Topic: Dans guardian is failing to block https://www.facebook.com

asaidi

Dans guardian is failing to block https://www.facebook.com
« on: February 03, 2011, 11:24:56 am »
Hi,

My Dans guardian is able to block a user from accessing http://www.facebook.com.  Some clever users on my network are able to bypass it by just typing https://www.facebook.com.  How do I block this?

I don't want to block https as a whole but just the specific facebook site.  My email is using https.

Thanks

linuxmaniac

Re: Dans guardian is failing to block https://www.facebook.com
« Reply #1 on: February 03, 2011, 03:07:25 pm »
hey

I'd also like to know how to block the HTTPS sites that are listed in the content filter but allow all others to pass?

thx

Jaime Soriano

Re: Dans guardian is failing to block https://www.facebook.com
« Reply #2 on: February 03, 2011, 03:12:47 pm »
Hi,

We don't support https filtering with the proxy module, but you can block the IPs in the firewall, for that:
- Create an object for this service
- Use dig or any other tool to get the IPs providing the service
- Add these IPs to the object
- Add a firewall rule for internal networks to block the access to this object

You can also configure DNS to resolve the address to block to a different address, but this is easier to bypass using other DNSs.

Regards,

linuxmaniac

Re: Dans guardian is failing to block https://www.facebook.com
« Reply #3 on: February 03, 2011, 03:19:33 pm »
hey,

Thx for the quick reply, but in my case this solution won't work, for two reasons.

1-> I'm not using the firewall of Zentyal in this case.
2-> I'm giving the permission based on groups, so in other words I want other people to browse this site.

Regards

Jaime Soriano

Re: Dans guardian is failing to block https://www.facebook.com
« Reply #4 on: February 03, 2011, 03:57:03 pm »
Hi,

1-> I'm not using the firewall of Zentyal in this case.

Although it is a bit tricky, this is currently the only way to block non-HTTP services with Zentyal.

2-> I'm giving the permission based on groups, so in other words I want other people to browse this site.

It's hard to do groups-based filtering of HTTPS while maintaining the chains of trust, and it's not currently supported by Zentyal at all. The most similar feature is to filter the services as I explained to you in the previous message, but also creating objects with your machines and configuring the filters with them as source objects.

Regards,

linuxmaniac

Re: Dans guardian is failing to block https://www.facebook.com
« Reply #5 on: February 03, 2011, 04:03:28 pm »
Hi,

1-> I'm not using the firewall of Zentyal in this case.

Although it is a bit tricky, this is currently the only way to block non-HTTP services with Zentyal.

2-> I'm giving the permission based on groups, so in other words I want other people to browse this site.

It's hard to do groups-based filtering of HTTPS while maintaining the chains of trust, and it's not currently supported by Zentyal at all. The most similar feature is to filter the services as I explained to you in the previous message, but also creating objects with your machines and configuring the filters with them as source objects.

Regards,

hey,

Then there is no solution for now...

Regards,
« Last Edit: February 03, 2011, 04:06:46 pm by linuxmaniac »

Joeg1484

Re: Dans guardian is failing to block https://www.facebook.com
« Reply #6 on: February 04, 2011, 11:35:35 pm »
I think you can, using squid, deny certain ports. It's been a while since I have used squid, but I do recall being able to do it.

See this: http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes and look for Why does Squid deny some port numbers?

This will give you some examples on how to do it. You may have to modify the actual squid config files to get it to work, if so, you will also need to modify the files in /usr/share/ebox/stub.

I haven't done this yet myself with Zentyal, but I do know you can block https using squid cause I have done it in the past.

Alternately, you can block using regex with Squid. So, you could create a block list and include facebook.com and the regexp block will block it whether it was http or https:

Code:
URL Regexp (url_regexp)
Matches a regular expression pattern against the requested URL. Use the -i option to make the comparison case-insensitive.

acl aclname url_regexp [-i] regexp

Example

acl ftp_mp3 url_regexp ^ftp://.*\.mp3$

Hope this helps!
Joe

asaidi

Re: Dans guardian is failing to block https://www.facebook.com
« Reply #7 on: February 06, 2011, 02:43:00 pm »
Jaime,

Under "Filtering rules for internal networks," the https service is not listed.  I've tried HTTP, http and http software.  None of them seem to be able to block anything.

Where am I missing it?

Jaime Soriano

Re: Dans guardian is failing to block https://www.facebook.com
« Reply #8 on: February 08, 2011, 11:26:42 am »
Hi asaidi,

Under "Filtering rules for internal networks," the https service is not listed.  I've tried HTTP, http and http software.  None of them seem to be able to block anything.

Where am I missing it?

Go to services and add a new service with your HTTPS port.

Regards,

arun

Re: Dans guardian is failing to block https://www.facebook.com
« Reply #9 on: May 11, 2011, 01:12:37 pm »
Quote
Hi,

We don't support https filtering with the proxy module, but you can block the IPs in the firewall, for that:
- Create an object for this service
- Use dig or any other tool to get the IPs providing the service
- Add these IPs to the object
- Add a firewall rule for internal networks to block the access to this object

You can also configure DNS to resolve the address to block to a different address, but this is easier to bypass using other DNSs.

Regards,

1. I have created an object "https ips" and added gmail ips <74.125.236.21/22/23/24> (which I got after pinging mail.google.com)
2. Added the firewall rule to "Filtering rules for internal networks"
2.1 Decision - Deny, Source - Any, Destination - destination object - https ips, Service - any tcp,
2.2 the rule is at the top

Even after the above configuration, as a user, I can access https://mail.google.com

Can anybody help with how to restrict / filter secure (https) sites through Zentyal 2.0.16?

Arun

Sam Graf

  • Guest
Re: Dans guardian is failing to block https://www.facebook.com
« Reply #10 on: May 11, 2011, 02:17:00 pm »
Evidently there are more addresses that resolve from mail.google.com than you have listed. I tried a quick test with a big gun of 74.125.0.0/16 and was blocked.
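
An added example (not posted by anyone in this thread) of the check behind the reply above: compare every address collected from repeated `dig +short` runs against the members of the firewall object and list the ones the object misses. Only 74.125.236.21-24 and 74.125.0.0/16 come from the thread; the other addresses, the CNAME target and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `dig +short mail.google.com` output from two runs.
# Only 74.125.236.21-24 appear in the thread; the rest is made up.
DIG_SAMPLES = """\
cname-target.example.
74.125.236.21
74.125.236.22
74.125.236.23
74.125.236.24
; second run, a few minutes later
cname-target.example.
74.125.227.53
74.125.227.54
74.125.236.22
"""

def parse_dig_short(text):
    """Collect IP addresses from dig +short output, skipping CNAME and comment lines."""
    addrs = set()
    for line in text.splitlines():
        token = line.strip()
        if not token or token.startswith(";"):
            continue
        try:
            addrs.add(ipaddress.ip_address(token))
        except ValueError:
            pass  # not an address: a CNAME target such as "cname-target.example."
    return addrs

def uncovered(addrs, object_members):
    """Return the resolved addresses that no member of the firewall object matches."""
    nets = [ipaddress.ip_network(m, strict=False) for m in object_members]
    missing = [a for a in addrs if not any(a in n for n in nets)]
    return sorted(missing, key=lambda a: (a.version, int(a)))

def exact_members(addrs):
    """Smallest list of CIDR blocks covering exactly the resolved IPv4 addresses."""
    v4 = [ipaddress.ip_network(str(a)) for a in addrs if a.version == 4]
    return [str(n) for n in ipaddress.collapse_addresses(v4)]

if __name__ == "__main__":
    seen = parse_dig_short(DIG_SAMPLES)
    four = ["74.125.236.21", "74.125.236.22", "74.125.236.23", "74.125.236.24"]
    print("missed by the four single IPs:", uncovered(seen, four))
    print("missed by 74.125.0.0/16:", uncovered(seen, ["74.125.0.0/16"]))
    print("exact object members:", exact_members(seen))
```

Feeding it output gathered over several days and from several internal clients shows whether a narrow object keeps up with the service's address rotation or whether a wider block is needed.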

arun

Re: Dans guardian is failing to block https://www.facebook.com
« Reply #11 on: May 12, 2011, 09:59:45 am »
As per your recommendation I have made the following changes ....
UTM -> Firewall -> Packet filter -> Filtering rules for internal networks

new rule
Decision:    DENY
Source:    ANY
Destination: Destination ip - 74.125.0.0/16
Service:    ANY

And gave this rule priority at the top. Thus no users should be able to access mail.google.com,
but unfortunately this also did not work and users can still peep out ...

Arun

Chiyan

Re: Dans guardian is failing to block https://www.facebook.com
« Reply #12 on: May 12, 2011, 11:41:28 am »
Hi,

To block a domain / website, whether it is http / https, we can do it.

Try this and post the result.

1. Dashboard -> HTTP Proxy -> Filter Profiles -> Edit default configuration file -> click Domains filtering  tab -> Domains and URL rules -> Add new -> Add (whatever domain/website you want) -> Policy : Filter -> Add -> save it.

Now you can check the zentyal firewall's restriction in your client system.

All the best. :)

Sam Graf

  • Guest
Re: Dans guardian is failing to block https://www.facebook.com
« Reply #13 on: May 12, 2011, 02:03:46 pm »
but unfortunately this also did not work and users can still peep out ...

Arun

That's very interesting. In my case, I had staff (people who actually had Gmail accounts) test it and in every case, the connection simply timed out eventually. In no case could anybody access https://mail.google.com.

The possibility remains, I suppose, that there are additional addresses. But if the firewall is failing to block requests to WAN addresses, something seems to be broken, not enabled or configured properly on the network side (traffic is bypassing Zentyal's firewall), etc.

Hi,

To block a domain / website, whether it is http / https, we can do it.

Try this and post the result.

1. Dashboard -> HTTP Proxy -> Filter Profiles -> Edit default configuration file -> click Domains filtering  tab -> Domains and URL rules -> Add new -> Add (whatever domain/website you want) -> Policy : Filter -> Add -> save it.

Now you can check the zentyal firewall's restriction in your client system.

All the best. :)

The proxy ignores HTTPS traffic. Generally, attempting to block such traffic via the proxy has not worked.

Escorpiom

Re: Dans guardian is failing to block https://www.facebook.com
« Reply #14 on: May 13, 2011, 03:43:30 am »
Sam is correct. Few people seem to understand that https traffic cannot go through a proxy.
This is by design. Https needs a direct connection so the proxy in this case does not do anything, neither does Dansguardian.

I find it a bit shortsighted to say that there is no solution. Actually the solution is being offered: Use the firewall. If you are not using the Zentyal firewall, you might have another firewall product. Try blocking it with that one.

On my network employees have the eternal Facebook illness and I could effectively block them out using the packet filter and https service for selected network objects.
This way, some users can still access Facebook but the ones that should not can't access it.

Agreed, sometimes you need to try different methods but I find the firewall to be rather effective in blocking stuff.

Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...