Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 3 subscribers
  • Views 22821 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Best method of blocking Internet access?

AZSysAdmin

So, we have some workstations that I want to block from reaching the Internet. They can frolic within our LAN, however due to special reasons I do not want them going out or reaching outside our firewall.
My question is this, what is the best method to restrict such devices? I'm leaning towards the Network Definitions and placing the MAC address here, then will create a firewall rule pertaining to these groups. Would that be advisable? Any other methods?
As well, would it be possible for these groups to have a message appear when blocked? Just to let them know so our Helpdesk doesn't sit there burning a day wondering why this particular machine can't get out? Not as important as first question, just curious if UTM can do this.
Oh, using UTM 9, current 9.351-3 release. Thanks in advance!



This thread was automatically locked due to age.
Parents
  • 0
    Do you just want to block web browsing or ALL Internet destined traffic?

    Well, if you are NOT using Web Protection then you can just create DHCP reservations for those machines and block Internet access via the firewall rules. No messages will appears with this approach.

    If you ARE using Web Protection, you will still need the DHCP reservations. You can create a specific profile for these machines and essentially block ALL categories of websites. Basically, any web browsing would be met by a block page.

    One trick I'm using and was used by another user on the old boards was to scan and decrypt blocked traffic just to be sure it can be scanned and anything bad removed as opposed to just using URL filtering only.
  • 0 in reply to Euphrates
    I wanted to block ALL internet traffic. We are using Web Protection. The DHCP reservation...ugh. So just adding the MAC address won't be enough? Question, I have is at what point or feature of the UTM does the MAC address come into play? Does the Web Protection identify by MAC address...I would think not. Seems to me it would be more IP based, like so many iptables such designs.
    I will work with some of the Web Protection rules for the MAC addresses I entered, it does seem it wants/works best if host is created. Which is there a way to import hosts into UTM?

    Sorry, I have perverted the original question. If I need to post these again, let me know.

    Thanks in advance.
Reply
  • 0 in reply to Euphrates
    I wanted to block ALL internet traffic. We are using Web Protection. The DHCP reservation...ugh. So just adding the MAC address won't be enough? Question, I have is at what point or feature of the UTM does the MAC address come into play? Does the Web Protection identify by MAC address...I would think not. Seems to me it would be more IP based, like so many iptables such designs.
    I will work with some of the Web Protection rules for the MAC addresses I entered, it does seem it wants/works best if host is created. Which is there a way to import hosts into UTM?

    Sorry, I have perverted the original question. If I need to post these again, let me know.

    Thanks in advance.
Children
  • 0 in reply to AZSysAdmin
    The problem with the Sophos UTM design is order of operation. See this feature request from me:

    feature.astaro.com/.../6002187-firewall-order-of-operations

    Essentially, the security services have priority over traffic before the firewall if you enable them. That means putting a rule in the firewall to block web traffic won't work if you have Web Protection enabled as it will look at traffic first (though, it "may" work after Web Protection looks at it then the firewall looks at it).

    As such, you want to use the DHCP features to create DHCP reservations for the devices based on their MAC addresses. Then you can create Host objects for these machines and then a Network Group object and then create a Web Protection policy that blocks all HTTP/HTTPS traffic from these machines. Finally, create a firewall rule to block traffic from that network group to the object "Internet IPv4".

    Again, if you want to provide some sort of "block page" you HAVE to use the Web Protection policies.
Unfiltered HTML