Block websites (protocol/messaging)

Valeriy · October 28, 2024, 7:59am

Hello. I used NS 7 before, now I installed NS 8 and I can’t figure out how to block websites? I need to block telegram.org. How do I do this?
In the settings I found DPI filter - there I found Telegram (protocol/messaging) and enabled this option. But telegram continues to work and messages are sent and received.
Tell me what I need to configure to block?

Andy_Wismer · October 28, 2024, 10:13am

Hi @Valeriy

NS8 is no more a firewall for a network, so it’s not the right host to enable blocking.
It does contain a firewall, but only tp protect itself, in case of cloud hosting.

You need to use another host as firewall and run eg. NethSecurity 8 or OPNsense there as firewall. There you should be able to block sites, etc.

My 2 cents
Andy

Valeriy · October 28, 2024, 12:03pm

I am using NethSecurity 8 23.05.5-ns.1.3.0. And I can’t figure out how I can block a site?

filippo_carletti · October 28, 2024, 3:29pm

You got it right: DPI should block connections that are recognized as using the Telegram protocol.

At the moment, there’s no easy way to see the DPI protocol of connections, but you can see what’s blocked with the following command:

conntrack -L -o labels | grep labels=block

Could you try to enable other protocols, just to verify that they are blocked? It could mean that Telegram avoids detection (and we should improve its definition).

Valeriy · October 29, 2024, 12:14pm

At the moment I am using NethSecurity 8 for testing.
In NS 7 it was all very simple Web proxy & Filter - Filter - Enable Global Blacklist. I added telegram.org and it no longer works in my network. How can I do this in NethSecurity 8?

filippo_carletti · October 29, 2024, 1:56pm

Add a DNS record: telegram.org IP 0.0.0.0

Valeriy · October 30, 2024, 6:27am

Where exactly should I add this entry? How can I make an exception for 1 computer so that it can access the blocked site?

filippo_carletti · October 30, 2024, 8:19am

Create a Domain set object and use it for firewall rules.
I understand that you’re used to the old version, but I think that the newer is more straightforward.

Valeriy · October 30, 2024, 8:29am

I read the documentation about migration from NS7 to NS8, it says that Web proxy (Squid) and filter (ufdbGuard) will be no more in NS8. This means that there is no longer a possibility to block sites by categories or create a global blacklist and whitelist separately. Is that correct?

filippo_carletti · October 30, 2024, 8:54am

It is not correct.
UT1 Capitole free lists are still available in NS8, but as of today, they must be configured by the command line.
The graphical user interface configures the Flashstart categories, which are not free.
Things may change in the future: we may develop (or accept contributions) an UI for the free lists (low priority).

Valeriy · October 30, 2024, 9:40am

Thanks for your help. NS 7 is still the best solution for me.

dnutan · October 30, 2024, 8:07pm

correct, not on NS8 but on NethSecurity (IIRC)

mrit · November 4, 2024, 8:59am

Howdy folks,

I am also trying to block social media using the DPI feature in NS8 but my upstream firewall shows that TikTok, Snapchat, Instagram & Co are still working (at least for some users)…

conntrack -L -d 35.190.43.134 gives me:

tcp      6 7132 ESTABLISHED src=10.xxx.xxx.xxx dst=35.190.43.134 sport=57693 dport=443 packets=11 bytes=1129 src=35.190.43.134 dst=10.1.0.2 sport=443 dport=57693 packets=6 bytes=4462 [ASSURED] mark=16128 use=1
tcp      6 38 ESTABLISHED src=10.xxx.xxx.xxx dst=35.190.43.134 sport=57687 dport=443 packets=3 bytes=685 src=35.190.43.134 dst=10.1.0.2 sport=443 dport=57687 packets=14 bytes=15476 [ASSURED] mark=16128 use=1

Which suggests that the DPI filter is ineffective. Funny however that ntopng on the upstream firewall classifies flows to this IP address as TLS.Snapchat. Of course, Snapchat is enabled in NS8:

Currently I am using a trial version of NS8 to examine the effectiveness of the DPI filter functionality

Regards
Marcel

Tbaile · November 5, 2024, 3:01pm

Hi Marcel and welcome!

Due to this

I’m guessing that traffic is not correctly routed properly due to conntrack keeping connections active as we’ve experienced a few posts away.

My suggestion is to wipe the conntrack table through the UI when doing such changes. We’re not willing to do such thing automatically due to potentially in progress connections that must be kept active (I.E. a telephone call).

Please try and come back if some other issue arise

mrit · November 5, 2024, 3:51pm

and welcome!

Thank you

I’m guessing that traffic is not correctly routed properly due to conntrack keeping connections

But I would also expect established connections to be closed if an non-allowed service is detected. Of course, this is not suitable on a VoIP network, but I wouldn’t enable DPI on those networks.

My suggestion is to wipe the conntrack table through the UI when doing such changes

Which changes do you mean? I turned on Snapchat & Co at least three weeks ago (maybe four?!) and since then we had fall break which means the network was completely empty meaning all connections were closed in the meantime (which - I guess - is the equivalent to wipe the conntrack table?).

LayLow · November 5, 2024, 4:21pm

Probably way off track, but could Pi-hole play a role in blocking?

filippo_carletti · November 5, 2024, 5:28pm

When listing connections, please add -o labels.
See Block websites (protocol/messaging) - #5 by filippo_carletti

mrit · November 7, 2024, 10:46am

Unfortunately not - problem is that

(a) iCloud subscribers automatically uses the Private Relay feature which is at least a DoH implementation (probably more?!). However, “blocking” PR using DNS (as Apple suggests in their documentation) does not work for what ever reason

(b) Social apps like Snapchat and TikTok seem to use their very own DoH service (probably with hardcoded IP addresses as a fallback)

Both ways DNS requests cannot be blocked by Pi-Hole