Block SSL Yes/No


(Lewis) #1

Hi
Is it normal for the SSL protocol to use lots of data? In the last 7 hours it has downloaded 1.8Gb. Can I block SSL, or would that be a bad idea?


(JamesMillar) #2

Blocking SSL would prevent connections to secure websites, those that begin with https. You don’t want to do that.

You need to understand who is connecting to what to download that amount of data.


(Lewis) #3

That has been my fight for the past 2 months, to figure out where that usage of SSL is coming from. I think most traffic is coming from https://www.facebook.com, I can only think that is my problem.


(JamesMillar) #4

You can install iftop and monitor real-time traffic using the CLI. You can also look at nTop; you may have it already installed as it comes in one of the packages for NS.


(Lewis) #5

That is how I came to the conclusion that it is facebook that is the problem. I think the only way to find out is if I stop facebook for a day and see the results. On NS, is there a way of giving times for facebook use?


(JamesMillar) #6

I don’t use NS as a firewall myself. Blocking a domain name can be tricky because firewalls use IP addresses. If you perform an nslookup of facebook.com you will see quite a number of IP addresses. You would need to create a new host group and then add new hosts with each IP address. Once the hosts are added you then need to add them to your new host group. After completing that, you’ll need to configure your firewall rules.

A quick and dirty way to block facebook, temporarily at least, is to add the following line to your /etc/hosts file.
127.0.0.1 www.facebook.com facebook.com

That one line would cause any connection to facebook to try to connect to your local loopback on NS, effectively preventing users from connecting to facebook. After your analysis is complete, you can remove it. You don’t need to restart any services after adding and removing that line but you do need to be root.


(Lewis) #7

Will give that a go…


#8

Hi,

In the web content filtering you can block social media.

Did you use the proxy?
In the proxy log you can see “who” accesses “what”… By “who” I mean the IP address.


(Lewis) #9

Hi Jim, when you ask if I used the proxy, what do you mean? Which option I picked, transparent or not? When you talk about the log, are you talking about LightSquid?


#10

Personally, I have configured the proxy as a transparent proxy.
The Web Content filter is used to block ads and adult content, and uses the free/toulouse list (I don’t remember the name exactly).

In the log viewer, in the access_log, I was able to see all IP access.

Edit: It could be a network station doing an update… or an iOS device downloading the latest iOS.

Edit: access_log
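
Added example, not part of any post in this thread: a Python sketch that totals bytes per client IP and per destination host from Squid's native access.log format, which is one way to answer "who" accesses "what". The sample lines, addresses and host names are constructed; on a real system the input would be the lines of /var/log/squid/access.log.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1457352001.123   5021 192.168.1.23 TCP_MISS/200 734003200 CONNECT www.facebook.com:443 - DIRECT/203.0.113.10 -
1457352010.456    310 192.168.1.40 TCP_MISS/200 20480 GET http://example.org/index.html - DIRECT/198.51.100.7 text/html
1457352020.789  90112 192.168.1.23 TCP_MISS/200 1258291200 CONNECT updates.example.net:443 - DIRECT/198.51.100.20 -
1457352030.000    120 192.168.1.40 TCP_HIT/200 4096 GET http://example.org/logo.png - NONE/- image/png
this line is truncated
"""

def destination(method, url):
    # HTTPS through the proxy is logged as "CONNECT host:port"; plain HTTP as a full URL.
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()

def usage(lines):
    # Returns (bytes per client, bytes per (client, destination), malformed line count).
    by_client, by_pair = Counter(), Counter()
    skipped = 0
    for line in lines:
        f = line.split()
        if len(f) < 7 or not f[4].isdigit():
            skipped += 1  # truncated or non-native-format line
            continue
        client, size, method, url = f[2], int(f[4]), f[5], f[6]
        by_client[client] += size
        by_pair[(client, destination(method, url))] += size
    return by_client, by_pair, skipped

if __name__ == "__main__":
    by_client, by_pair, skipped = usage(SAMPLE_LOG.splitlines())
    for client, size in by_client.most_common(5):
        print(f"{client:15} {size / 2**20:10.1f} MiB total")
    for (client, host), size in by_pair.most_common(5):
        print(f"{client:15} {host:25} {size / 2**20:10.1f} MiB")
    print(f"skipped {skipped} malformed line(s)")
```

HTTPS requests show up as CONNECT entries only when they actually pass through the proxy, so traffic that bypasses it will not appear in these totals.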


(Lewis) #11

Thanks, will let all this run for 12hrs, blocking facebook using JamesMillar's method in /etc/hosts, and keep an eye on /var/log/squid/access.log. Hope this will sort my problem out… You guys will get an update tomorrow round this time.


(Alessio Fattorini) #12

I suggest you use the WebUI directly: DNS -> Host


(Jose G Jimenez S ) #13

I use proxy manually, and I have no problems


(Lewis) #14

jgj… I still need to master NS a little more before playing with the proxy manually, but very soon.


(Lewis) #15

Hi… I added that line to the host via DNS-> but I still have access to facebook…


(JamesMillar) #16

That only means that the order of host lookup isn’t using your /etc/hosts file first. I recommend removing that line and using Jim’s recommendation for blocking social media using the proxy.


#17

Go to the web content filter.
In the Filters tab, edit the default filter.

You will see a lot of stuff here, to block ads, social networks, and so on…


(Lewis) #18

Tried loading UrlBlacklist.com (commercial) in the content filter; now it is stuck there at 50%. Is that file that big?


(Lewis) #19

Jim… When I go to edit the default filter I cannot click on the Categories drop-down…


#20

Choose the mode allow all, block selected