JohnTRIVOLTA
Member Candidate
Topic Author
Posts: 178
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Block public proxy servers - HOW

Fri May 17, 2019 9:34 pm

Hi guys,
I have not found a way to effectively block traffic to public proxies so as not to bypass the rules in the firewall!
If anyone has such a solution, please share their experience!

P.S. I want to ask, if I can add a firewall rule in filter section on forward chain with content=https and one with http, can I block the redirected traffic to proxies only?
 
Sob
Forum Guru
Posts: 4178
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block public proxy servers - HOW  [SOLVED]

Sat May 18, 2019 4:12 pm

I don't think you can. You can block some with L7 like this:
/ip firewall layer7-protocol
add name=proxy regexp="^(CONNECT\\ .*|GET\\ https\?:\\/\\/.*)\\ HTTP\\/1\\."
But it's far from perfect.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
JohnTRIVOLTA
Member Candidate
Topic Author
Posts: 178
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Block public proxy servers - HOW

Sat May 18, 2019 4:32 pm

> I don't think you can. You can block some with L7 like this:
> /ip firewall layer7-protocol
> add name=proxy regexp="^(CONNECT\\ .*|GET\\ https\?:\\/\\/.*)\\ HTTP\\/1\\."
> But it's far from perfect.
Thank you very much, Sob!
I will try it ... I hope I will not block other traffic with it? :D
 
mkx
Forum Guru
Posts: 2430
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block public proxy servers - HOW

Sat May 18, 2019 5:04 pm

> I don't think you can. ....
> But it's far from perfect.
Indeed it is far from perfect. Probably it'll successfully block proxy requests, but will most probably block usual http requests as well (it probably won't interfere with direct https connections though). It's quite usual to see full
GET http://www.somedomain.com/path/to/document.html HTTP/1.x
on direct connections to source server as well ... it's the only way for server to distinguish between all those named virtual http servers sharing the same public IP address. (x in HTTP protocol nowadays is usually 1 but with older web browsers it can be 0 as well).
BR,
Metod
 
Sob
Forum Guru
Posts: 4178
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block public proxy servers - HOW

Sat May 18, 2019 5:36 pm

I've never seen "GET http://..." in regular requests. The way to distinguish between virtual hosts is Host header. And quick test with nginx (as regular webserver, not proxy) shows that "GET http://www.domain.tld/ HTTP/1.0" without Host header returns default virtual host (i.e. ignores hostname from request) and the same with HTTP/1.1 (still without Host header) returns "400 Bad Request".
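The disagreement above about whether the rule also hits ordinary HTTP can be checked offline. This is an added example, not code from any poster: it ports Sob's regexp to Python's `re` (an approximation of the router's L7 engine) and runs it over constructed first-packet payloads; the `example.com` hosts and the function names are illustrative.

```python
import re

# Sob's regexp after RouterOS console unescaping ("\\" -> "\", "\?" -> "?").
# Python's re stands in for the router's L7 regex engine (assumption).
L7_PROXY = re.compile(rb"^(CONNECT\ .*|GET\ https?:\/\/.*)\ HTTP\/1\.")

# Constructed first-packet payloads, not captured traffic.
SAMPLES = {
    # Request line in the form a client sends to a forward proxy. A direct
    # request written this way (mkx's case) is byte-identical to the matcher.
    "absolute_get": b"GET http://www.example.com/a.html HTTP/1.1\r\n"
                    b"Host: www.example.com\r\n\r\n",
    "connect_tunnel": b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                      b"Host: www.example.com:443\r\n\r\n",
    # Direct request as Sob describes it: path only, vhost in the Host header.
    "direct_get": b"GET /a.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Start of a TLS record (handshake, ClientHello); nothing here is HTTP text.
    "tls_hello": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + bytes(32),
}

def request_form(payload: bytes) -> str:
    """Name the request-target form of the first line, or 'not-http'."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "not-http"
    method, target = parts[0], parts[1]
    if method == b"CONNECT":
        return "authority-form"
    if target.startswith(b"/"):
        return "origin-form"
    if b"://" in target:
        return "absolute-form"
    return "other"

def classify(payload: bytes) -> str:
    """Return 'drop' if the L7 pattern matches the payload, else 'pass'."""
    return "drop" if L7_PROXY.search(payload) else "pass"

def report() -> dict:
    """Map each sample name to (request form, verdict)."""
    return {n: (request_form(p), classify(p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (form, verdict) in report().items():
        print(f"{name:15} {form:15} {verdict}")
```

Only the absolute-form GET and the CONNECT line match; a path-only GET with a Host header and the TLS record both pass.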
 
JohnTRIVOLTA
Member Candidate
Topic Author
Posts: 178
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Block public proxy servers - HOW

Sat May 18, 2019 7:24 pm

For now, this stops traffic to proxies that do not use https (SSL). Unfortunately, most of the public ones are over https! The only solution for now is that I have to collect their IP addresses in lists.
 
Sob
Forum Guru
Posts: 4178
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block public proxy servers - HOW

Sat May 18, 2019 7:52 pm

I don't follow what happens in public proxy world, but what I got from Google was all without https, just http. But if you have different sources with https, then it's bad for you, because you can't see what's inside https connection, it's the whole point of https. And collecting address, good luck. Maybe if there already is some source of proxy addresses, you could use that. But doing it yourself will be never ending story.
 
JohnTRIVOLTA
Member Candidate
Topic Author
Posts: 178
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Block public proxy servers - HOW

Sat May 18, 2019 8:24 pm

> I don't follow what happens in public proxy world, but what I got from Google was all without https, just http. But if you have different sources with https, then it's bad for you, because you can't see what's inside https connection, it's the whole point of https. And collecting address, good luck. Maybe if there already is some source of proxy addresses, you could use that. But doing it yourself will be never ending story.
Yes, I know - about https web proxies, I mean! I will look for more information on the internet. For now, I will collect the names and addresses of the most well-known ones!
Thanks again for your help, Sob!
 
Sob
Forum Guru
Posts: 4178
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block public proxy servers - HOW

Sat May 18, 2019 10:24 pm

It really depends on what exactly you need it for and how persistent users you have. Maybe if you block the most obvious servers, they will give up. The major thing against you is that all they need is just one working server.
 
JohnTRIVOLTA
Member Candidate
Topic Author
Posts: 178
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Block public proxy servers - HOW

Sat May 18, 2019 11:09 pm

> It really depends on what exactly you need it for and how persistent users you have. Maybe if you block the most obvious servers, they will give up. The major thing against you is that all they need is just one working server.
Behind a CCR I have a very sensitive network with about 150 clients.
There are several different servers on this network, with important information.
All this is done to prevent any type of virus, worm ... etc. in the network.
I already use the Joshaven Potter script to update the Spamhaus, dshield, and malc0de lists.
I also have a lot of rules based on ports in the forward chain. I use AdGuard DNS and redirect all queries to my router.
By blocking proxies, I will try to reduce the risk of any attempts to circumvent the rules!
Last edited by JohnTRIVOLTA on Sat May 18, 2019 11:23 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 4178
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block public proxy servers - HOW

Sat May 18, 2019 11:18 pm

Blocking access to proxies doesn't sound like something that would help much. Unless you have some very strict filtering of all outgoing traffic, any worm will just use either custom ports, or if you block those, then regular https. And you pretty much have to allow that, if those 150 clients should be able to use internet in the most basic sense, which today means access to http(s).
 
JohnTRIVOLTA
Member Candidate
Topic Author
Posts: 178
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Block public proxy servers - HOW

Sat May 18, 2019 11:26 pm

> Blocking access to proxies doesn't sound like something that would help much. Unless you have some very strict filtering of all outgoing traffic, any worm will just use either custom ports, or if you block those, then regular https. And you pretty much have to allow that, if those 150 clients should be able to use internet in the most basic sense, which today means access to http(s).
I added the last post with the missing info!
 
Sob
Forum Guru
Posts: 4178
Joined: Mon Apr 20, 2009 9:11 pm

Re: Block public proxy servers - HOW

Sun May 19, 2019 12:11 am

I guess you already have that, but if not, I'd start with segmenting the network, make sensitive servers isolated from users as much as possible. Other than that, it's mostly non-technical, you need "long whip", "iron fist", or whatever is the fitting English idiom, users must know what they can and can not do, and don't dare to break the rules. :)
