This topic contains 9 replies, has 0 voices, and was last updated by 
-
Posts
-
First of all: hello to everybody. The zeroshell is the best firewall that I’ve tested until now and it works!
But I have a problem. I want to block programs that connects to proxies by port 443 (ssl); for example ultrasurf. I haven’t found anything to block this, so I’ve tried another thing.
I use the l7 protocol in firewall:
– Accepting only valid ssl certificates (validatessl rule).
– Blocking all the other 443 connections.The problem is that no connection goes by first rule (validatessl).
What’s wrong?Thank you very much!
Truth is I had some problems with L7 matches in firewall and ever since I don’t trust them that much. However make sure you have the latest release of the signatures.
I have the one included in beta12.
Is it the last?
I’ve visited the official webpage and it says that he discontinues the l7.I think there was one more edition since the release of ZSbeta12.
2009-05-28 is the latest version, under the definitions directory…
http://sourceforge.net/projects/l7-filter/files/
The one included in beta12 is out of date. Version 2008-12-18 is what comes with beta12.
I’ve upgraded to the last version, but all continues equal.
I don’t think that what you are trying to do with L7 filters is possible:
As near as I can tell by looking at a couple of the L7 filters is they attempt to detect the type of session by looking for bit/byte patterns at offsets in the packets.
SSH is an encrypted protocol so all the bit/byte patterns will appear to be random. Because of that the L7 filters will have nothing to match.
And your idea of checking for valid SSL certificates won’t work either as your are basically trying a “man in the middle” attack which SSH should be resistant to.
I think the best you can do is detect SSH to particular IP addresses that you know to be bad and then block those. That would be a set of simple IP and port rules, one per bad destination.
You can ban TOR nodes IP with the provided script:
http://www.torproject.org/faq-abuse.html.en#BansYes, you are true.
But the problem is that ultrasurf uses a very laaarge and change every day the list of ip’s (that none knows).
The only thing that now I can do is blocking all the 443 connexions except the ones that I accept (gmail, hotmail,…). It would be better a good blocking program to do it.
Any other idea?Thank you!
@atheling wrote:
I don’t think that what you are trying to do with L7 filters is possible:
As near as I can tell by looking at a couple of the L7 filters is they attempt to detect the type of session by looking for bit/byte patterns at offsets in the packets.
SSH is an encrypted protocol so all the bit/byte patterns will appear to be random. Because of that the L7 filters will have nothing to match.
And your idea of checking for valid SSL certificates won’t work either as your are basically trying a “man in the middle” attack which SSH should be resistant to.
I think the best you can do is detect SSH to particular IP addresses that you know to be bad and then block those. That would be a set of simple IP and port rules, one per bad destination.
What are you trying to block? in my environment i am blocking students from porn and other nasty sites, so dansguardian add-on was my answer, i tried to block all sites then allow certain ones thru the http proxy URL Management, but as you noticed it gets unwieldy quite quickly.
hope this is useful to you.Yes, but there are programs to bypass this. And I want to block these programs. They work as a proxy.
@jc wrote:
What are you trying to block? in my environment i am blocking students from porn and other nasty sites, so dansguardian add-on was my answer, i tried to block all sites then allow certain ones thru the http proxy URL Management, but as you noticed it gets unwieldy quite quickly.
hope this is useful to you.
You must be logged in to reply to this topic.