JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From: Ray Soucy <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Fri, 8 Apr 2011 12:49:23 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (215 lines)

No, "Force MECguard SSL" will block _all_ HTTPS traffic (the idea is
that you check this box after you have your browsers set up to use
MECguard for HTTPS as a proxy server to enforce it).

On Fri, Apr 8, 2011 at 12:36 PM, Jaimie Moores <[log in to unmask]> wrote:
> Does "Force MECGuard SSL" have to be checked in order for the closed port
> rules to work?
>
> Jaimie Moores
> Technology Coordinator
> PowerSchool Administrator
> Machias Memorial High School
>
>
> On Fri, Apr 8, 2011 at 11:34 AM, Ray Soucy <[log in to unmask]> wrote:
>>
>> Facebook currently has 2 IP networks:
>> 1. 66.220.144.0/20
>> 2. 69.63.176.0/20
>>
>> Steps for a Firewall block of Facebook (as opposed to MECguard):
>>
>> Step 1: Create two "Closed Port" rules with the following settings:
>>
>> Rule 1:
>>
>> Description: Facebook
>> Rule Chain: FORWARD
>> Source Type: Firewall Group
>> Source Group: LAN (or whatever group you want blocked)
>> Destination Type: IP/Hostname
>> Destination IP/Hostname: 66.220.144.0/20
>> Protocol: TCP
>> Closed Ports: 80,443
>>
>> Rule 2:
>>
>> Description: Facebook
>> Rule Chain: FORWARD
>> Source Type: Firewall Group
>> Source Group: LAN (or whatever group you want blocked)
>> Destination Type: IP/Hostname
>> Destination IP/Hostname: 69.63.176.0/20
>> Protocol: TCP
>> Closed Ports: 80,443
>>
>> On Fri, Apr 8, 2011 at 11:14 AM, Eric R. Warren <[log in to unmask]>
>> wrote:
>> > That's a useful trick!  Would you mind sharing those Facebook-blocking
>> > settings with us?
>> >
>> > Eric
>> > MSAD 45
>> >
>> > -----Original Message-----
>> > From: Joebox User [mailto:[log in to unmask]] On Behalf Of Ray
>> > Soucy
>> > Sent: Friday, April 08, 2011 11:08 AM
>> > To: [log in to unmask]
>> > Subject: Re: Joebox Updates
>> >
>> > Linda,
>> >
>> > If you were using the old "MECguard SSL" it would no longer be active
>> > after the upgrade (to my knowledge only a handful of people were
>> > trying to use it because of all the browser errors it would generate).
>> >
>> > The "Force MECguard SSL" option will block SSL requests unless made
>> > using a proxy server, but requires that browsers know about the proxy
>> > server (as described in the MECguard notes I posted a few days ago).
>> >
>> > Other than that, it shouldn't have changed.
>> >
>> > I've created two "Closed Port" rules in your Firewall that will block
>> > web access to the Facebook IP networks, but left them disabled.  You
>> > can enable these rules and restart your firewall if you want to start
>> > blocking access to Facebook over HTTPS.
>> >
>> > I've noticed that you only have one Group for MECguard.  If you block
>> > Facebook using the Firewall you might want to create a "Teachers"
>> > group with the IP addresses of teacher PCs so you can create a rule to
>> > not block Facebook for those users.
>> >
>> > Because you're running a "LOW" Firewall policy, you'll need to apply
>> > the 12.1 software update before Open Port rules to do this will work.
>> > The Software Update can be run at any time.
>> >
>> > Feel free to give support a call if you'd like us to do any of this
>> > for you: 1-888-367-6756
>> >
>> > Sorry about any disruption... The upgrade was a major change and
>> > required a manual process to apply.  Future updates will be provided
>> > through the Software Update tool and be left up to you to apply.
>> >
>> > On Fri, Apr 8, 2011 at 9:38 AM, Linda Chaisson <[log in to unmask]>
>> > wrote:
>> >> Ray:
>> >> Previously our students couldn’t get to facebook by adding the s to http
>> >> and now they can. Was anything changed?
>> >> Thanks,
>> >> Linda
>> >>
>> >>
>> >>
>> >> On 4/6/11 1:24 PM, "Ray Soucy" <[log in to unmask]> wrote:
>> >>
>> >> We realize that for many of you it seems like you just upgraded, but
>> >> some of you have been running the code for over a month and have found
>> >> a bug or two.  We have a minor update available.
>> >>
>> >> Feel free to apply this update using the "Software Update" tool on the
>> >> Joebox at your convenience.  This is a non-critical update and can be
>> >> applied at any time.
>> >>
>> >> As always, if you need help running the Software Update utility, or
>> >> encounter any problems, please give us a call: 1-888-367-6756
>> >>
>> >> New packages are labeled 12.1.
>> >>
>> >> Change Log:
>> >>
>> >> 1. A "Reinitialize Firewall" button has been added to the Firewall
>> >> options page.  This button does a forced restart of the Firewall
>> >> service (all rules are flushed and re-added) to recover from the
>> >> Firewall Engine becoming out of sync.  If you run into a situation
>> >> where using this button is the only way to "fix" your Joebox please
>> >> contact us so we can take a look at your configuration and track down
>> >> the invalid rule that is causing problems.
>> >>
>> >> 2. Port Forward rules with protocol "IP" weren't ignoring port fields
>> >> (causing invalid rules).   This is now fixed.
>> >>
>> >> 3. Open Port rules were not being applied when a Firewall policy level
>> >> of LOW was in use.  They should now be applied correctly.
>> >>
>> >> 4. In isolated circumstances, some traffic making use of TCP window
>> >> scaling was being marked as INVALID by connection state tracking and
>> >> being dropped by the Firewall.  This was found to be affecting less
>> >> than 1% of traffic.  This should now be fixed, as TCP window size is
>> >> no longer used to determine packet validity.
>> >>
>> >> 5. Minor update to SNMP to facilitate changes in Joebox monitoring by
>> >> Networkmaine.
>> >>
>> >> 6. Minor UI update to fix changing of static route to be applied
>> >> without reboot.
>> >>
>> >> 7. Minor UI update to allow DHCP service to be disabled if in a failed
>> >> status (e.g. enabled without a valid configuration), mostly to get rid
>> >> of the "red" status indicator for sites not using DHCP on the Joebox.
>> >>
>> >> Linda Chaisson
>> >> Technology Coordinator
>> >> Regional School Unit 16
>> >> C/O PRHS - 1457 Maine Street
>> >> Poland, ME 04274
>> >> 207-998-5400 Ext 103
>> >> [log in to unmask]
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Ray Soucy
>> >
>> > Epic Communications Specialist
>> >
>> > Phone: +1 (207) 561-3526
>> >
>> > Networkmaine, a Unit of the University of Maine System
>> > http://www.networkmaine.net/
>> >
>>
>>
>>
>> --
>> Ray Soucy
>>
>> Epic Communications Specialist
>>
>> Phone: +1 (207) 561-3526
>>
>> Networkmaine, a Unit of the University of Maine System
>> http://www.networkmaine.net/
>
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
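
A model of the two "Closed Port" rules from the quoted steps, with the suggested "Teachers" exemption, added here as an example; it is not part of the original messages and not Joebox code. It assumes first-match rule ordering with unmatched traffic forwarded, and the LAN and Teachers addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

# The two Facebook networks listed in the thread (as of April 2011).
FACEBOOK_NETS = ["66.220.144.0/20", "69.63.176.0/20"]

# Constructed sample groups; real membership comes from the firewall's own config.
GROUPS = {
    "LAN": ["10.1.0.0/16"],
    "Teachers": ["10.1.20.11/32", "10.1.20.12/32"],
}

@dataclass
class Rule:
    action: str         # "ALLOW" (exemption) or "BLOCK" (closed port)
    source_group: str   # Source Type: Firewall Group
    destination: str    # Destination IP/Hostname, as CIDR
    protocol: str
    ports: tuple

    def matches(self, src, dst, proto, port):
        in_group = any(ipaddress.ip_address(src) in ipaddress.ip_network(n)
                       for n in GROUPS[self.source_group])
        in_dest = ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination)
        return in_group and in_dest and proto == self.protocol and port in self.ports

def build_rules(exempt_group=None):
    """Exemptions first, then one closed-port rule per Facebook network."""
    rules = []
    if exempt_group:
        rules += [Rule("ALLOW", exempt_group, n, "TCP", (80, 443)) for n in FACEBOOK_NETS]
    rules += [Rule("BLOCK", "LAN", n, "TCP", (80, 443)) for n in FACEBOOK_NETS]
    return rules

def decide(rules, src, dst, proto, port):
    """First matching rule wins; unmatched traffic is forwarded (assumed default)."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "ALLOW"

def covered_range(cidr):
    """First and last address of a network, to see exactly what a /20 closes."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1])
```

Because the match is on destination network and port rather than on URL, it applies to HTTP and HTTPS alike, and any address outside the two /20 ranges is not covered.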
