Block traffic from specific machines, unless they are logged in with the client

Hi. I have a set of MAC addresses for which I'd like to block traffic unless they are logged in.


I'd simultaneously like to avoid this setup in the firewall screen:

  • Let authenticated users through (Rule 1)
  • Block all unauthenticated users (Rule 2)

Because I have an army of machines on the network I'd prefer remain unaffected by this condition.

My first instinct was to create a clientless group for these MAC addresses, but it appears that the clientless group supersedes the client-based authentication.  My log was full of:

"User abc failed to login to Firewall through authentication mechanism from 192.168.168.33 because of Already login as clientless user"

Thank you!

  • Hi,

    from your description you are not using a login server or AD network access control? How do you control your user access to network services?

    Ian

  • In reply to rfcat_vk:

    Thanks for the help! Appreciated!


    Currently, the users are added right into the Sophos Authentication > Users area.


    To paint a better picture, these are shared computers used for testing and such tasks in a relatively open area. I want to ensure that users log in using the Sophos client before they work.


    So far, I've been able to disable them by:

    • binding their MAC address to specific IP addresses in the DHCP configuration
    • binding those IP addresses to clientless users
    • adding those clientless users to a specific clientless user group
    • creating a firewall rule that denies access to that specific clientless user group

    Unfortunately, it's the re-enabling access part that doesn't seem to work.

    In the groups area I am able to set the order. I would have thought that this order affects the 'authentication' order, but it looks like whatever I try, the user cannot log in, since that machine is already logged in as a 'clientless user'.


  • In reply to Alexandre Lemaire:

    Hi,

    the way to change user status is: in Clientless Users, click the user, change the status, wait a short time, then change the status again; that will enable a new connection. You can select a number of individual clientless users with the filter and change their status at the same time.

    I had a play with that reorder function and am not sure what the role of that feature is.

    Ian

  • In reply to rfcat_vk:

    Yeah not sure what the ordering feature is for either.

    If I toggle the clientless users as 'inactive', won't that let these machines through the firewall given how I've set things up?

  • In reply to Alexandre Lemaire:

    Hi,

    no, that blocks access to the internet, i.e. it drops connections. It is the recommended way of stopping and restarting connections; otherwise a restart is required.

    Because you have linked the clientless user to a specific firewall rule it will be blocked until you re-enable it.


    Ian

  • In reply to rfcat_vk:

    Unfortunately when I try that, it lets the computers right through. I think the semantic is indeed to disable the binding.

  • In reply to Alexandre Lemaire:

    Hi,

    the answer to that is very simple: you do not have any groups selected in your other rules, which allows any device to access the internet.

    The difficult part for you is to add groups to each firewall rule.

    Ian
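
The fall-through that the last reply describes can be checked with a small first-match policy model. This is an added example, not code from the thread or from Sophos: it models a clientless binding for the poster's host 192.168.168.33, a deny rule for the clientless group, and an allow rule with no group, and shows that once the binding is set inactive the traffic matches the unrestricted allow. The group, user and rule names (`Shared-Testers`, `Staff`, `shared-pc-01`, `Block-Shared-Testers`, `Allow-Everything-Else`, `Allow-Staff`) are assumptions for illustration. The model also assumes, as the log line in the original post indicates, that an active clientless binding takes precedence over a client login.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Hypothetical names for illustration; they are not taken from the thread.
SHARED_GROUP = "Shared-Testers"   # clientless group holding the shared machines
STAFF_GROUP = "Staff"             # group that real users authenticate into
HOST_IP = "192.168.168.33"        # address from the log line in the original post


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    groups: FrozenSet[str] = frozenset()      # empty = matches any identity, even none


@dataclass(frozen=True)
class ClientlessBinding:
    user: str
    active: bool


def identity_for(src_ip: str,
                 bindings: Dict[str, ClientlessBinding],
                 client_logins: Dict[str, str]) -> Optional[str]:
    """Resolve the identity attributed to a source IP.

    Assumption from the thread's log line: an active clientless binding wins
    over a client login ("Already login as clientless user").
    """
    binding = bindings.get(src_ip)
    if binding is not None and binding.active:
        return binding.user
    return client_logins.get(src_ip)


def first_match(rules: List[Rule], user: Optional[str],
                membership: Dict[str, FrozenSet[str]]) -> Tuple[str, str]:
    """First-match evaluation. A rule with no groups matches every packet,
    including traffic from a host with no identity at all."""
    user_groups = membership.get(user, frozenset()) if user else frozenset()
    for rule in rules:
        if rule.groups and not (rule.groups & user_groups):
            continue
        return rule.action, rule.name
    return "deny", "implicit-default"


MEMBERSHIP: Dict[str, FrozenSet[str]] = {
    "shared-pc-01": frozenset({SHARED_GROUP}),   # the clientless user for the host
    "abc": frozenset({STAFF_GROUP}),             # the user named in the log line
}

# Rule set as the poster built it: the deny for the clientless group is
# followed by an allow that carries no group, so it matches anything.
LEAKY_RULES = [
    Rule("Block-Shared-Testers", "deny", frozenset({SHARED_GROUP})),
    Rule("Allow-Everything-Else", "allow"),
]

# Rule set as the last reply recommends: every allow is tied to a group.
TIGHT_RULES = [
    Rule("Block-Shared-Testers", "deny", frozenset({SHARED_GROUP})),
    Rule("Allow-Staff", "allow", frozenset({STAFF_GROUP})),
]


def decide(rules: List[Rule], binding_active: bool,
           client_login: Optional[str]) -> Tuple[str, str]:
    """Decision for HOST_IP under one scenario: binding active or not,
    and optionally a client login by `client_login`."""
    bindings = {HOST_IP: ClientlessBinding("shared-pc-01", binding_active)}
    logins = {HOST_IP: client_login} if client_login else {}
    user = identity_for(HOST_IP, bindings, logins)
    return first_match(rules, user, MEMBERSHIP)


if __name__ == "__main__":
    for label, rules in (("leaky", LEAKY_RULES), ("tight", TIGHT_RULES)):
        for active in (True, False):
            for login in (None, "abc"):
                print(f"{label:5} binding_active={active!s:5} login={login!s:4} ->",
                      decide(rules, active, login))
```

With `LEAKY_RULES` the inactive binding yields `("allow", "Allow-Everything-Else")` for a host that has not logged in, which is the "lets the computers right through" behaviour reported above; with `TIGHT_RULES` the same host falls to the implicit deny until someone logs in with the client as `abc`. The model also shows the other half of the problem: while the binding is active, the client login never changes the identity, so the deny applies regardless of who logged in.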