pfSense » pfSense Packages

Ref for research of UPP get requests:
https://forum.netgate.com/topic/182866/universal-procedure-pointers-upp-mzstatic-com-s-mode-of-access-redirector-question

a tunnel within a tunnel. Or The coined term could be "Universal Procedure Pointer GET requests." are starting to occur more frequently on proxies. Can code please be added to detect when the IP stays the same and a UPP get request connection occurs?

Example of use: SSL intercept based proxy in use with certificates installed on all devices the firewall has the itunes and apple music domains configured to be whitelisted such that they bypass the SSL proxy for use with proxy transparent mode. (advanced manually configured)

What occurs: After a request goes to a whitelisted domain such as apple music the same ip directly after is being used as a tunneled redirect right to the image server "mzstatic". Keep in mind mzstatic has not been approved yet for use with the SSL bypass, however it occurs unknowingly and uses that open tunnel.

The concern is the mode of use. This ability to redirect and or piggyback off any whitelisted domain in a firewall, such that the get request starts to use the same ip address for new URLs is essentially a non approved tunnel within a established ssl tunnel.

How can this be set up to block if it was abused by something else outside of Apple? How can this new mode of redirect be proxied when not approved? Simply put yes a firewall can be configured to block the other address. Again, that is after the damage is done and then it's to late. It takes a firewall admin to spot it only after it has already been used several times and only after it's spotted to establish block rules when needed. For an invasive actor it only takes one usage of such a tool to achieve an objective.

Has anyone else seen this outside of apple?

This request is for a new feature inside of the Squid Package. New UPP Get requests are being used to bypass firewall rules.