouldn't have even gone passed the 2nd rule since 23.20.0.12 is in 23.20.0.0/15 subnet correct?


            1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by

              netflix likes to use outside dns… So that would not be passed by your rfc1918 alias..  So you would need a rule to let it out dns I would think as well.

              I would log on your last rule to see what pfsense is blocking that its trying to do.

              edit:
              Wouldn't it be easier to just put in the IP of your netflix devices and let them go anywhere they want vs trying to whitelist everywhere they might go?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

              1 Reply Last reply Reply Quote 0
              • F
                FlashEngineer last edited by

                How do you log a rule?

                1 Reply Last reply Reply Quote 0
                • F
                  FlashEngineer last edited by

                  Not easy to just allow device since netflix is use on mobile devices and desktop machines.

                  1 Reply Last reply Reply Quote 0
                  • johnpoz
                    johnpoz LAYER 8 Global Moderator last edited by

                    To log a rule, edit it and check the little box that log near bottom of the form.


                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                    1 Reply Last reply Reply Quote 0
                    • F
                      FlashEngineer last edited by

                      Checked, and somehow pfsense fails to filter out rule, maybe there's a limit on how many networks you can have?

                      One specific example I checked from firewall logs:

                      S:  10.1.1.2:45900   D:  50.112.127.218:443   TCP:S

                      In my alias rules there is one line:

                      50.112.0.0/17

                      /17 = 50.112.0.1 to 50.112.127.254, clearly that IP falls into the range.

                      So I chalk this up to either too large of alias network list or pfsense bug.

                      1 Reply Last reply Reply Quote 0
                      • johnpoz
                        johnpoz LAYER 8 Global Moderator last edited by

                        Would seem odd for something to get missed, is that entry at the end of the list where might not of gotten loaded like you said if the alias list is too long?

                        Where did you come up with the /17, I show amazon owning that whole /16

                        NetRange:      50.112.0.0 - 50.112.255.255
                        CIDR:          50.112.0.0/16
                        NetName:        AMAZON-EC2-USWESTOR

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                        1 Reply Last reply Reply Quote 0
                        • F
                          FlashEngineer last edited by

                          @johnpoz:

                          Would seem odd for something to get missed, is that entry at the end of the list where might not of gotten loaded like you said if the alias list is too long?

                          Where did you come up with the /17, I show amazon owning that whole /16

                          NetRange:      50.112.0.0 - 50.112.255.255
                          CIDR:          50.112.0.0/16
                          NetName:        AMAZON-EC2-USWESTOR

                          Line 2550 out of 3409 in the lastest version of this alias I'm testing.

                          So not really near the end.

                          I use https://ipinfo.io/ and filter by ASN after I find an IP address that's not part of current list of ASN.

                          Not sure another way to do this but it seems hopeless as 3400+ networks is crazy enough.

                          I'm pretty sure netflix doesn't use all of them to host, but problem is finding which ones are used for Canada.

                          1 Reply Last reply Reply Quote 0
                          • johnpoz
                            johnpoz LAYER 8 Global Moderator last edited by

                            well you could log the traffic and just open up the networks that are being blocked for netflix.

                            Still a bit hazy on what your trying to do exactly?  Why do you want these devices to only use netflix and nothing else?

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                            1 Reply Last reply Reply Quote 0
                            • F
                              FlashEngineer last edited by

                              @johnpoz:

                              well you could log the traffic and just open up the networks that are being blocked for netflix.

                              Still a bit hazy on what your trying to do exactly?  Why do you want these devices to only use netflix and nothing else?

                              It's dynamic though, that's why another post on reddit someone used ASN to filter out the whole range of networks.

                              I don't want to block it, I just want any device streaming netflix to not use a VPN gateway, obviously because netflix blocks any VPN usage.

                              It's really horrible how people that want to use netflix, will have to disable their security for internet use so that netflix satisfies the content providers aging concepts of geographical rules.

