
Resolved
0 votes
Hi all,

How can I block Ultrasurf?

I manually added a firewall rule for incoming and outgoing connections, blocking port 443. Ultrasurf is blocked, but Hotmail does not open.

Any idea?
Saturday, September 04 2010, 11:57 PM
Responses (18)
  • Accepted Answer

    Renan Mara
    Wednesday, September 28 2011, 03:07 AM - #Permalink
    Resolved
    0 votes
    Has anyone here had experience blocking Ultrasurf using:

    iptables -I FORWARD -p tcp --dport 443 --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 77 --hex-string '|16030100410100003d0301|' --algo bm -j DROP

    iptables -I FORWARD -p tcp --dport 443 --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 512 --hex-string '|00040005000a00090064006200030006001300120063|' --algo bm -j DROP

    After successful blocking, Firefox cannot browse mail.yahoo.com and yahoo.com? Chrome and IE have no problem browsing. I used a proxy (authentication) and configured my Firefox correctly.
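What the two `--hex-string` patterns in the rules above actually pin, as an added example that is not part of any post in this thread: the first is a TLS record and ClientHello header with fixed lengths, the second a run of eleven cipher suite code points. The helpers and the sample handshake are constructed for illustration, and `rule_matches` is a simplified model of the string match that assumes 40 bytes of IP and TCP headers.

```python
import struct

# Byte patterns copied from the two --hex-string rules posted in the thread.
SIG_HEADER = bytes.fromhex("16030100410100003d0301")
SIG_SUITES = bytes.fromhex("00040005000a00090064006200030006001300120063")

def decode_header(sig):
    """Name the TLS record and handshake header fields the first pattern pins."""
    ctype, rec_ver, rec_len, hs_type = struct.unpack("!BHHB", sig[:6])
    return {
        "content_type": ctype,                      # 0x16 = handshake
        "record_version": rec_ver,                  # 0x0301 = TLS 1.0
        "record_length": rec_len,
        "handshake_type": hs_type,                  # 0x01 = ClientHello
        "handshake_length": int.from_bytes(sig[6:9], "big"),
        "client_version": int.from_bytes(sig[9:11], "big"),
    }

def decode_suites(sig):
    """Split the second pattern into 16-bit cipher suite code points."""
    return [v for (v,) in struct.iter_unpack("!H", sig)]

def build_client_hello(suites, version=0x0301):
    """Constructed ClientHello: zero random, no session ID, no extensions."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

def rule_matches(payload, sig, to, headers_len=40):
    """Simplified model of '-m string --to N': the pattern lies within the first
    N bytes of the packet, assuming 40 bytes of IP+TCP headers (no options)."""
    idx = payload.find(sig)
    return idx != -1 and headers_len + idx + len(sig) <= to

if __name__ == "__main__":
    suites = decode_suites(SIG_SUITES)
    print(decode_header(SIG_HEADER))
    print([f"0x{s:04x}" for s in suites])
    # Constructed handshakes: the same 11 suites, then one extra suite appended.
    for label, offered in (("11 suites", suites), ("12 suites", suites + [0x002F])):
        hello = build_client_hello(offered)
        print(label, rule_matches(hello, SIG_HEADER, 77),
              rule_matches(hello, SIG_SUITES, 512))
```

Both patterns describe the shape of a TLS 1.0 handshake rather than anything unique to one program: a constructed ClientHello offering these eleven suites with no session ID or extensions reproduces the first pattern byte for byte, and the first pattern stops matching as soon as the handshake length changes.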
  • Accepted Answer

    Wednesday, July 27 2011, 01:22 PM - #Permalink
    Resolved
    0 votes
    Hi all, I have the same problem with Ultrasurf on my network. Can the Snort that is on ClearOS be used for this? I'm not sure if it should be the IPS or IDS part, as I do not have that much experience with Snort. I noticed that the Emerging Threats emerging-policy.rules has rules to detect Ultrasurf and Freegate DNS queries.
  • Accepted Answer

    yoetama
    Wednesday, July 27 2011, 04:12 AM - #Permalink
    Resolved
    0 votes
    :( Until now, I have not found a suitable answer to limit UltraSurf.
  • Accepted Answer

    Sunday, July 03 2011, 08:28 PM - #Permalink
  • Accepted Answer

    Wednesday, May 18 2011, 02:12 PM - #Permalink
    Resolved
    0 votes
    Hi Tim,

    Yes, my ClearOS is set up as a gateway. I can see many users surfing on sites that are set as banned sites!!
  • Accepted Answer

    Sunday, May 15 2011, 10:56 PM - #Permalink
    Resolved
    0 votes
    Marco, when you have turned transparent mode off, with the web proxy enabled all outgoing https and http traffic will be redirected through ClearOS.

    This is enough for me here to block Ultrasurf... What is your network config? Is ClearOS your gateway device?

    To see what your actual firewall config is, have a look at the output of the following commands:
    iptables -t nat -L -n -v
    iptables -L -n -v
  • Accepted Answer

    Tuesday, May 03 2011, 05:48 PM - #Permalink
    Resolved
    0 votes
    Tim, I have a question: where can I see the configuration files for incoming ports? I ask because I have everything blocked, specifying the destination ports as policy in the outgoing menu; however, the users are still using Ultrasurf.

    My proxy mode isn't transparent mode.
  • Accepted Answer

    Friday, March 25 2011, 09:58 PM - #Permalink
    Resolved
    0 votes
    up,

    any idea ?
  • Accepted Answer

    Wednesday, March 16 2011, 07:53 PM - #Permalink
    Resolved
    0 votes
    Arya Natanael Toshioki wrote:
    Try to block Ultrasurf with iptables by dropping packets sent by UltraSurf ^^

    iptables -I FORWARD -p tcp --dport 443 --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 77 --hex-string '|16030100410100003d0301|' --algo bm -j DROP

    iptables -I FORWARD -p tcp --dport 443 --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 512 --hex-string '|00040005000a00090064006200030006001300120063|' --algo bm -j DROP

    This code is only for UltraSurf. There is other proxy bypass software like FreeGate, yourfreedom, etc.; I think you have to find a packet sent by that bypass program too.



    This is not working ... :S
  • Accepted Answer

    Gilberto
    Saturday, October 16 2010, 05:21 PM - #Permalink
    Resolved
    0 votes
    Hi friend, does this rule work? What is -algo in the rule? Have a nice day.
  • Accepted Answer

    Monday, September 27 2010, 05:05 PM - #Permalink
    Resolved
    0 votes
    Try to block Ultrasurf with iptables by dropping packets sent by UltraSurf ^^

    iptables -I FORWARD -p tcp --dport 443 --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 77 --hex-string '|16030100410100003d0301|' --algo bm -j DROP

    iptables -I FORWARD -p tcp --dport 443 --tcp-flags SYN,ACK,FIN,RST,PSH ACK,PSH -m string --to 512 --hex-string '|00040005000a00090064006200030006001300120063|' --algo bm -j DROP

    This code is only for UltraSurf. There is other proxy bypass software like FreeGate, yourfreedom, etc.; I think you have to find a packet sent by that bypass program too.
  • Accepted Answer

    Thursday, September 09 2010, 08:07 AM - #Permalink
    Resolved
    0 votes
    Hi Andreas, no, quite the opposite - when transparent mode is disabled the ClearOS firewall is catching outgoing traffic and redirecting it through the proxy; this prevents the Ultrasurf program from making outbound connections to its own proxy.

    I'm not sure what your problem is - you appear to think that your problems imply that it doesn't work for everyone else, either way the forums are for constructive feedback - not just "use something else because it doesn't work for me"

    ClearOS, like nearly all Linux distros, is based on iptables, which is a very solid firewall system. I should add that it is not possible to cater for every individual firewall configuration - the webconfig does a good job for all standard setups, however more complicated network environments can require some additional iptables configuration.
  • Accepted Answer

    Wednesday, September 08 2010, 11:01 PM - #Permalink
    Resolved
    0 votes
    OK, I've looked into this little proxying app and learnt a little about its behaviour.

    It circumvents the proxy in transparent mode. It listens on the client at port 9666, and when started sets IE to use the local proxy instead of the system, and tries to connect to many IPs on port 443 (HTTPS). The clever bit is that traffic from the client to the proxy is from a random local source port (not port 9666) - this means you can't simply block port 9666 traffic.

    I managed to block it reliably simply by turning transparent mode off. This prevents any other web traffic leaving except if passed through the ClearOS proxy. However in this situation you have to then manually configure each PC to use the ClearOS proxy (port 8080) or use the proxy auto detect function.

    When transparent mode is off the outgoing http requests are blocked by the internal routing within the ClearOS firewall :)
  • Accepted Answer

    Tuesday, September 07 2010, 12:21 AM - #Permalink
    Resolved
    0 votes
    The proxy check box is enabled.

    Can you try Ultrasurf on your system?
  • Accepted Answer

    Joe Mott
    Tuesday, September 07 2010, 12:00 AM - #Permalink
    Resolved
    0 votes
    If you have already enabled Content Filter:

    Go to Gateway, Content Filter, Blacklists - check the box for proxy.
  • Accepted Answer

    Monday, September 06 2010, 09:17 PM - #Permalink
    Resolved
    0 votes
    Yes, web proxy in transparent mode with content filter.

    I have already blocked Ultrasurf links, but it does not work ...

    When running Ultrasurf, all blocked content and sites open.
  • Accepted Answer

    Monday, September 06 2010, 07:47 PM - #Permalink
    Resolved
    0 votes
    Hi, have you tried using the web proxy in transparent mode with the content filter? It's designed to filter out web sites that you don't want to allow access to.
  • Accepted Answer

    Monday, September 06 2010, 06:35 PM - #Permalink
    Resolved
    0 votes
    up ?