Author Topic: Firewall failed to block the mentioned IP's  (Read 2365 times)

Zent User

  • Zen Warrior
  • ***
  • Posts: 121
  • Karma: +1/-3
Firewall failed to block the mentioned IP's
« on: November 06, 2012, 06:28:08 am »
As HTTP Proxy is unable to do anything with HTTPS requests, I followed the suggestion in previous forum posts and chose Firewall to block HTTPS sites. For that I've created an object with the addresses I need to block, but when I enter https://blocked-ip or https://blocked-web-site-name the web site still opens. What's the problem?
Regards
Zent User

Escorpiom

  • Zen Hero
  • *****
  • Posts: 897
  • Karma: +25/-1
Re: Firewall failed to block the mentioned IP's
« Reply #1 on: November 06, 2012, 06:32:29 am »
Hi, this can have several causes:

- Object created wrongly (spaces, caps, underscores or dots in the names)
- The site to be blocked has several IP addresses
- The rule itself has not been set correctly
- The rule has been defined in the wrong section

Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

Zent User

  • Zen Warrior
  • ***
  • Posts: 121
  • Karma: +1/-3
Re: Firewall failed to block the mentioned IP's
« Reply #2 on: November 06, 2012, 06:54:07 am »
Thanks for your response. I'm attaching a few images with this reply: the first one is the object I've created, the second one is where I've written the rule (Filtering rules for internal networks), and the third one is the window where the blocked site opens when I enter the site name instead of the IP.

How can we find all IPs of a particular web site?
Regards
Zent User

Escorpiom

  • Zen Hero
  • *****
  • Posts: 897
  • Karma: +25/-1
Re: Firewall failed to block the mentioned IP's
« Reply #3 on: November 06, 2012, 07:53:50 am »
Well, here we go... I can't view attachments due to weird restrictions on my account, so please put them on some image hosting site so I can see them.
It's difficult to see all IP addresses for a given site, especially sites like Facebook, which work with geolocation and load balancing. You can get one set of IPs now, another set tomorrow.
What are you trying to block? 

Cheers. 
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

Zent User

  • Zen Warrior
  • ***
  • Posts: 121
  • Karma: +1/-3
Re: Firewall failed to block the mentioned IP's
« Reply #4 on: November 06, 2012, 08:10:25 am »
If it is difficult to block using IPs, then I don't understand what the use of Firewall in Zentyal is. Why don't we have something like HTTP Proxy for HTTPS?
Regards
Zent User

christian

  • Guest
Re: Firewall failed to block the mentioned IP's
« Reply #5 on: November 06, 2012, 09:25:50 am »
@Zent user:

You have created quite a lot of threads, all based on one single statement meaning more or less:
"Zentyal proxy can't block sites and Zentyal firewall doesn't work".

I will not discuss the fact that such a comment is unfair, at least at this stage. My main point is to say: "why don't you discuss this in one single thread so that everyone can follow and understand your concern and perhaps bring a solution?"

What you do doesn't make sense unless one reads everything and compiles your different inputs  ::)

christian

  • Guest
Re: Firewall failed to block the mentioned IP's
« Reply #6 on: November 06, 2012, 09:33:45 am »
Back to your problem:

I'm pretty convinced that the main issue is not with Zentyal but with your understanding of what proxy, mail and firewall are, or at least how they work.
Zentyal can perfectly block HTTP or HTTPS sites using the proxy, but this means that you do have to use an explicit proxy (not a transparent proxy).
Once you understand what this, technically speaking, means, if your decision (or constraint) is not to use an explicit proxy, then blocking HTTPS access using the firewall will, for sure, be a nightmare and you might not be satisfied with it. It doesn't mean the firewall doesn't work  ::) it means that you are using the wrong tool to reach your goal.

Can you see the difference  ???

Keep in mind that the firewall is not the only way to restrict access to the internet. You can fool the browser by adding entries in the "/etc/hosts" file or in Zentyal DNS  ;)
This is still not perfect because, as HTTPS doesn't use the proxy, blocking access by IP address will not work, but this may help a bit.

Zent User

  • Zen Warrior
  • ***
  • Posts: 121
  • Karma: +1/-3
Re: Firewall failed to block the mentioned IP's
« Reply #7 on: November 06, 2012, 09:35:12 am »
@Christian

     I've posted a lot of questions regarding this type of issue in our forum, but I've not got any worthwhile answer up to now. Anyhow, my major concern is:

   "HTTP Proxy won't block HTTPS requests/sites; for that we have to go for Firewall. In our efficient ;) Firewall we need to mention only IPs in the form of objects or something else. Even if we write a rule, Firewall makes fools of us ;) when a user enters something like https://site-name (whose IP is actually blocked by the firewall) in the address bar of the browser, by opening the site."
Regards
Zent User

christian

  • Guest
Re: Firewall failed to block the mentioned IP's
« Reply #8 on: November 06, 2012, 09:48:50 am »
As I wrote, you just don't understand how all this stuff works  :-[

Let me try to explain it to you:

- if you use a transparent proxy, then HTTPS goes directly to the default gateway (here Zentyal) and bypasses the HTTP proxy. This does mean that proxy access control can NOT be used in case you implement a transparent proxy. If controlling access to HTTPS is a must, then using an explicit proxy is mandatory and control is done at proxy level.

- if for some reason you don't want to or can't use an explicit proxy, you can only implement some workaround at firewall and/or DNS level, but this will never block everything like the proxy could do. Blocking access using IP at proxy level is not relevant here as you don't use the proxy for HTTPS  :P

- There is nothing magic: you can't have the benefit of both "transparent" and "explicit" proxy and you have to decide which one is best for you. But once the decision is made, do not complain that you don't have the benefit of the other design  >:(

- Last but not least: one specific design could help you (although such an approach requires a very clear understanding of how this works): stack Zentyal with another "external" proxy implementing "man-in-the-middle" so that you can catch HTTPS transparently and apply filtering rules.

BTW, why do you write that you didn't get any answer? I can see multiple members having tried to explain to you how this works. Do you mean "no one provided me with the magic configuration I'm looking for"? Sure, this doesn't exist, that's it...

Marcus

  • Forum Moderator
  • Zen Samurai
  • *****
  • Posts: 395
  • Karma: +12/-0
Re: Firewall failed to block the mentioned IP's
« Reply #9 on: November 06, 2012, 12:31:37 pm »
Hello,

First off, you must understand that many "high traffic websites" are using load balancers along with multiple IPs.
From that point, you must be aware that "ubuntuone.com" does use multiple IPs. You'll have to know all of them in order to block it using IPTables. Otherwise the DNS fallback will auto-switch/try other IPs that are listed in the "A" records.

If you are using Ubuntu for desktop:
Fire up the "Network Tool" and do a "lookup" on "ubuntuone.com". You'll see for yourself what I meant...

Enough said, this may be the solution to your problem:
In the DNS module, simply add "ubuntuone.com" with IP "127.0.0.1".

Your DNS server will redirect all requests, regardless of the port or service requested, to the user's desktop (127.0.0.1).

Best,

Marcus

christian

  • Guest
Re: Firewall failed to block the mentioned IP's
« Reply #10 on: November 06, 2012, 12:44:16 pm »
Marcus,

Valid point, with however some drawbacks:
- this doesn't prevent users from accessing HTTPS using the IP address, as the proxy doesn't block it (the proxy not being used for HTTPS)
- dealing with redirection to localhost at DNS level has one side effect, which is to handle the target domain in Zentyal DNS, meaning other hosts from the same domain can't be reached anymore unless you maintain them, because Zentyal will think it is authoritative for this domain (unless I'm wrong). This is the reason why I would suggest, even if I don't like the idea  :-\ handling it at /etc/hosts file level.
- this also assumes that users are using Zentyal DNS, which is not guaranteed. Remember that in transparent proxy mode, name resolution is done at browser level, while it is done at Zentyal level when using an explicit proxy.
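
The following is an added example (not from this thread, and not Zentyal's own code) that models the three enforcement points discussed in replies #3, #8, #9 and #10 above: a firewall object built from a site's A records, a DNS or /etc/hosts override to 127.0.0.1, and an explicit proxy that sees the CONNECT target. It checks each against the three client behaviours the thread describes: a browser typing the name, a browser typing the raw IP, and the site answering with a new address tomorrow. The hostname, the resolution tables and the RFC 5737 test addresses are constructed for the example; the iptables chain name is a hypothetical placeholder, and the proxy check stands in for a destination-domain ACL on CONNECT requests rather than reproducing any real proxy configuration.

```python
"""Added example: which blocking technique survives which client behaviour.

Everything below is constructed data, not real DNS answers or real rules.
"""
import ipaddress

# Constructed DNS answers for a load-balanced site (reply #3, reply #9): the set
# of A records differs between two lookups, and tomorrow's first answer is new.
DNS_TODAY = {"blocked.example": ["192.0.2.10", "192.0.2.11", "198.51.100.7"]}
DNS_TOMORROW = {"blocked.example": ["203.0.113.42", "192.0.2.10"]}
SITE_IPS = set(DNS_TODAY["blocked.example"]) | set(DNS_TOMORROW["blocked.example"])


def firewall_object(hostname, resolver):
    """The IP set a firewall object holds: only the addresses seen at build time."""
    return set(resolver[hostname])


def iptables_rules(blocked_ips, chain="FORWARD"):
    """One drop rule per address (hypothetical chain name, shown for illustration)."""
    return [f"iptables -A {chain} -d {ip}/32 -p tcp --dport 443 -j DROP"
            for ip in sorted(blocked_ips)]


def hosts_entries(hostnames):
    """/etc/hosts or Zentyal DNS override that points the name at localhost (reply #9)."""
    return [f"127.0.0.1 {name}" for name in hostnames]


def client_destination(url_host, uses_our_dns, resolver, overrides):
    """Address the browser actually connects to. A raw IP in the URL skips DNS
    entirely; an override only matters if the client asks our resolver."""
    try:
        return str(ipaddress.ip_address(url_host))
    except ValueError:
        pass
    if uses_our_dns and url_host in overrides:
        return overrides[url_host]
    return resolver[url_host][0]


def site_reached(dst_ip, blocked_ips):
    """The firewall sees only the packet's destination IP (reply #8)."""
    return dst_ip in SITE_IPS and dst_ip not in blocked_ips


def explicit_proxy_allows(url_host, denied_names, denied_ips):
    """Explicit proxy: HTTPS arrives as CONNECT host:443, so the name (or the
    raw IP) is visible before any connection is made (reply #8, reply #12)."""
    try:
        return str(ipaddress.ip_address(url_host)) not in denied_ips
    except ValueError:
        return not any(url_host == d or url_host.endswith("." + d) for d in denied_names)


def evaluate():
    """Map each scenario to whether the user still reaches the site."""
    blocked = firewall_object("blocked.example", DNS_TODAY)
    overrides = {"blocked.example": "127.0.0.1"}
    r = {}
    # 1. Firewall object built from today's A records
    r["firewall/name/today"] = site_reached(
        client_destination("blocked.example", False, DNS_TODAY, {}), blocked)
    r["firewall/name/tomorrow"] = site_reached(
        client_destination("blocked.example", False, DNS_TOMORROW, {}), blocked)
    # 2. DNS/hosts override to localhost, no firewall rule (reply #9, #10)
    r["dns/name/our-dns"] = site_reached(
        client_destination("blocked.example", True, DNS_TODAY, overrides), set())
    r["dns/name/other-dns"] = site_reached(
        client_destination("blocked.example", False, DNS_TODAY, overrides), set())
    r["dns/raw-ip"] = site_reached(
        client_destination("192.0.2.10", True, DNS_TODAY, overrides), set())
    # 3. Explicit proxy denies the name and the known addresses
    names, ips = ["blocked.example"], set(DNS_TODAY["blocked.example"])
    r["proxy/name/tomorrow"] = explicit_proxy_allows("blocked.example", names, ips)
    r["proxy/raw-ip/known"] = explicit_proxy_allows("192.0.2.10", names, ips)
    r["proxy/raw-ip/new"] = explicit_proxy_allows("203.0.113.42", names, ips)
    return r


if __name__ == "__main__":
    for line in iptables_rules(firewall_object("blocked.example", DNS_TODAY)):
        print(line)
    print(*hosts_entries(["blocked.example"]), sep="\n")
    for scenario, reached in evaluate().items():
        print(f"{scenario:24} site reached: {reached}")
```

Running it shows the thread's argument in one table: the firewall object stops today's addresses and nothing else, the DNS override stops only clients that use our resolver and type the name, and the explicit proxy stops the name regardless of which address it resolves to, leaving only a raw IP that is not yet on the deny list. The proxy deny list still has to be maintained, which is the "not 100%" of reply #12.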

Zent User

  • Zen Warrior
  • ***
  • Posts: 121
  • Karma: +1/-3
Re: Firewall failed to block the mentioned IP's
« Reply #11 on: November 06, 2012, 12:49:05 pm »
Yes, Christian is right. I've tried what Marcus suggested and it worked fine, but when I enter something like https://ip-address, apart from an SSL certificate error, I'm able to access the web site which I redirected to 127.0.0.1 using DNS. I think it's not the correct approach.
Regards
Zent User

christian

  • Guest
Re: Firewall failed to block the mentioned IP's
« Reply #12 on: November 06, 2012, 01:01:22 pm »
OK, we can discuss forever, but the only correct approach to control as much as possible is to use the proxy in explicit mode, at least until someone implements a transparent proxy with man-in-the-middle.

It doesn't mean that a transparent proxy can't be used, but if used, you have to understand the side effects (like you have to understand the side effect of an explicit proxy, which is to either configure the proxy on each browser or to implement WPAD, which is not available out-of-the-box with Zentyal).

With some advanced users, we can discuss other side effects like "safe proxy ports" and stuff like this, but this is another story, and furthermore already discussed at length in this forum.

Not to jeopardize everything, keep also in mind that even with an explicit proxy, you can hardly prevent users from accessing external so-called "free proxies" from which bouncing to Facebook or whatever is still feasible. The workaround is to block access to these proxies too in your own proxy. Hopefully, most are using an IP address instead of an FQDN, so as blocking access to an IP address is easy when using an explicit proxy, you are quite safe, even if not 100%.