                              It would be simpler for netflix just to match the billing country with access of that account so people could use a VPN in same country.

                              What's stopping me from hosting my pfsense firewall as a OpenVPN server for friends/family who aren't in Canada to watch netflix?

                              1 Reply Last reply Reply Quote 0
                              • johnpoz
                                johnpoz LAYER 8 Global Moderator last edited by

                                "obviously because netflix blocks any VPN usage."

                                They don't block all vpn usage, they only block vpn providers they know about ;)

                                How exactly are you using your vpn as security?  You feel that your isp is spying on you?  So you want to tunnel your traffic past your isp?  Your willing to not hide your netflix traffic it seems ;)

                                So why don't you just tunnel the specific dest you want to hide from your isp down the vpn.. This would be a simpler solution then try and map out the huge CDN that could be used to serve netflix and not send that down the tunnel.

                                I could see using a vpn if your on network that is open, say a hotspot or something..  But I really don't get the desire to hide all your traffic from your isp.  Seems your making your life difficult for what exactly?  Hiding that you go to pfsense.org from your isp??

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                                1 Reply Last reply Reply Quote 0
                                • F
                                  FlashEngineer last edited by

                                  Snowden

                                  :)

                                  It's not that I have something to hide, but I don't want my traffic/logs/generated data to be analyzed if not now, but in the future by my government and at that time deemed to be flagged for investigation.

                                  Lots of good info on here:

                                  http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html

                                  If I'm at a hotspot, I would just use my pfsense VPN to login and not bother with the other providers as even my VPN server has VPN gateway.

                                  I don't believe in the concept of "If you have nothing to hide, then why hide it"

                                  @johnpoz:

                                  "obviously because netflix blocks any VPN usage."

                                  They don't block all vpn usage, they only block vpn providers they know about ;)

                                  How exactly are you using your vpn as security?  You feel that your isp is spying on you?  So you want to tunnel your traffic past your isp?  Your willing to not hide your netflix traffic it seems ;)

                                  So why don't you just tunnel the specific dest you want to hide from your isp down the vpn.. This would be a simpler solution then try and map out the huge CDN that could be used to serve netflix and not send that down the tunnel.

                                  I could see using a vpn if your on network that is open, say a hotspot or something..  But I really don't get the desire to hide all your traffic from your isp.  Seems your making your life difficult for what exactly?  Hiding that you go to pfsense.org from your isp??

                                  1 Reply Last reply Reply Quote 0
                                  • johnpoz
                                    johnpoz LAYER 8 Global Moderator last edited by

                                    You do understand your just handing over all your traffic to the vpn provider ;)  And they very well could be handing over all of that info to your gov, or the ninjas in black..

                                    Your not really hiding what your doing with a vpn, your just moving the unencrypted endpoint of your traffic to a different spot.. Seems to me your going to a lot of headache for no real reason to be honest.

                                    Most of your traffic should be encrypted these days anyway.. So all your isp would know is that you talked to this IP via https for example.. What you did in that tunnel would be anyones guess.

                                    As to if the gov wanted to spy on you.. Pretty sure they would just infect your machines and get all the info they wanted right from the source..

                                    I am all for the encryption of traffic to and from 2 people..  For example your isp doesn't really need to know what you ordered off amazon just by sniffing the traffic at their router..  But trying to hide the fact that you went to amazon from your isp is a bit over the top if you ask me.

                                    Good luck mapping out the thousands of networks that neflix might use to serve up their content..  Which most likely changes by the hour..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                                    1 Reply Last reply Reply Quote 0
                                    • A
                                      AR15USR last edited by

                                      @OP: You wouldn't happen to be running Squid would you?


                                      2.4.5-RELEASE-p1 (amd64)

                                      1 Reply Last reply Reply Quote 0
                                      • F
                                        FlashEngineer last edited by

                                        @johnpoz:

                                        You do understand your just handing over all your traffic to the vpn provider ;)  And they very well could be handing over all of that info to your gov, or the ninjas in black..

