
Great weather for the parade. Forgot my camera, so I am counting on the droid.

If you can see this, the wordpress app for the droid works. Albeit without spellcheck.
In case anyone wondered… Netflix on PS3 uses port 443.
Learned a little more about web content filters with regard to http vs. https calls. Interestingly, most web filters cannot block https calls. This means if a site such as “www.sitenamehere.com” is “blocked”, you cannot see the site with “http://” in front. However, place “https://” in front and (if SSL is enabled on the remote server) the website will appear! Evidently “https” communication is “secure” and thus specifically not checked by common web filters!
To me this was a bit of a surprise.
Found quite a few tools that would correct that condition, but for $500 + $120 per year, I did not find this cost effective for small networks (home and maybe business). My frugal side wanted to keep using “Untangle” as the price was right ($0), it has VPN, firewall, virus scanning, spyware blocking, spam blocking, phishing scanning, IDS, web filtering, and usage reports and it is already fully configured.
First, I looked into an improved web filter, the “eSoft” add-on from Untangle. A good solution, but at $25/month, a bit much for home use. Note to eSoft: make this $10/month and I will buy it.
For the network, some devices need to access https sites (banking, VPN, etc.) while for other devices we are trying to prevent access (anonymous proxies, other).
The next step was to try Safe Squid – excellent tool. A bit of cost, but not too bad. I may still change to this tool, but configuration would be required. Again, the Untangle tool in use is already configured and has been functioning for years.
So I started looking at other options that may be possible within Untangle (or any UTM tool) without additional cost. The goal is for some computers to have access to https (port 443)… and others to not have access. Just blocking SSL “protocols” worked, but impacted network access from all devices.
I then tried “port forwarding” all port 443 requests to a dead IP address. This worked to block access… but due to Untangle’s configuration, it blocked all devices.
The final solution: Untangle > Configuration > Network > Advanced > Packet filter. From here I set up a packet filter that specifically denies port 443 (https) access from given IP addresses. This did work, but someone with a bit more experience may just assign a different address to the specific device, thus bypassing the block. :(
Instead, again using the packet filter… I blocked ALL packets from port 443, then allowed only the MAC and related IP addresses of the allowed devices. This was much better as it only allowed specific devices access to port 443 packets, making it much more difficult for anyone to copy these parameters from an allowed device to a non-allowed device.
Still not yet 100% bullet proof… but indeed, it is free. Also, probably not good if you are trying to manage 500 devices… but OK if you are working with 25 or less.
Problem solved…. for now.
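The final approach described above (drop all port 443 traffic, then allow only known MAC and IP pairs), as an added example that is not part of the original post and not Untangle's own configuration: a shell script that prints the equivalent iptables rules for a generic Linux gateway. The FORWARD chain and the MAC/IP pairs are assumptions and constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): print iptables rules for a
# default-deny HTTPS policy with a MAC+IP allowlist. Nothing is applied.

# Constructed sample allowlist, one "MAC IP" pair per line.
ALLOWLIST='
02:00:00:aa:bb:01 192.168.1.10
02:00:00:aa:bb:02 192.168.1.11
'

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Reads "MAC IP" pairs on stdin; $1 is the chain (assumed FORWARD on a gateway).
# Returns non-zero if any entry was rejected, so a typo cannot pass silently.
gen_https_rules() {
    chain=${1:-FORWARD}
    rc=0
    while read -r mac ip; do
        [ -n "$mac" ] || continue
        if valid_mac "$mac" && valid_ipv4 "$ip"; then
            # Both the source IP and the source MAC must match to be allowed.
            printf 'iptables -A %s -p tcp --dport 443 -s %s -m mac --mac-source %s -j ACCEPT\n' \
                "$chain" "$ip" "$mac"
        else
            printf 'skipping invalid entry: %s %s\n' "$mac" "$ip" >&2
            rc=1
        fi
    done
    # Everything not explicitly allowed above is dropped.
    printf 'iptables -A %s -p tcp --dport 443 -j DROP\n' "$chain"
    return "$rc"
}

printf '%s\n' "$ALLOWLIST" | gen_https_rules FORWARD
```

Rule order matters here: the ACCEPT lines must come before the final DROP, which is why the generator always emits the DROP last.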
Just updated the back end to this blog… including themes and plugins. So far all is working. The computer prophets must be smiling upon me.
I decided to do an experiment… allow MS to “upgrade” the Vista computer to Windows 7. Normal advice would suggest it is better to reformat… but I thought I would try anyway. It took the computer about 12 hours to update itself… but at the end… success!
Let’s hope that it works for the long term!
… trying to remove malware from a computer. I know better. It is always easier to reformat and reload.
Test #1 of Twitterfeed… trying to use my blog to populate twitter and facebook
For right now, I am changing the presentation model. Before, my “Web 2.0” experiment was using Facebook as a central point for integration of other tools. No longer will this be the case. My web site and this blog are the central point. Facebook posts will now be updated from resources under my control. Sorry Facebook.
Now using twitter feed to populate Facebook and Twitter from “http://minorchord.com/blog/”. If this works…it is really cool!