No, "Force MECguard SSL" will block _all_ HTTPS traffic (the idea is that you check this box after you have your browsers setup to use MECguard for HTTPS as a proxy server to enforce it). On Fri, Apr 8, 2011 at 12:36 PM, Jaimie Moores <[log in to unmask]> wrote: > Does "Force MECGuard SSL" have to be checked in order for the closed port > rules to work? > > Jaimie Moores > Technology Coordinator > PowerSchool Administrator > Machias Memorial High School > > > On Fri, Apr 8, 2011 at 11:34 AM, Ray Soucy <[log in to unmask]> wrote: >> >> Facebook currently has 2 IP networks: >> 1. MailScanner has detected a possible fraud attempt from "66.220.144.0" >> claiming to be 66.220.144.0/20 >> 2. MailScanner has detected a possible fraud attempt from "69.63.176.0" >> claiming to be 69.63.176.0/20 >> >> Steps for a Firewall block of Facebook (as opposed to MECguard): >> >> Step 1: Create two "Closed Port" rules with the following settings: >> >> Rule 1: >> >> Description: Facebook >> Rule Chain: FORWARD >> Source Type: Firewall Group >> Source Group: LAN (or whatever group you want blocked) >> Destination Type: IP/Hostname >> Destination IP/Hostname: MailScanner has detected a possible fraud attempt >> from "66.220.144.0" claiming to be 66.220.144.0/20 >> Protocol: TCP >> Closed Ports: 80,443 >> >> Rule 2: >> >> Description: Facebook >> Rule Chain: FORWARD >> Source Type: Firewall Group >> Source Group: LAN (or whatever group you want blocked) >> Destination Type: IP/Hostname >> Destination IP/Hostname: MailScanner has detected a possible fraud attempt >> from "69.63.176.0" claiming to be 69.63.176.0/20 >> Protocol: TCP >> Closed Ports: 80,443 >> >> On Fri, Apr 8, 2011 at 11:14 AM, Eric R. Warren <[log in to unmask]> >> wrote: >> > That's a useful trick! Would you mind sharing those Facebook-blocking >> > settings with us? >> > >> > Eric >> > MSAD 45 >> > >> > -----Original Message----- >> > From: Joebox User [mailto:[log in to unmask]] On Behalf Of Ray >> > Soucy >> > Sent: Friday, April 08, 2011 11:08 AM >> > To: [log in to unmask] >> > Subject: Re: Joebox Updates >> > >> > Linda, >> > >> > If you were using the old "MECguard SSL" it would no longer be active >> > after the upgrade (to my knowledge only a handful of people were >> > trying to use it because of all the browser errors it would generate). >> > >> > The "Force MECguard SSL" option will block SSL requests unless made >> > using a proxy server, but requires that browsers know about the proxy >> > server (as described in the MECguard notes I posted a few days ago). >> > >> > Other than that, it shouldn't have changed. >> > >> > I've created two "Closed Port" rules in your Firewall that will block >> > web access to the Facebook IP networks, but left them disabled. You >> > can enable these rules and restart your firewall if you want to start >> > blocking access to Facebook over HTTPS. >> > >> > I've noticed that you only have one Group for MECguard. If you block >> > Facebook using the Firewall you might want to create a "Teachers" >> > group with the IP addresses of teacher PCs so you can create a rule to >> > not block Facebook for those users. >> > >> > Because you're running a "LOW" Firewall policy, you'll need to apply >> > the 12.1 software update before Open Port rules to do this will work, >> > the Software Update can be run at any time. >> > >> > Feel free to give support a call if you'd like us to do any of this >> > for you: 1-888-367-6756 >> > >> > Sorry about any disruption... The upgrade was a major change and >> > required a manual process to apply. Future updates will be provided >> > through the Software Update tool and be left up to you to apply. >> > >> > On Fri, Apr 8, 2011 at 9:38 AM, Linda Chaisson <[log in to unmask]> >> > wrote: >> >> Ray: >> >> Previously our students couldn’t get to facebook by adding the s to >> >> http >> > and >> >> now they can. Was anything changed? >> >> Thanks, >> >> Linda >> >> >> >> >> >> >> >> On 4/6/11 1:24 PM, "Ray Soucy" <[log in to unmask]> wrote: >> >> >> >> We realize that for many of you it seems like you just upgraded, but >> >> some of you have been running the code for over a month and have found >> >> a bug or two. We have a minor update available. >> >> >> >> Feel free to apply this update using the "Software Update" tool on the >> >> Joebox at your convince. This is a non-critical update and can be >> >> applied at any time. >> >> >> >> As always, if you need help running the Software Update utility, or >> >> encounter any problems, please give us a call: 1-888-367-6756 >> >> >> >> New packages are labeled 12.1. >> >> >> >> Change Log: >> >> >> >> 1. A "Reinitialize Firewall" button has been added to the Firewall >> >> options page. This button does a forced restart of the Firewall >> >> service (all rules are flushed and re-added) to recover from the >> >> Firewall Engine becoming out of sync. If you run into a situation >> >> where using this button is the only way to "fix" your Joebox please >> >> contact us so we can take a look at your configuration and track down >> >> the invalid rule that is causing problems. >> >> >> >> 2. Port Forward rules with protocol "IP" weren't ignoring port fields >> >> (causing invalid rules). This is now fixed. >> >> >> >> 3. Open Port rules were not being applied when a Firewall policy level >> >> of LOW was in use. They should now be applied correctly. >> >> >> >> 4. In isolated circumstances, some traffic making use of TCP window >> >> scaling was being marked as INVALID by connection state tracking and >> >> being dropped by the Firewall. This was found to be affecting less >> >> than 1% of traffic. This should now be fixed, as TCP window size is >> >> no longer used to determine packet validity. >> >> >> >> 5. Minor update to SNMP to facilitate changes in Joebox monitoring by >> >> Networkmaine. >> >> >> >> 6. Minor UI update to fix changing of static route to be applied >> >> without >> >> reboot. >> >> >> >> 7. Minor UI update to allow DHCP service to be disable if in a failed >> >> status (e.g. enabled without a valid configuration), mostly to get rid >> >> of the "red" status indicator for sites not using DHCP on the Joebox. >> >> >> >> Linda Chaisson >> >> Technology Coordinator >> >> Regional School Unit 16 >> >> C/O PRHS - 1457 Maine Street >> >> Poland, ME 04274 >> >> 207-998-5400 Ext 103 >> >> [log in to unmask] >> >> >> >> >> > >> > >> > >> > -- >> > Ray Soucy >> > >> > Epic Communications Specialist >> > >> > Phone: +1 (207) 561-3526 >> > >> > Networkmaine, a Unit of the University of Maine System >> > http://www.networkmaine.net/ >> > >> >> >> >> -- >> Ray Soucy >> >> Epic Communications Specialist >> >> Phone: +1 (207) 561-3526 >> >> Networkmaine, a Unit of the University of Maine System >> http://www.networkmaine.net/ > > The information transmitted herein is intended only for the person or entity > to which it is addressed and may contain confidential material. Any review, > retransmission, dissemination or other use of, or taking of any action in > reliance upon, this information by persons or entities other than the > intended recipient is prohibited. If you received this in error, please > contact the sender and delete the e-mail and any attachments from any > computer. > > -- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/