#1 Untangler (joined Oct 2014, 35 posts)

Instant Messaging App IMO not blocked by Firewall Rules for no internet.

    So after extensive testing I came to the conclusion that IMO (on Android mobile) keeps working even when internet access is totally blocked.

    My Topology
    ========

    ISP Home Fibre Gateway ==> Untangle Transparent Bridge (2 NICs) ==> Tomato based Netgear Router/APs ==> Wired/Wireless Devices.

    I am not using SSL Inspector; I am not sure whether it is mandatory in my intended scenario or not. As I understand it, I would have to manually import the certificate on a number of devices (50 plus, including PCs/mobiles/TVs/gaming consoles/smart-home IoT), which is a rather tedious task I am putting off.

    My Scenario - spanning across Policy - Firewall - Application Control
    ==========================================

    Wanted to block access for certain identified devices (mobile phones, by IP address) for a complete internet blackout during the day, except for an hour and a half.

    So I made a policy + rule like below, to identify and tag devices for this specific policy.

    [attachment: Clipboard Image.jpg]

    [attachment: Clipboard Image (1).jpg]

    Then I enabled the bare minimum of apps I understood I would need to control access for the internet blackout and to control certain IM apps even when internet is available.

    So I added only the apps below, knowing that Firewall and Application Control are probably all I need.

    [attachment: Clipboard Image (2).jpg]

    Made the following firewall rule:

    [attachment: Clipboard Image (3).jpg]

    In addition to the firewall, I wanted to control the IM apps (since I saw that the firewall is unable to block them; more on that later). So I used Application Control as follows:

    [attachment: Clipboard Image (4).jpg]

    Revelations
    =======

    After setting up the above, in my wee mind I had conquered it all and achieved the holy grail of super fine-grained control over what can and cannot be done on my network, assuming the controls are working as desired.

    I found out that on the target mobiles (devices), when the policy time is active, internet reachability is blocked (the Wi-Fi connection icon on the mobile shows a little cross symbol) plus no browser pages can be opened. HOWEVER, the IMO + WhatsApp messaging apps on the mobile keep working, receiving and sending audio/video calls + messages. I am more focused on IMO.

    I tried various modes of connection:

    1. One mobile on 5G and another on home network - IMO keeps working.
    2. Both mobiles assigned to the restrictive policy - IMO keeps working.
    3. Establishing an active call session minutes before the policy restriction time comes into effect, to see if the call is disconnected - IMO keeps working.

    In short, despite internet browsing being blocked (not sure what other background services still work), the IMO app keeps working.

    It seems Firewall and Application Control are rendered useless for blocking this app; plus, the firewall rule should block any and all kinds of internet access, as I understand it.

    Can anyone point me in the right direction if I am missing anything, or if there is any other way of blocking this/all such apps?

    Thanks for your time and responses.

#2 Master Untangler (joined Jul 2010, Nanaimo B.C, 866 posts)

    Are you blocking "said" devices via MAC address or IP? Have you turned off "randomized" MAC address on the mobile devices?

    I created a video for this said time-based rule.
    Started Youtube Channel, Have a question about Untangle Ask me : jason @ jasonslab.ca
    https://www.youtube.com/c/jasonslabvideos << Please like and subscribe, helps me out !!

#3 Untangler (joined Oct 2014, 35 posts)

    Sure,

    The MAC address is not randomized (this option is not present on a somewhat dated, low-budget Android phone). It is the device default and fixed.

    For larger networks, going by the Untangle recommendation, I am using a fixed IP address (assigned by a static DHCP server).

    Although I have tried enabling the rule via MAC address, to no avail.

    Thanks.

#4 Master Untangler (joined Jul 2010, Nanaimo B.C, 866 posts)

    Quote Originally Posted by MindVentures:
    Sure,

    The MAC address is not randomized (this option is not present on a somewhat dated, low-budget Android phone). It is the device default and fixed.

    For larger networks, going by the Untangle recommendation, I am using a fixed IP address (assigned by a static DHCP server).

    Although I have tried enabling the rule via MAC address, to no avail.

    Thanks.
    If you are going to use IP based, make sure you throw that IP into the reservation pool.

    Also have a look at this video; if still stuck, let us know.

    https://www.youtube.com/watch?v=3g7wNFGn2rQ&t=222s

#5 Untangler (joined Oct 2014, 35 posts)

    Quote Originally Posted by dashpuppy:
    If you are going to use IP based, make sure you throw that IP into the reservation pool.

    Also have a look at this video; if still stuck, let us know.

    https://www.youtube.com/watch?v=3g7wNFGn2rQ&t=222s
    Thanks for pointing me to the video.

    I guess my case is a bit more than this, according to the details mentioned in my OP.

    The following differences exist between the approach shown in the video and my scenario.

    1. In the video it seems Untangle is handling DHCP host address assignment on the network; however, in my case DHCP is disabled on Untangle and handled through a FreshTomato (2021.2) based Netgear router, pretty stable and running like this for a long time. I have assigned a static DHCP binding for all devices, so whenever they connect their MAC gets the same IP from the pool.

    2. A username-based approach is also workable; however, the identifier to push any device into a certain policy can be IP/MAC/username/VLAN tag and so on, and one can choose based on his/her specific needs. For me, IP-based identification works fine.

    3. In the video, "blocking" the internet is tested (I believe) only by checking browser access to websites or YouTube streaming (as mentioned in the video). As I mentioned in my OP, the browser-based access restriction is working fine in my setup as well during the given time slot. However, during the very same time, the IM mobile apps keep working, hence my query is specifically directed towards blocking "Internet Messaging Apps on Mobile Devices". I recall, I guess, that I did ask this query earlier and I was directed to do packet capture and analysis. Will give it a try; however, it may be something beyond my novice-level understanding.

    A tip for time-based rules:
    ===============

    As mentioned in the documentation, to apply a rule throughout the whole day and only allow a certain time slot for it to be disabled, we have to enter the From and To times in reverse order, only for the time slot intended to be blockage-free.

    [attachment: Clipboard Image.jpg]

#6 Untangler (joined Oct 2014, 35 posts)

    Not much traction on the subject I guess.

    Anyone who can shed some 101 light on packet capture and how to use the findings from it to block a certain application?

    Or any pro user who can test the Android app "IMO" in their setup and guide me in the right direction.

    Your guidance would be appreciated.

#7 Master Untangler (joined Jul 2010, Nanaimo B.C, 866 posts)

    Quote Originally Posted by MindVentures:
    Not much traction on the subject I guess.

    Anyone who can shed some 101 light on packet capture and how to use the findings from it to block a certain application?

    Or any pro user who can test the Android app "IMO" in their setup and guide me in the right direction.

    Your guidance would be appreciated.
    Instead of using a "time" for now, can you try blocking with this policy without it, and see if it's actually blocking?

#8 Untangler (joined Jan 2021, 44 posts)

    Quote Originally Posted by MindVentures:
    So after extensive testing I came to the conclusion that IMO (on Android mobile) keeps working even when internet access is totally blocked.

    My Topology
    ========

    ISP Home Fibre Gateway ==> Untangle Transparent Bridge (2 NICs) ==> Tomato based Netgear Router/APs ==> Wired/Wireless Devices.
    May I ask why you're not using Untangle as your primary router and setting the Netgear as just an access point?

#9 Untangle Ninja jcoehoorn (joined Mar 2010, York, NE, 1,947 posts)

    Quote Originally Posted by MP715:
    May I ask why you're not using Untangle as your primary router and setting the Netgear as just an access point?
    Not sure on the OP's motivation, but I've known a few people to do this because the "router" had DHCP features built in that could only be replicated in Untangle via advanced configuration strings. It's not usually my first choice, but it works fine as long as Untangle is connected to a LAN port instead of the WAN port on the router and is set as the default gateway for the network.

    This configuration choice also has one inherent advantage, in that it keeps your internal network up in the case where Untangle goes down; you won't have internet access, but you'll still have printing, some better-engineered IoT services, file sharing, etc.
    Last edited by jcoehoorn; 08-01-2022 at 10:02 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

#10 Untangler (joined Oct 2014, 35 posts)

    Quote Originally Posted by jcoehoorn:
    Not sure on the OP's motivation, but I've known a few people to do this because the "router" had DHCP features built in that could only be replicated in Untangle via advanced configuration strings. It's not usually my first choice, but it works fine as long as Untangle is connected to a LAN port instead of the WAN port on the router and is set as the default gateway for the network.

    This configuration choice also has one inherent advantage, in that it keeps your internal network up in the case where Untangle goes down; you won't have internet access, but you'll still have printing, some better-engineered IoT services, file sharing, etc.
    This, as well as some other features of FreshTomato which I have grown accustomed to for my use cases.

    To name a few:

    Static DHCP Binding / VLAN configs / VPN Client Mode (and VPN routing for selected devices on network) while others use default gateway

    For ad blocking I have PiHole as the LAN DNS server, but this can also be achieved by custom ad lists in FreshTomato.

    Even a policy without the time boxing works fine for blocking internet access in terms of web browsing, media streaming etc. However, the mentioned instant messaging app on the mobile device keeps working, although it is available in "Application Control" (as in my screenshot in the OP) and I have selected to block/tarpit this application's traffic.

    It seems the app's traffic signature is not being correctly detected by Untangle so that it can be blocked.

    1. Is it necessary to use SSL Inspector when trying to use Application Control to block apps with encrypted traffic? Is it a must or optional?

    2. Can Untangle look into it, since the application name IMO is already included in the built-in stock list of apps, which should be easy to block/unblock with a few clicks?

    Cheers.
    Last edited by MindVentures; 08-02-2022 at 04:44 AM.
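Two points in this thread lend themselves to a small worked example: the tip in post #5 that a From/To pair entered in reverse order expresses "blocked all day except this slot", and the suggestion (posts #5 and #6) to use a packet capture to find out what a restricted phone is still reaching while the block window is active. The Python below is an added example written for this page; it is not Untangle code and does not use Untangle's log format. It assumes a constructed whitespace-separated session log (timestamp, source, destination, port, protocol, action), constructed device addresses in the 192.168.1.0/24 range, and a constructed free slot of 18:00-19:30; the destination addresses and ports are sample values, not addresses IMO or any other app is known to use.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time


def hhmm(text: str) -> time:
    """Parse an "HH:MM" string, the way a From/To field would be typed."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def in_window(now: time, start: time, end: time) -> bool:
    """True if `now` lies in the [start, end) window.

    start <= end is a plain same-day window. start > end is the "reversed"
    pair from the forum tip: the window wraps past midnight, so From 19:30 /
    To 18:00 is active from 19:30 through the night until 18:00 the next day,
    leaving only 18:00-19:30 free.
    """
    if start <= end:
        return start <= now < end
    return now >= start or now < end


@dataclass(frozen=True)
class Session:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    action: str  # "allow" or "block" (assumed two-valued field)


# Constructed sample log, not taken from the original thread or from Untangle.
# Assumed format per line: timestamp src dst dport proto action.
SAMPLE_LOG = """\
# restricted phone .50 during the daytime block (these should have been blocked)
2022-08-01T12:05:10 192.168.1.50 203.0.113.10 443  tcp allow
2022-08-01T12:06:00 192.168.1.50 198.51.100.7 3478 udp allow
2022-08-01T12:06:30 192.168.1.50 203.0.113.22 443  tcp block
# same phone inside the free 18:00-19:30 slot (expected to be allowed)
2022-08-01T18:30:00 192.168.1.50 203.0.113.10 443  tcp allow
# second restricted phone after the free slot has closed
2022-08-01T20:00:00 192.168.1.51 198.51.100.7 3478 udp allow
# unrestricted laptop, never subject to the rule
2022-08-01T20:01:00 192.168.1.60 203.0.113.10 443  tcp allow
"""


def parse_log(text: str) -> list:
    """Turn the constructed log text into Session records, skipping comments."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, action = line.split()
        sessions.append(Session(datetime.fromisoformat(ts), src, dst, int(dport), proto, action))
    return sessions


def audit(sessions, restricted, start: time, end: time) -> list:
    """Sessions from restricted devices that were allowed while the block window was active."""
    return [
        s for s in sessions
        if s.src in restricted and s.action == "allow" and in_window(s.ts.time(), start, end)
    ]


def summarize(leaks) -> dict:
    """Group leaked sessions by device into the (dst, port, proto) tuples it reached."""
    by_src = defaultdict(set)
    for s in leaks:
        by_src[s.src].add((s.dst, s.dport, s.proto))
    return dict(by_src)


RESTRICTED = {"192.168.1.50", "192.168.1.51"}        # constructed: phones tagged into the policy
BLOCK_FROM, BLOCK_TO = hhmm("19:30"), hhmm("18:00")  # reversed pair: block all day except 18:00-19:30

if __name__ == "__main__":
    leaks = audit(parse_log(SAMPLE_LOG), RESTRICTED, BLOCK_FROM, BLOCK_TO)
    for src, dests in sorted(summarize(leaks).items()):
        print(f"{src}: {len(dests)} destination(s) reached during the block window")
        for dst, port, proto in sorted(dests):
            print(f"  {dst}:{port}/{proto}")
```

The output is the list of destination/port/protocol tuples each restricted phone reached while it should have been offline, which is the starting point for deciding whether a firewall rule by destination or port, rather than an application signature, is what actually closes the gap. The half-open [start, end) comparison matters at the boundaries: 18:00 exactly is inside the free slot and 19:30 exactly is already blocked, so a rule and its test never disagree about the minute the window flips.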
