How to restrict access to the transparent proxy (without authentication) with a firewall rule

Hello,

I'm looking for a possible way to block access to the transparent proxy. The clients are directly connected over WLAN and should use the transparent proxy for web surfing. But they should only be able to access the proxy when the client's MAC address is allowed in that network. I do know that the web proxy itself doesn't support MAC-based access control. But how can I restrict access to the web proxy itself? I've tried it with a firewall rule, From: "Wireless Network", protocol: any, To: "Wirelessnetwork Interface Address", but the transparent proxy is still accessible. Probably you will ask yourself why I'm not restricting the clients connecting to the WLAN... This is because the WLAN solution doesn't support simple L2 restriction lists, and now I need the UTM to do this for me....

Any ideas, how I can get this working?

Br

Sebastian



This thread was automatically locked due to age.
  • Sebastian, do you want to block access to the Internet for those not allowed to use the proxy, or to allow them to access via a firewall rule?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    They should be allowed to access the internet, but it's necessary that they are only allowed when they are known devices (MAC address whitelisted in the UTM).

    Currently it's not possible to create such a setup with the proxy (because the transparent proxy acts prior to the firewall rules), and AFAIK the only way is to exempt certain networks from the proxy and create a firewall rule with a MAC address list bound to it. In general, for logging purposes, I like devices to always use the proxy, to have a log with the requested URL and all the useful information.... For troubleshooting it's the best. Now I only have the packet filter log for this special network, but as these are known devices, that's also an acceptable solution for me.

  • A DNAT rule matches before proxy interception.

    Instead of blocking with a firewall rule, you can redirect to a blackhole IP.

  • The only way you can accomplish this, Sebastian, is with a separate subnet.

    Create a firewall rule that blocks outbound traffic from that subnet, and then make a Web Filtering Profile with 'Allowed Networks' containing only Static Host definitions for the MACs you want to allow.

    Instead of the Profile, if you want them to go out directly with firewall rules, create a rule above the previous one allowing the traffic from those same Static Hosts.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
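The two designs proposed in the thread (decide with a DNAT rule ahead of proxy interception, or drop forwarded traffic from the WLAN subnet and allow only known hosts) both depend on the same ordering fact: netfilter's nat PREROUTING chain runs before the transparent REDIRECT and before the filter table, and a redirected connection terminates locally and never traverses FORWARD. The script below is an added illustration of that ordering on a generic Linux router with iptables; it is not Sophos UTM's rule set and does not reproduce what the UTM's web-filter profile does internally. The interface name, proxy port, blackhole address and the two MAC addresses are constructed sample values. A MAC allowlist is not authentication: any client on the WLAN can spoof a listed address, so this only keeps out devices whose owners have not bothered to do so.

```shell
#!/bin/sh
# Added illustration, not Sophos UTM's own rule set: generic Linux netfilter
# (iptables) rules for a router that transparently redirects WLAN web traffic
# to a local proxy port, restricting the proxy to known MAC addresses.
# Assumed/constructed values: WLAN_IF, PROXY_PORT, BLACKHOLE, ALLOWED_MACS.
# By default the commands are only printed; run as root with IPT=iptables
# to apply one of the two designs for real.
IPT="${IPT:-echo iptables}"
WLAN_IF="${WLAN_IF:-wlan0}"
PROXY_PORT="${PROXY_PORT:-3128}"
BLACKHOLE="${BLACKHOLE:-192.0.2.1}"   # TEST-NET-1 address: nothing answers there
# Constructed sample allowlist of known devices (space separated).
ALLOWED_MACS="${ALLOWED_MACS:-00:11:22:33:44:55 66:77:88:99:aa:bb}"

# Design 1 (the DNAT reply): decide in nat PREROUTING, which netfilter
# evaluates before any filter-table (firewall) rule. Known MACs are redirected
# to the local proxy; every other WLAN client is sent to a blackhole address
# and never reaches the proxy at all. Only port 80 is shown; add 443 if the
# proxy also intercepts HTTPS.
proxy_rules_dnat() {
    for mac in $ALLOWED_MACS; do
        $IPT -t nat -A PREROUTING -i "$WLAN_IF" -p tcp --dport 80 \
            -m mac --mac-source "$mac" -j REDIRECT --to-ports "$PROXY_PORT"
    done
    # Catch-all after the allowlist: first match wins within the chain.
    $IPT -t nat -A PREROUTING -i "$WLAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$BLACKHOLE"
}

# Design 2 (the separate-subnet reply, direct-out variant): block forwarded
# traffic from the WLAN and allow only the known hosts above the block.
# These rules govern traffic that is routed straight out. Connections that
# were REDIRECTed to the proxy terminate on the router itself and pass
# through INPUT, not FORWARD, which is why a plain firewall rule on the
# WLAN-to-interface path did not stop the proxy in the original question.
proxy_rules_filter() {
    for mac in $ALLOWED_MACS; do
        $IPT -A FORWARD -i "$WLAN_IF" -m mac --mac-source "$mac" -j ACCEPT
    done
    $IPT -A FORWARD -i "$WLAN_IF" -j DROP
}

# Print (or apply, with IPT=iptables) the design named on the command line.
case "${1:-}" in
    dnat)   proxy_rules_dnat ;;
    filter) proxy_rules_filter ;;
    *)      echo "usage: $0 dnat|filter" >&2 ;;
esac
```

Run it as `sh restrict-proxy.sh dnat` to see the rules for the first design; the order printed is the order in which netfilter evaluates them, with the allowlist entries ahead of the catch-all. Whichever design is used, the MAC match is only meaningful on the ingress interface, so the WLAN interface must be the one named in `-i`.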