-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm not using linux. :) Layer 7 filtering requires application-level proxy or DPI. We talking about filtering, isn't it? On Cisco this task requires a bit investigation (sniffing and tcpiputils.com) and simple add some ACL's: ip access-list extended TO_INET remark Network 100 is passed permit ip 192.168.100.0 0.0.0.255 any remark Hamachi deny ip 25.0.0.0 0.255.255.255 any deny ip 64.34.106.0 0.0.0.255 any deny ip any host 69.25.21.195 deny ip any host 74.201.75.195 deny ip any host 146.255.195.92 remark ZenMate servers deny ip any 162.159.244.0 0.0.0.255 deny ip any 78.137.96.0 0.0.7.255 deny ip any 46.165.192.0 0.0.63.255 deny ip any 207.244.64.0 0.0.63.255 deny ip any 178.162.128.0 0.0.127.255 deny ip any 179.43.128.0 0.0.31.255 deny ip any 88.150.192.0 0.0.31.255 deny ip any 31.7.56.0 0.0.7.255 deny ip any 185.12.44.0 0.0.3.255 deny ip any 103.10.197.0 0.0.0.255 deny ip any 37.58.48.0 0.0.15.255 deny ip any 5.152.192.0 0.0.31.255 deny ip any 81.17.16.0 0.0.15.255 deny ip any 199.115.112.0 0.0.7.255 deny ip any 103.10.199.0 0.0.0.255 remark Opera Turbo servers deny ip any 37.228.104.0 0.0.7.255 deny ip any 141.0.8.0 0.0.7.255 deny ip any 82.145.208.0 0.0.15.255 deny ip any 195.189.142.0 0.0.1.255 deny ip any 185.26.180.0 0.0.3.255 remark Ultrasurf port deny tcp any any eq 9666 remark Hola deny ip any host 107.22.193.119 deny ip any host 54.225.121.9 deny ip any host 54.225.227.202 deny ip any host 54.243.128.120 deny tcp any any eq 6851 deny tcp any any eq 6861 deny ip any 107.155.75.0 0.0.0.255 deny ip any 103.18.42.0 0.0.0.255 deny ip any 103.27.232.0 0.0.0.255 deny ip any 103.4.16.0 0.0.0.255 deny ip any 103.6.87.0 0.0.0.255 deny ip any 104.131.128.0 0.0.15.255 deny ip any 106.185.0.0 0.0.127.255 deny ip any 106.186.64.0 0.0.63.255 deny ip any 106.187.0.0 0.0.63.255 deny ip any 107.155.85.0 0.0.0.255 deny ip any 107.161.144.0 0.0.7.255 deny ip any 107.170.0.0 0.0.127.255 deny ip any 107.181.166.0 0.0.0.255 deny ip any 107.190.128.0 0.0.15.255 deny ip any 107.191.100.0 0.0.3.255 deny ip any 108.61.208.0 0.0.1.255 deny ip any 109.74.192.0 0.0.15.255 deny ip any 128.199.128.0 0.0.63.255 deny ip any 14.136.236.0 0.0.0.255 deny ip any 149.154.157.0 0.0.0.255 deny ip any 149.62.168.0 0.0.3.255 deny ip any 151.236.18.0 0.0.0.255 deny ip any 158.255.208.0 0.0.0.255 deny ip any 162.213.197.0 0.0.0.255 deny ip any 162.217.132.0 0.0.3.255 deny ip any 162.218.92.0 0.0.1.255 deny ip any 162.221.180.0 0.0.1.255 deny ip any 162.243.0.0 0.0.127.255 deny ip any 167.88.112.0 0.0.3.255 deny ip any 168.235.64.0 0.0.3.255 deny ip any 173.255.192.0 0.0.15.255 deny ip any 176.58.96.0 0.0.31.255 deny ip any 176.9.0.0 0.0.255.255 deny ip any 177.67.81.0 0.0.0.255 deny ip any 178.209.32.0 0.0.31.255 deny ip any 178.79.128.0 0.0.63.255 deny ip any 192.110.160.0 0.0.0.255 deny ip any 192.121.112.0 0.0.0.255 deny ip any 192.184.80.0 0.0.7.255 deny ip any 192.211.49.0 0.0.0.255 deny ip any 192.241.160.0 0.0.31.255 deny ip any 