
Author Topic: How can I block web access but without blocking Microsoft updates?  (Read 5104 times)

djm

  • Level 1 Member
  • *
  • Posts: 21
How can I block web access but without blocking Microsoft updates?
« on: September 30, 2010, 04:30:46 AM »

Hi, I put in a rule to block http-outbound
Quote
httpdeny drop lan lannet wan wannet http-outbound

It works, but it has the side effect of also blocking Microsoft Update traffic.

Does anyone know a way that doesn't?

Ideally, when a user tries browsing a web page they would get an authorization pop-up, and if they enter a valid username/password then they get to browse; otherwise they don't.  Updates should be allowed through without requiring any auth.

Any help would be greatly appreciated.
« Last Edit: October 17, 2010, 03:30:47 AM by djm »

silver_surfer30

  • Level 3 Member
  • ***
  • Posts: 107
Re: Block web access but without blocking Microsoft updates
« Reply #1 on: October 10, 2010, 07:53:48 PM »

The other way is to make a NAT rule with the http_outbound service, create a whitelist on the URL filter tab to allow Microsoft Update, and then create a blacklist to deny any other web access.

djm

  • Level 1 Member
  • *
  • Posts: 21
Re: Block web access but without blocking Microsoft updates
« Reply #2 on: October 17, 2010, 03:25:51 AM »

Hi, thanks for the response.  I'm not sure how to do what you suggest.

Do you mean a NAT rule in addition to the rule I already have or instead of it?

What would the settings of the rule be and how do I create a whitelist for it?

Thanks,

David.

silver_surfer30

  • Level 3 Member
  • ***
  • Posts: 107
Re: How can I block web access but without blocking Microsoft updates?
« Reply #3 on: October 18, 2010, 01:08:25 AM »

You need to create an HTTP outbound ALG and, in the URL filter tab, add a whitelist with the Microsoft URL in it.
Then add a blacklist with the following: *.*/*.
Then create an HTTP service and, in the ALG part, select the one you created in the ALG menu.

Then create an IP rule using this service.

Do not forget the DNS service rule, and that should solve the issue.

djm

  • Level 1 Member
  • *
  • Posts: 21
Re: How can I block web access but without blocking Microsoft updates?
« Reply #4 on: October 27, 2010, 07:30:57 PM »

I tried it - no luck.  I must be missing something.  All computers can access all web pages with the following setup.

ALG->http-outbound:
Code:
Blacklist *.*/*
Whitelist *.update.microsoft.com/*
Whitelist *.windowsupdate.com/*

Services:
Code:
http-outbound TCP 80 http-outbound HTTP via HTTP ALG "http-outbound" - strips all active content
IP rule:
Code:
allow_someHTTP NAT lan lannet wan all-nets http-outbound
I'm guessing that the IP rule should have some other action or something.
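To make the whitelist/blacklist behaviour from the two posts above concrete, here is an added Python model of the URL filter; it is my own illustration, not NetDefendOS code or anything from the thread. It assumes that entries are shell-style globs matched against "host/path", that a whitelist hit is checked first and wins over the blacklist, and that the filter only sees plain HTTP on the port the ALG is bound to (TCP 80 in the service posted). The three list entries are the ones posted; the sample URLs are constructed.

```python
"""Toy model of an HTTP ALG URL filter with a whitelist and a blacklist.

Added illustration, not NetDefendOS code. Assumptions (labelled):
  - an entry is a shell-style glob matched against "host/path" (fnmatch rules,
    where "*" also matches "." and "/")
  - the whitelist is checked first and a hit there wins over any blacklist hit
  - the filter only ever sees plain HTTP on the port the ALG is bound to
    (TCP 80 in the service posted above); other ports are not inspected
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Entries as posted in the thread: one catch-all blacklist line, two whitelist lines.
BLACKLIST = ["*.*/*"]
WHITELIST = ["*.update.microsoft.com/*", "*.windowsupdate.com/*"]


def normalise(url):
    """Reduce a URL to the 'host/path' form the list entries are written in."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()      # hostname drops port and case
    return host + (parts.path or "/")


def first_match(patterns, target):
    """Return the first entry in the list that matches the target, else None."""
    return next((p for p in patterns if fnmatchcase(target, p)), None)


def filter_url(url, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Decide 'allow' or 'deny' for a URL and report the entry that decided it."""
    target = normalise(url)
    hit = first_match(whitelist, target)
    if hit is not None:
        return "allow", hit
    hit = first_match(blacklist, target)
    if hit is not None:
        return "deny", hit
    return "allow", None      # neither list matched: the ALG passes the request


if __name__ == "__main__":
    # Constructed sample requests, including two edge cases worth knowing about:
    # the bare host "update.microsoft.com" is not covered by "*.update.microsoft.com/*"
    # under glob rules, and a host without any dot slips past "*.*/*".
    for sample in ("http://download.windowsupdate.com/msdownload/update.cab",
                   "http://www.example.com/",
                   "http://update.microsoft.com/",
                   "http://intranet/"):
        print(sample, "->", filter_url(sample))
```

Under these glob semantics the bare host `update.microsoft.com` is denied by `*.*/*` because `*.update.microsoft.com/*` only matches names with a leading label, so a second entry `update.microsoft.com/*` is needed to cover it, and a dotless hostname such as `intranet` matches neither list and passes. Whether the unit's own wildcard matching behaves exactly this way is an assumption here; the ALG log on the unit is the place to confirm which entry fired.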

djm

  • Level 1 Member
  • *
  • Posts: 21
Re: How can I block web access but without blocking Microsoft updates?
« Reply #5 on: October 27, 2010, 10:03:11 PM »

As an alternative, I disabled all these settings and implemented "8.2.7. HTTP Authentication" of "NetDefendOS_2.26_Firewall_UserManual_v1.10.pdf" which I just downloaded.

I now get asked for a username and password, but once entered get told:
Logged on
You, or someone else from your IP address,
have been granted access.

Click here to log out.

It never moves on to the web page I was trying to access.

Were I to get this working, would it cause grief with Windows updates, and if so is it possible to tweak it so that it doesn't?

The settings I added were:
(My LAN is 192.168.54.*)

AddressBook:
Code:
HTTPAllowed 192.168.54.0/24 WebUsers
I added Rules->IP rules:
Code:
9 allow_httpProxy Allow lan lannet core lan_ip http-all
10 allow_httpProxy Allow lan lannet core lan_ip http-all
11 allow_httpProxy NAT lan HTTPAllowed wan all-nets http-all
12 allow_httpProxy NAT lan lannet wan all-nets dns-all
13 allow_httpProxy SAT lan lannet wan all-nets http-all
14 allow_httpProxy Allow lan lannet wan all-nets http-all
15 http2fw Allow lan lannet core lan_ip http

Existing rules higher than these were (just in case any of these are causing grief):
Code:
1 OpenVPN_LAN
  1 OpenVPN_allow FwdFast lan all-nets lan all-nets all_services
  2-5 disabled
  6 OpenVPN_allow Allow any lannet any OpenVPNNet all_services
  7 OpenVPN_allow Allow any OpenVPNNet any lannet all_services
2 OpenVPN_SAT SAT any all-nets core wan_ip OpenVPN
3 OpenVPN_NAT NAT any all-nets core wan_ip OpenVPN
4 SAT_DNS_Relay SAT lan lannet core lan_ip dns-all
5 Allow_DNS_Relay NAT lan lannet core lan_ip dns-all
6 OpenVPN_allow Allow any all-nets core wan_ip OpenVPN
7 SMTP_allow Allow any all-nets lan lannet smtp
8-12 disabled
13 lan_to_wan
  1-3 disabled
  4 drop_smb-all Drop lan lannet wan all-nets smb-all
  5 allow_ping-outbound NAT lan lannet wan all-nets ping-outbound
  6 allow_ftp-passthrough NAT lan lannet wan all-nets ftp-passthrough
  7-8 disabled
  new rules - see above
  16 allow_httpProxy NAT lan lannet any all-nets http

Local User Database:
Code:
WebUsers
And in WebUsers I added a username and password (no group - do I need to specify a group?).
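Rule order decides what a flow hits in a list like the one posted above. As an added worked example (my own Python, not D-Link or NetDefendOS code), here is a first-match walk over a subset of those rules, in posted order, that reports which rule a given flow lands on. The `lannet` value is the 192.168.54.0/24 posted; `lan_ip` and the external address are placeholders, the service port table is a constructed approximation, and the modelling of SAT as "record the translation, keep searching for an Allow/NAT rule" is an assumption taken from the manual's description rather than something the thread states.

```python
"""First-match walk over a NetDefendOS-style IP rule list.

Added illustration, not vendor code. Assumptions (labelled):
  - rules are tried top to bottom and the first matching Allow/NAT/Drop rule
    decides; a matching SAT rule only records the translation and the walk
    continues, because a SAT rule needs a following rule to admit the traffic
  - a flow that matches no rule at all ends in the implicit final drop
  - "any" matches every interface; "core" is the firewall itself
  - the service table is a constructed approximation of the defaults
"""
from ipaddress import ip_address, ip_network

# Address book: lannet is 192.168.54.0/24 as posted; lan_ip is a placeholder gateway address.
ADDRESSES = {
    "lannet": ip_network("192.168.54.0/24"),
    "HTTPAllowed": ip_network("192.168.54.0/24"),
    "lan_ip": ip_network("192.168.54.1/32"),
    "all-nets": ip_network("0.0.0.0/0"),
}

# Services as (protocol, destination ports); an empty port set means "any port".
SERVICES = {
    "http": ("tcp", {80}),
    "http-all": ("tcp", {80, 443}),
    "dns-all": ("udp", {53}),
    "smb-all": ("tcp", {139, 445}),
}

# A subset of the rule list from reply #5, in posted order:
# (label, name, action, src_if, src_net, dst_if, dst_net, service)
RULES = [
    ("4",     "SAT_DNS_Relay",   "SAT",   "lan", "lannet",      "core", "lan_ip",   "dns-all"),
    ("5",     "Allow_DNS_Relay", "NAT",   "lan", "lannet",      "core", "lan_ip",   "dns-all"),
    ("13.4",  "drop_smb-all",    "Drop",  "lan", "lannet",      "wan",  "all-nets", "smb-all"),
    ("13.9",  "allow_httpProxy", "Allow", "lan", "lannet",      "core", "lan_ip",   "http-all"),
    ("13.11", "allow_httpProxy", "NAT",   "lan", "HTTPAllowed", "wan",  "all-nets", "http-all"),
    ("13.13", "allow_httpProxy", "SAT",   "lan", "lannet",      "wan",  "all-nets", "http-all"),
    ("13.14", "allow_httpProxy", "Allow", "lan", "lannet",      "wan",  "all-nets", "http-all"),
    ("13.16", "allow_httpProxy", "NAT",   "lan", "lannet",      "any",  "all-nets", "http"),
]


def rule_matches(rule, src_if, src, dst_if, dst, proto, dport):
    """True if the flow's interfaces, addresses and service all fit the rule."""
    _, _, _, r_sif, r_snet, r_dif, r_dnet, svc = rule
    s_proto, ports = SERVICES[svc]
    if s_proto != proto or (ports and dport not in ports):
        return False
    if r_sif not in ("any", src_if) or r_dif not in ("any", dst_if):
        return False
    return ip_address(src) in ADDRESSES[r_snet] and ip_address(dst) in ADDRESSES[r_dnet]


def evaluate(rules, src_if, src, dst_if, dst, proto, dport):
    """Return (action, label of the deciding rule, label of a matched SAT rule or None)."""
    sat = None
    for rule in rules:
        if not rule_matches(rule, src_if, src, dst_if, dst, proto, dport):
            continue
        if rule[2] == "SAT":          # remember the translation, keep walking
            sat = rule[0]
            continue
        return rule[2], rule[0], sat
    return "Drop", "default", sat     # nothing matched: implicit final drop


if __name__ == "__main__":
    # Constructed flows: 192.168.54.10 is a LAN host, 203.0.113.5 a documentation-range external address.
    print(evaluate(RULES, "lan", "192.168.54.10", "core", "192.168.54.1", "udp", 53))
    print(evaluate(RULES, "lan", "192.168.54.10", "wan", "203.0.113.5", "tcp", 80))
    print(evaluate(RULES, "lan", "192.168.54.10", "wan", "203.0.113.5", "tcp", 445))
    print(evaluate(RULES, "lan", "192.168.54.10", "wan", "203.0.113.5", "tcp", 22))
```

The walk shows the two things worth checking when a rule list behaves unexpectedly: a DNS query to the unit picks up rule 4 (SAT) and is then admitted by rule 5, and an outbound port-80 flow from any LAN host is decided by rule 13.11 before the later HTTP rules are ever consulted, so rules placed after it cannot narrow that traffic.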

djm

  • Level 1 Member
  • *
  • Posts: 21
Re: How can I block web access but without blocking Microsoft updates?
« Reply #6 on: October 30, 2010, 04:02:16 PM »

I managed to get a straight block working - i.e. users are unable to access any pages except those on the ALG whitelist, the blacklist contains *.*/*.

Is it possible to combine this with password authentication - so that the whitelist sites are available to everyone, but other sites only available to authenticated users?

djm

  • Level 1 Member
  • *
  • Posts: 21
Re: How can I block web access but without blocking Microsoft updates?
« Reply #7 on: November 21, 2010, 03:43:59 AM »

Is it possible to combine ALG whitelist/blacklist with user authorization?