                                        Your not really hiding what your doing with a vpn, your just moving the unencrypted endpoint of your traffic to a different spot.. Seems to me your going to a lot of headache for no real reason to be honest.

                                        Most of your traffic should be encrypted these days anyway.. So all your isp would know is that you talked to this IP via https for example.. What you did in that tunnel would be anyones guess.

                                        As to if the gov wanted to spy on you.. Pretty sure they would just infect your machines and get all the info they wanted right from the source..

                                        I am all for the encryption of traffic to and from 2 people..  For example your isp doesn't really need to know what you ordered off amazon just by sniffing the traffic at their router..  But trying to hide the fact that you went to amazon from your isp is a bit over the top if you ask me.

                                        Good luck mapping out the thousands of networks that neflix might use to serve up their content..  Which most likely changes by the hour..

                                        It's more for real time decryption of traffic.  NSA is able to decrypt even some OpenVPN and most HTTPS traffic.  Going through a VPN at least there's a bit more encryption using 128AES or whatever encryption they offer.

                                        1 Reply Last reply Reply Quote 0
                                        • F
                                          FlashEngineer last edited by

                                          @AR15USR:

                                          @OP: You wouldn't happen to be running Squid would you?

                                          Nope nothing.

                                          1 Reply Last reply Reply Quote 0
                                          • J
                                            JasonJoel last edited by

                                            @FlashEngineer:

                                            @johnpoz:

                                            You do understand your just handing over all your traffic to the vpn provider ;)  And they very well could be handing over all of that info to your gov, or the ninjas in black..

                                            Your not really hiding what your doing with a vpn, your just moving the unencrypted endpoint of your traffic to a different spot.. Seems to me your going to a lot of headache for no real reason to be honest.

                                            Most of your traffic should be encrypted these days anyway.. So all your isp would know is that you talked to this IP via https for example.. What you did in that tunnel would be anyones guess.

                                            As to if the gov wanted to spy on you.. Pretty sure they would just infect your machines and get all the info they wanted right from the source..

                                            I am all for the encryption of traffic to and from 2 people..  For example your isp doesn't really need to know what you ordered off amazon just by sniffing the traffic at their router..  But trying to hide the fact that you went to amazon from your isp is a bit over the top if you ask me.

                                            Good luck mapping out the thousands of networks that neflix might use to serve up their content..  Which most likely changes by the hour..

                                            It's more for real time decryption of traffic.  NSA is able to decrypt even some OpenVPN and most HTTPS traffic.  Going through a VPN at least there's a bit more encryption using 128AES or whatever encryption they offer.

                                            While I'm not at liberty give details on what can/can't be decrypted - I can assure you VPN can, and is, decrypted at times - and it certainly doesn't take the NSA's resources to do it.

                                            1 Reply Last reply Reply Quote 0
                                            • A
                                              AR15USR last edited by

                                              While I'm not at liberty give details on what can/can't be decrypted - I can assure you VPN can, and is, decrypted at times - and it certainly doesn't take the NSA's resources to do it.

                                              Not doubting you, but I'd like to see proof of that…


                                              2.4.5-RELEASE-p1 (amd64)

                                              1 Reply Last reply Reply Quote 0
                                              • J
                                                JasonJoel last edited by

                                                Go to blackhat this summer, there are always interesting proof of concepts there.

                                                The issue is that it isn't practical for most to do in brute force. It is much easier to crack/get the VPN password from a client and then decrypt natively via interception. Obviously that is a multi-step / multi-factor circumvention of the encrypted tunnel, but still possible.

                                                VPN is still useful, and still overall effective. It just isn't 100% guaranteed to be such if you have a determined attacker. But for anything else it can hold up (unless they compromise one of your VPN endpoint/clients directly… ;) ).

                                                1 Reply Last reply Reply Quote 0
                                                • First post
                                                  Last post