nbctcp
New Member
June 24, 2015
Solved

Blocking Open Proxy


I am trying to block open proxies by blocking the Proxy category in Application Control.

So far without success.

If someone has had success blocking that, please share.

Test:
- search for an open proxy that uses port 80 from http://proxylist.hidemyass.com/
- set Chrome to use the open proxy, for example 107.167.21.243 port 80
- test whether www.playboy.com can be accessed

FYI, PaloAlto can block open proxies and SoftEther, but can't block Opera Turbo or Psiphon3.

REQUEST:

When will FortiGate have Opera Turbo Application Control?

thanks

https://nbctcp.wordpress.com


    TuncayBAS
    Explorer
    July 2, 2015

Please use this IPS signature and share results.

     

    F-SBID(--name "Opera.Turbo.IPS"; --default_action drop_session; --service HTTP; --protocol tcp;--flow from_client;--pattern "X-Opera-Host:"; --no_case; --context header;)
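    As an added illustration (not from the thread or from Fortinet), the Python below emulates what the --pattern, --no_case and --context header options of the signature above actually check, run over constructed client requests: one carrying the header Opera Turbo adds, one plain, and one where the string appears only in the body (which a header-context match must ignore). The option parser, the sample requests and the function names are my own assumptions; the hex and pcre options used by the other signatures in this thread are not modelled, and the real FortiGate engine is more involved.

    ```python
    import shlex

    # Constructed samples (not captured traffic): a request relayed by Opera
    # Turbo's compression proxy, a plain request, and a request whose body
    # (not its headers) happens to contain the pattern.
    TURBO_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: proxy.example\r\n"
                     b"x-opera-host: www.example.com\r\n\r\n")
    PLAIN_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    BODY_ONLY_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                         b"Content-Length: 14\r\n\r\nX-Opera-Host: ")

    # The signature posted above, copied verbatim.
    SIGNATURE = ('F-SBID(--name "Opera.Turbo.IPS"; --default_action drop_session; '
                 '--service HTTP; --protocol tcp;--flow from_client;'
                 '--pattern "X-Opera-Host:"; --no_case; --context header;)')


    def parse_fsbid(sig):
        """Return the F-SBID options as a dict; bare flags map to None."""
        body = sig.strip()
        if not (body.startswith("F-SBID(") and body.endswith(")")):
            raise ValueError("not an F-SBID signature")
        opts = {}
        for item in body[len("F-SBID("):-1].split(";"):
            if item.strip():
                parts = shlex.split(item)          # keeps the quoted pattern whole
                opts[parts[0].lstrip("-")] = " ".join(parts[1:]) or None
        return opts


    def verdict(sig, request):
        """Emulate the signature on one client-to-server HTTP request.

        Only --pattern, --no_case and --context header are modelled: with
        header context the request line and headers are searched, never the
        body. Returns the --default_action on a hit, otherwise "pass".
        """
        o = parse_fsbid(sig)
        head, _sep, _body = request.partition(b"\r\n\r\n")
        haystack = head if o.get("context") == "header" else request
        needle = o["pattern"].encode()
        if "no_case" in o:
            haystack, needle = haystack.lower(), needle.lower()
        return o.get("default_action", "pass") if needle in haystack else "pass"
    ```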

    buntha
    New Member
    July 2, 2015
    You can try the following custom application control signatures. 

    UDP Connections:

    F-SBID( --protocol udp; --flow from_client; --src_port 10000:; --dst_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >16; --data_size <40; --tag set,softEther.UDP.tag; --app_cat 6; )
    # please set this signature to 'Monitor'

    F-SBID( --protocol udp; --flow from_server; --src_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >90; --data_size <350; --tag test,softEther.UDP.tag; --app_cat 6; )
    # please set this signature to 'Reset'

    TCP Connections (Please set the following custom signatures to block or reset):

    F-SBID( --protocol tcp; --service SSL; --flow from_server; --pattern ".opengw.net"; --context host; --no_case; --app_cat 6; )

    F-SBID( --protocol tcp; --seq =,1,relative; --service SSL; --flow from_client; --pattern "|16 03 01|"; --within 3,packet; --pattern "|01|"; --context packet; --distance 5,context; --within 1,context; --pattern "|00 00 6E|"; --context packet; --distance 37; --within 3; --pattern "|01 00|"; --context packet; --distance 110; --within 2; --pattern "|00 0f 00 01 01|"; --context packet; --distance 5,context,reverse; --within 5,context; --pcre "/[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}/"; --context host; --app_cat 6; )

    F-SBID( --protocol tcp; --seq =,1,relative; --service SSL; --flow from_client; --pattern "|16 03 01|"; --within 3,packet; --pattern "|01|"; --context packet; --distance 5,context; --within 1,context; --pattern "|00 2a 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff|"; --context packet; --distance 0; --pattern "|00 00|"; --context packet; --distance 0; --pattern "|00 00|"; --context packet; --distance 4; --pcre "/[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}/"; --context packet; --distance 15,context,reverse; --app_cat 6; )

    There is a bug with UDP signatures having detection loss in certain unique cases like VPNGate. It is currently being analyzed and fixed by the engine team. We will update you when a patch is available. An alternative would be to try the custom signatures for UDP connections. There could be some false positive risks though.

    Second, please create the 2 IPS signatures for UDP connections below:

    F-SBID( --protocol udp; --flow from_client; --default_action pass; --src_port 10000:; --dst_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >16; --data_size <40; --tag set,softEther.UDP.IPS.tag; ) 

    F-SBID( --protocol udp; --flow from_server; --default_action drop_session; --src_port 1024:; --seq 1,relative; --pattern !"|00 00|"; --within 16,packet; --data_size >90; --data_size <350; --tag test,softEther.UDP.IPS.tag; )

    Please follow my steps; it's working well at my place.
    Please see the attached image for the IPS signature.
    Best regards,
    Yin Buntha
    nbctcp (Author)
    New Member
    July 2, 2015

    @yaba

    With Opera Turbo ON, I can still access the Internet.

    What I want is: without Opera Turbo the user can access the Internet, but can't if Opera Turbo is on.

    STEPS TAKEN:

    - create IPS signature OperaTurbo with ACTION BLOCK

    - create policy with ACTION ACCEPT and IPS filter ON OperaTurbo

    @Yin Buntha Your SoftEther solution is already working in another thread.

    But in this thread I am asking how to block Opera Turbo and open proxies.

    Or do you mean I can use the SoftEther policy to block Opera Turbo?

    If that is the case, I can still bypass the blocking using Opera Turbo.

    magnumpi (Best answer)
    New Member
    September 4, 2015

    Hi,

    on my FortiGate the block works fine.

    Look at the attached file.

    nbctcp (Author)
    New Member
    April 6, 2016

    @magnumpi

    Can you please share your policy for Opera Turbo and open proxies?

    Which one did you successfully block?

    nbctcp (Author)
    New Member
    April 28, 2016

    In Mikrotik I am using this filter:

        /ip firewall address-list add address=12.12.12.0/24 list=LAN
        /ip firewall layer7-protocol add name=opera regexp="^.+(opera-mini.net).*\$"
        /ip firewall filter add action=drop chain=forward layer7-protocol=opera src-address-list=LAN

    Basically it will block anything going to opera-mini.net. How do I achieve that in FortiGate?

    FYI, I am using FortiGate 5.4 unlicensed in UNetLab.

     

    tq