
Blackhole DNAT not working

Hello,

I want to be able to block a client's complete traffic to the internet on the UTM.

To avoid creating separate firewall and web protection rules, I found out that you can create a blackhole DNAT rule so that all traffic from these clients goes to nirvana. I tried the following:

1. Created new group "BAD_CLIENTS". There I can put the clients to block with their IP or DNS name, e.g. "192.168.1.222" or "CLIENT-122.DOMAIN.LOCAL".

2. Created new DNAT rule with automatically created firewall rule:

Position: 1
Type: DNAT
Source: Group "BAD_CLIENTS"
Service: Any
Destination: Internet IPv4
---
Change Destination: 1.2.3.4

The clients in the BAD_CLIENTS group are no longer able to ping any internet address, e.g. google.com. But they can still access all of the internet via browser??

Is my configuration wrong or am I thinking wrong?

What is the fastest, easiest and most effective way to block all internet traffic of a client?

  • I think your "bad clients" use the proxy and the blackhole DNAT rule doesn't match.

    Try adding your BAD_CLIENTS group to the transparent-proxy exceptions.

    If you use the proxy in standard mode, build a proxy profile for the clients from the BAD_CLIENTS group and deny all web pages.

    There is a document by Balfson which illustrates the packet flow through the SG. I will insert a link if I find it.

    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • dirkkotte said:

    I think your "bad clients" use the proxy and the blackhole DNAT rule doesn't match.

    I thought DNAT comes before Web Filter...?

    dirkkotte said:

    try to add your BAD_CLIENTS group to the transparent-proxy exceptions.

    Great, seems to work, thank you.

    dirkkotte said:

    There is a document by Balfson which illustrates the packet flow through the SG. I will insert a link if I find it.

    Do you mean the two pictures at the end of the Rulz post? I already saw them but could not really interpret them for my problem.

    One more question:

    Now I have these two points:

    1. DNAT rule for BAD_CLIENTS so that all their traffic is redirected to nirvana (except website access through the web filter transparent proxy)

    2. Web filter transparent proxy exception for BAD_CLIENTS so that their website accesses do not go to the web filter.

    -> Now the only thing I have to do to block a client's whole internet traffic is to add the client to the BAD_CLIENTS group. Correct?

    --> I can add clients with their IP or DNS name. Is it possible to add their MAC address?

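As an added illustration (not from the thread, not Sophos code), a small Python model of the ordering Dirk describes: the transparent web proxy picks up HTTP/HTTPS from a client before the blackhole DNAT ever sees the flow, so only a proxy exception for the same group closes the gap. The group members, the intercepted ports and the probed services are constructed assumptions; 1.2.3.4 is the Change Destination from the original post.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample values; only BLACKHOLE (the DNAT "Change Destination") is from the post.
BAD_CLIENTS = {"192.168.1.222", "192.168.1.10"}
WEB_PORTS = {80, 443}          # what the transparent web proxy intercepts (assumption)
BLACKHOLE = "1.2.3.4"

@dataclass(frozen=True)
class Flow:
    src: str
    proto: str                 # "tcp", "udp" or "icmp"
    dst_port: Optional[int]    # None for ICMP

@dataclass
class Utm:
    transparent_proxy: bool = True
    proxy_exceptions: frozenset = frozenset()
    dnat_sources: frozenset = frozenset(BAD_CLIENTS)

    def handle(self, f: Flow) -> str:
        """Return which path a new outbound flow takes.

        Order as described in the thread: the transparent web proxy grabs
        HTTP/HTTPS first (unless the source is an exception); only what it
        does not grab reaches the blackhole DNAT rule (source = BAD_CLIENTS,
        destination = Internet, service = Any).
        """
        if (self.transparent_proxy and f.proto == "tcp"
                and f.dst_port in WEB_PORTS and f.src not in self.proxy_exceptions):
            return "web filter"
        if f.src in self.dnat_sources:
            return f"dnat {BLACKHOLE}"
        return "forwarded"

def probe(utm: Utm, src: str) -> dict:
    """Probe the services a blocked client would typically try."""
    flows = [Flow(src, "icmp", None), Flow(src, "tcp", 80),
             Flow(src, "tcp", 443), Flow(src, "udp", 53)]
    return {f"{f.proto}/{f.dst_port or ''}": utm.handle(f) for f in flows}

def gaps(utm: Utm, src: str) -> list:
    """Every probed service that does NOT end in the blackhole is a hole in the block."""
    return [k for k, v in probe(utm, src).items() if v != f"dnat {BLACKHOLE}"]

ORIGINAL = Utm()                                           # DNAT rule only (the original post)
FIXED = Utm(proxy_exceptions=frozenset(BAD_CLIENTS))       # plus Dirk's proxy exception
```

Running `gaps(ORIGINAL, "192.168.1.222")` reports tcp/80 and tcp/443 still open (ping is blackholed, browsing works, exactly the symptom in the post), while `gaps(FIXED, ...)` is empty.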