block youtube app and facebook app on mobiles phones
-
hi everybody,,,
i have pfsense firewall on my LAN, and an AP connected behind it meaning that all phones are behind my pfsense box, i want to block access to facebook and youtube, the problem is that mobile use apps not web, so how can i block them, is there any port number that should be closed ???/
-
I suspect that those apps are connecting over the web anyway, otherwise they would be blocked too many places. I would start by closing ALL ports that you don't need. Open only what you do. But that is for general security and will not block these apps.
Second, block Facebook and YouTube completely from PFSense. The apps have to connect to those sites to get their content, so blocking the site blocks the app.
-
actually facebook and youtube website are already blocked by squid proxy, this applied only to computer because the are configured to use proxy setting in their browsers, for the phones they are not connected to the proxy because they use app instead of browsers, so i set specific rule for mobile phones that allow all traffic
-
@IT-ADMIN how i can change this phone rule to block facebook and youtube app, knowing that i cannot force mobile traffic to pass through squid proxy because app not using proxy setting
-
@IT-ADMIN said:
actually facebook and youtube website are already blocked by squid proxy, this applied only to computer because the are configured to use proxy setting in their browsers, for the phones they are not connected to the proxy because they use app instead of browsers, so i set specific rule for mobile phones that allow all traffic
So "not really blocked" is the issue here. You are not using the proxy as a security measure but as a matter of convenience. To use a proxy for security it must be the only path between the LAN and the Internet. You are using the proxy as an optional path and anything without the proxy settings is bypassing it.
Put your proxy inline and everything will be solved immediately. Or simple block any other path. HTTP traffic should only be allowed to and from the proxy.
-
@IT-ADMIN said:
@IT-ADMIN how i can change this phone rule to block facebook and youtube app, knowing that i cannot force mobile traffic to pass through squid proxy because app not using proxy setting
No need for proxy settings if setup as inline and transparent. The standard use of a proxy does not require proxy settings on the end users devices.
-
@scottalanmiller said:
@IT-ADMIN said:
@IT-ADMIN how i can change this phone rule to block facebook and youtube app, knowing that i cannot force mobile traffic to pass through squid proxy because app not using proxy setting
No need for proxy settings if setup as inline and transparent. The standard use of a proxy does not require proxy settings on the end users devices.
thank you Dear Scott, but if i set my proxy as transparent it will allow only 80 port traffic and deny everything else, which cause https 443 port to be blocked, then mobiles cannot connect to gmail nor skype , nothing except web surfing (port 80)
-
@IT-ADMIN said:
thank you Dear Scott, but if i set my proxy as transparent it will allow only 80 port traffic and deny everything else, which cause https 443 port to be blocked, then mobiles cannot connect to gmail nor skype , nothing except web surfing (port 80)
Why is everything except for port 80 blocked?
-
-
That doesn't imply what you stated, though.
-
@IT-ADMIN because if you don't inform your browser which proxy to use, https will consider the proxy as a man in the middle, and will drop the connection
-
all 443 traffic will not be established because the app itself is unaware about which proxy to use
-
i set proxy setting for mobile, and i remark that facebook is blocked but youtube is not blocked, it seems that youtube app not using youtube.com to connect to the server,
-
@IT-ADMIN said:
@IT-ADMIN because if you don't inform your browser which proxy to use, https will consider the proxy as a man in the middle, and will drop the connection
No, you are thinking of the way that you are using a proxy "non-transparent." A transparent proxy you don't tell the browser about. That's what transparent means - that the proxy happens without anything needing to know about it.
-
@IT-ADMIN said:
all 443 traffic will not be established because the app itself is unaware about which proxy to use
It's transparent so everything goes through the proxy.
-
@IT-ADMIN said:
i set proxy setting for mobile, and i remark that facebook is blocked but youtube is not blocked, it seems that youtube app not using youtube.com to connect to the server,
You'll need to block all YouTube sites, which are many. Blocking by domain name is not very effective. There is always a way around that by IP address.
-
if i set a transparent proxy and block some URLs, users cannot access http://facebook.com, but if they just add s after http, they can access easily, i tried it !! i'm sure
-
@scottalanmiller said:
@IT-ADMIN said:
i set proxy setting for mobile, and i remark that facebook is blocked but youtube is not blocked, it seems that youtube app not using youtube.com to connect to the server,
You'll need to block all YouTube sites, which are many. Blocking by domain name is not very effective. There is always a way around that by IP address.
also blocking by IPs is not efficient, because IPs of servers keep changing, and it is difficult to know all IP range used by a specific server
-
in the begining i though that app can be blocked by closing some ports numbers, but it seem that almost all of the apps use either 80 or 443, and if close one of these port it is like i closed everything !!!
-
@IT-ADMIN said:
if i set a transparent proxy and block some URLs, users cannot access http://facebook.com, but if they just add s after http, they can access easily, i tried it !! i'm sure
Are you just clicking a box called "transparent proxy" or are you actually changing your network correctly to accommodate the change in architecture?