192.30.32.0 0.0.3.255 deny ip any 192.34.56.0 0.0.7.255 deny ip any 192.40.56.0 0.0.0.255 deny ip any 192.73.232.0 0.0.7.255 deny ip any 192.81.208.0 0.0.7.255 deny ip any 192.99.0.0 0.0.255.255 deny ip any 198.147.20.0 0.0.0.255 deny ip any 198.211.96.0 0.0.15.255 deny ip any 198.58.96.0 0.0.31.255 deny ip any 199.241.28.0 0.0.3.255 deny ip any 208.68.36.0 0.0.3.255 deny ip any 209.222.30.0 0.0.0.255 deny ip any 213.229.64.0 0.0.63.255 deny ip any 217.170.192.0 0.0.15.255 deny ip any 217.78.0.0 0.0.15.255 deny ip any 23.227.160.0 0.0.0.255 deny ip any 23.249.168.0 0.0.1.255 deny ip any 23.29.124.0 0.0.0.255 deny ip any 31.193.128.0 0.0.15.255 deny ip any 31.220.24.0 0.0.3.255 deny ip any 37.139.0.0 0.0.31.255 deny ip any 37.235.52.0 0.0.0.255 deny ip any 41.215.240.0 0.0.0.255 deny ip any 41.223.52.0 0.0.0.255 deny ip any 46.17.56.0 0.0.7.255 deny ip any 46.19.136.0 0.0.7.255 deny ip any 46.246.0.0 0.0.127.255 deny ip any 46.38.48.0 0.0.7.255 deny ip any 46.4.0.0 0.0.255.255 deny ip any 5.9.0.0 0.0.255.255 deny ip any 50.116.32.0 0.0.15.255 deny ip any 66.85.128.0 0.0.63.255 deny ip any 74.82.192.0 0.0.31.255 deny ip any 77.237.248.0 0.0.1.255 deny ip any 81.4.108.0 0.0.3.255 deny ip any 85.234.128.0 0.0.31.255 deny ip any 88.150.156.0 0.0.3.255 deny ip any 91.186.0.0 0.0.31.255 deny ip any 92.222.0.0 0.0.255.255 deny ip any 92.48.64.0 0.0.63.255 deny ip any 94.76.192.0 0.0.63.255 deny ip any 95.215.44.0 0.0.3.255 deny ip any 96.126.96.0 0.0.7.255 remark Browsec deny ip any 178.62.64.0 0.0.63.255 deny ip any 188.226.128.0 0.0.127.255 deny ip any 128.199.192.0 0.0.63.255 deny ip any 104.131.0.0 0.0.63.255 remark Stealthy deny ip any 118.97.128.0 0.0.15.255 deny ip any 41.231.0.0 0.0.255.255 deny ip any 195.154.0.0 0.0.255.255 remark AWS botnet deny ip any 54.0.0.0 0.255.255.255 remark Finally pass internal LAN to NAT permit ip 192.168.0.0 0.0.255.255 any That's all. The same manner you can blocked almost any unwanted traffic/apps. Oh, yes. Sometimes landing networks for any VPN/proxy bypass tools can change. So, you need to monitor network activity and add needful networks to block list. Or exclude some /32 addressess from ban - for good sites who are in the same address range as your banned app. 06.02.2015 14:09, Job пишет: > Hello Yuri! > >>> Only before Squid - using Cisco or something like. >>> Either Cisco acl's, or NBAR protocol discovery. > > is there a way to implement a sort of layer 7 for hotshield vpn (or ultrasurf) working on Linux? > > Thank you again! > Francesco -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAgAGBQJU1HpAAAoJENNXIZxhPexGR5IH/3iQtvEdmfDU2RNP3odR5KQ8 j06zL50+0Q+U94Mf3Sk/V3OIeAnw8d3RmbJMVbNMwlwaYL9sqN5ByyInt3CCLQIB 663PVUt/GvuDJIgU2ObUcZVm0Q2tVIpd3hwRF8rc67ZktmdpfXj/RR9dFe/GCx9+ zcxXXAsYl7DHjVfZCeVL3qoqN0tnwtIbO57IDdQCbyuvk30oJ+7jf+Sg7nhLVGol W7L7vwdlZkJuzkb8GedzxN9Hc9Td7IgOQmBlYHK+E/VwE+yrTSUp6+rHRaGy2nGq wEwMvyPPFvbTFNsUeUCd3eslcDmcFSDzqnX0aB5LUf0gpmMuuw5XFD/aJKFsi40= =hjUX -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
