OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: maekar on January 18, 2017, 03:25:55 pm

Title: Help me to block traffic from iPad apps
Post by: maekar on January 18, 2017, 03:25:55 pm
Hi,

How can I block the traffic for apps that can't be blocked by destination IP (because they are unknown and too many) or port (they use standard ports)? For example, my clients are using the Betternet VPN app, which makes bypassing the OPNsense proxy extremely easy.

Thanks
Title: Re: Help me to block traffic from iPad apps
Post by: bartjsmit on January 18, 2017, 07:05:23 pm
Your best bet is Intrusion Detection with a bespoke rule. Documentation for Suricata rules is here: http://suricata.readthedocs.io/en/latest/rules/intro.html

Bart...
Title: Re: Help me to block traffic from iPad apps
Post by: maekar on January 26, 2017, 09:59:26 am
> Your best bet is Intrusion Detection with a bespoke rule. Documentation for Suricata rules is here: http://suricata.readthedocs.io/en/latest/rules/intro.html
>
> Bart...

Hi, thanks for the help. I've never used IDS and I'm quite lost. How can I make the rule for blocking the Betternet app, and, specifically, how can I do that on OPNsense?

Title: Re: Help me to block traffic from iPad apps
Post by: bartjsmit on January 26, 2017, 03:37:40 pm
OPNsense allows for user-defined rules with a few parameters. E.g. you can filter on the SSL certificate of the VPN servers. For more in-depth rules you would need to ask on the Suricata forums. You can also set the Betternet servers/domains as host overrides in DNS.

Do realise that there is an awfully large number of VPN services out there, and blocking one will only cause users to use another. You may be better off agreeing that VPN is not allowed and keep an eye on your netflow stats for recurring connections that are maintained for a long time.

Bart...
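
The netflow review suggested in the last reply, as an added example that is not part of the original thread: a Python script that flags client/server pairs whose long-lived connections recur on several days. The CSV column layout, the thresholds and the function name are assumptions, and the sample flows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample flow export (not real traffic). Assumed columns:
# start time, duration in seconds, client, server, server port, bytes.
SAMPLE_FLOWS = """\
start,duration_s,src,dst,dport,bytes
2017-01-23T08:02:11,14400,192.168.1.50,203.0.113.10,443,912000000
2017-01-24T08:05:40,12600,192.168.1.50,203.0.113.10,443,780000000
2017-01-25T08:01:03,15100,192.168.1.50,203.0.113.10,443,1010000000
2017-01-23T09:15:00,35,192.168.1.51,198.51.100.7,443,48000
2017-01-24T10:20:00,42,192.168.1.51,198.51.100.7,443,51000
2017-01-25T11:00:00,9000,192.168.1.52,198.51.100.99,443,300000000
"""

def find_tunnel_candidates(flow_csv, min_duration_s=3600, min_days=2):
    """Return pairs with long-lived flows that recur on at least min_days days."""
    days = defaultdict(set)               # key -> dates on which a long flow started
    totals = defaultdict(lambda: [0, 0])  # key -> [seconds, bytes] over long flows
    for row in csv.DictReader(io.StringIO(flow_csv)):
        duration = int(row["duration_s"])
        if duration < min_duration_s:
            continue  # ordinary short web requests are not of interest here
        key = (row["src"], row["dst"], int(row["dport"]))
        days[key].add(datetime.fromisoformat(row["start"]).date())
        totals[key][0] += duration
        totals[key][1] += int(row["bytes"])
    hits = [
        {"flow": key, "days": len(seen),
         "seconds": totals[key][0], "bytes": totals[key][1]}
        for key, seen in days.items()
        if len(seen) >= min_days  # a one-off long download is not "recurring"
    ]
    # Longest cumulative connection time first
    return sorted(hits, key=lambda h: h["seconds"], reverse=True)

if __name__ == "__main__":
    for hit in find_tunnel_candidates(SAMPLE_FLOWS):
        src, dst, dport = hit["flow"]
        print(f"{src} -> {dst}:{dport} long-lived on {hit['days']} days, "
              f"{hit['seconds'] / 3600:.1f} h, {hit['bytes'] / 1e6:.0f} MB")
```

A pair that shows up here is only a candidate for review: backups, video streams and remote-desktop sessions produce the same pattern, so the destination still has to be checked before any rule is written.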