I think the first rule is obsolete. It’s not needed, and to give a host group ANY to RED is a security risk, IMO. Everything which should be allowed is allowed already out of the box, if no further rule is written.
And IIUC the first rule allows the traffic and no further rule will take action. AFAIK the firewall checks all rules until a rule matches, so if the first rule allows traffic all the time it is allowed all the time.
So better is to only block at certain times and never use ANY to RED.
In the second rule I see the time 00:00-07:29 and in the first rule 07:00-19:29. These time conditions overlap. I think it should be 00:00-06:59 or, if you delete the first rule, 00:00-07:00.
Yes, but it was only a documentation error here. The time frames on the firewall are correct.
I deleted the first rule and nothing changes, the clients are not blocked.
host group ANY to RED is a security risk
This is an important hint. Thank you. Is it possible to bundle some protocols/ports (e.g. http+https) in one rule, or do I have to create a single rule for each protocol/port?
It is possible to bundle ports. Create a service xy and give the ports you want to block or allow 1,3,5,17,… or 5000:5500 (not sure if it’s “:” or “-”).
Example:
I can confirm that using squid proxy as a security measure works VERY well with time based schedules. I have clients that required no client access to the internet (mail etc.), only via controlled proxy. During lunch break and night shift they were allowed access to e.g. Facebook, Tinder, newspapers and such; only a few groups like management and marketing were allowed more access liberties…
Firewall only allows servers (web, mail etc.) access AND the Proxy Server.
The Proxy decides which client can connect to what and when…
I did that a few years back with SME Server, the predecessor to NethServer. The firewall was another dedicated firewall; at the time I think it was a SonicWall. The company was taken over a few years back, and folded shortly thereafter, after the new management decided to implement external servers, SAP and other oversized items…
Unfortunately, I lost my archives a while back, when lightning struck my non-UPS-protected home and burned my NAS and the external disk backup thereof…
However, these might help you:
As far as I’m aware, this still needs manual templates of squid.conf (As in SME-Server years ago)
and needs thorough testing of the rules and their loading. The rules needed to be loaded in the right order, with the http_access deny all at the end of that config-file segment.
Customize the wpad to distribute the optimal proxy settings to your clients, test it, and then close your firewall and test again!
There are also a few good sites containing tips about what you can do with just wpad alone!
Your mileage may vary, but here it’s well worth it.
You can even customize the “Error message” displayed, like “According to contract, this web site “YYY” is only available from 19:00-07:00, all other access attempts will be reported to HR…”
It’s not that difficult, seeing the samples info (The two weblinks provided above).
Make a copy first of the existing /etc/e-smith/templates/etc/squid/squid.conf/ to
/etc/e-smith/templates-custom/etc/squid/squid.conf/. The folders at the target do not exist yet!
Use an independent PC, where you force the Proxy (Windows: See Internet Options, Connections, LAN…). The Proxy can be restarted independent of the server, so if you make a typo, you’re not blocking everyone off the internet until you get the rules right!
It’s also worthwhile making Squid ACL groups for “allowed” PCs and “all other PCs” to make later editing easier and more transparent.
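Both the firewall discussion at the top of the thread (an allow-everything rule placed first shadows every later block) and the Squid advice here (http_access lines evaluated in order, deny all last) rest on first-match semantics. The following is an added example, not the thread's or NethServer's code, that models such an ordered policy in Python; the addresses, domains and time windows are constructed, and the Squid lines in the header comment are a constructed illustration of the same policy.

```python
from datetime import time
# Constructed policy mirroring these Squid lines (constructed, not the thread's own config):
#   acl allowed_pcs src 192.168.1.10 192.168.1.11
#   acl other_pcs   src 192.168.1.0/24
#   acl social      dstdomain .facebook.com .youtube.com
#   acl off_hours   time 19:00-23:59
#   acl off_hours   time 00:00-07:00        (Squid time ACLs cannot span midnight)
#   http_access allow allowed_pcs
#   http_access allow other_pcs social off_hours
#   http_access deny  other_pcs social
#   http_access allow other_pcs
#   http_access deny  all                   (must stay last: first match wins)
ALLOWED_PCS = {"192.168.1.10", "192.168.1.11"}
OTHER_PCS = {f"192.168.1.{i}" for i in range(20, 40)}
SOCIAL = (".facebook.com", ".youtube.com")
OFF_HOURS = [(time(19, 0), time(23, 59)), (time(0, 0), time(7, 0))]

# (action, source set or None, domain suffixes or None, time windows or None)
POLICY = [
    ("allow", ALLOWED_PCS, None, None),
    ("allow", OTHER_PCS, SOCIAL, OFF_HOURS),
    ("deny", OTHER_PCS, SOCIAL, None),
    ("allow", OTHER_PCS, None, None),
    ("deny", None, None, None),
]

def in_window(t, windows):
    return any(start <= t <= end for start, end in windows)

def matches_domain(host, suffixes):
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)

def decide(src, host, now, policy=POLICY):
    """Action of the first rule whose every condition matches (first-match semantics)."""
    for action, srcs, domains, windows in policy:
        if srcs is not None and src not in srcs:
            continue
        if domains is not None and not matches_domain(host, domains):
            continue
        if windows is not None and not in_window(now, windows):
            continue
        return action
    return "deny"  # nothing matched; unreachable while the deny-all line is last

def shadowed_rules(policy):
    """Indexes of rules that can never fire because an unconditional rule precedes them."""
    for i, (_, srcs, domains, windows) in enumerate(policy):
        if srcs is None and domains is None and windows is None:
            return list(range(i + 1, len(policy)))
    return []
```

Putting an unconditional allow at index 0 makes `shadowed_rules` report every other rule, which is exactly the effect of the ANY-to-RED rule discussed above.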
Hi, Guys, I tested a lot of rules… Not a single rule blocks access to anything!
Finally, I have simplified my requirement and want to build up from a baseline:
Case 1: Req: Block most internet traffic of a client related to loading non-specific payload from websites, streaming servers …, assumption: FW has to block https. Solution:
Result: all traffic passes the firewall, the rule has no effect
Case 2: Req: Block most internet traffic of a client related to loading non-specific payload from websites, streaming servers …, assumption: FW has to block squid
Result: all traffic passes the firewall, the rule has no effect
Case 3: Req: Block most internet traffic of a client related to loading non-specific payload from websites, streaming servers …, assumption: FW has to block httpd-service
Simple and short: rules cannot match traffic. So they don’t work as you expect.
As usual: computers do what they are told to, not what you’re thinking or hoping…
Except for bugs, of course…
Ok, thanks for this notice. How should I understand this? If I can select a specific service, the rule should suppress traffic/connections related to the selected service. If not, what then is the deeper meaning behind such service-oriented rules? Is there somewhere I can read more about what to do and what not to do when the firewall is configured correctly (best practices)? The docs are not really helpful.
Finally, I would like to block internet use overnight for the children.
I wanted to approach the solution step by step and in the first step I wanted to prevent a client from using the internet (in my thinking traffic to RED or from RED???).
In a next step I would try to plan this time controlled. In a further step maybe more specific like “block everything but iTunes music”. So I wanted to get a solution step by step on the one hand and on the other hand I wanted to improve my understanding of the technique step by step.
When the DPI module is active, new items for the Service field are available in the Edit rule form. Those items are labeled DPI protocol, among the usual network service and service object items.
But I don’t find any specific labeled services “DPI-Service” to address a rule.
In my understanding this rule should…
…block all traffic based on https-protocol for the clients inside the host group “kind”.
If not, what then is the deeper meaning behind such service-oriented rules?
Inside the NtopNG documentation I found a list of nDPI protocols:
We are continuously extending nDPI and so far many protocols are supported including
FTP_CONTROL
POP3
SMTP
IMAP
DNS
IPP
HTTP
MDNS
NTP
NetBIOS
NFS
SSDP
BGP
SNMP
XDMCP
SMBv1
Syslog
DHCP
PostgreSQL
MySQL
Hotmail
Direct_Download_Link
POPS
AppleJuice
DirectConnect
ntop
COAP
VMware
SMTPS
FacebookZero
UBNTAC2
Kontiki
OpenFT
FastTrack
Gnutella
eDonkey
BitTorrent
SkypeCall
Signal
Memcached
SMBv23
Mining
NestLogSink
Modbus
Xbox
QQ
TikTok
RTSP
IMAPS
IceCast
PPLive
PPStream
Zattoo
ShoutCast
Sopcast
Tvants
TVUplayer
HTTP_Download
QQLive
Thunder
Soulseek
SSL_No_Cert
IRC
Ayiya
Unencrypted_Jabber
MSN
Oscar
Yahoo
BattleField
GooglePlus
VRRP
Steam
HalfLife2
WorldOfWarcraft
Telnet
STUN
IPsec
GRE
ICMP
IGMP
EGP
SCTP
OSPF
IP_in_IP
RTP
RDP
VNC
PcAnywhere
SSL
SSH
Usenet
MGCP
IAX
TFTP
AFP
Stealthnet
Aimini
SIP
TruPhone
ICMPV6
DHCPV6
Armagetron
Crossfire
Dofus
Fiesta
Florensia
Guildwars
HTTP_ActiveSync
Kerberos
LDAP
MapleStory
MsSQL-TDS
PPTP
Warcraft3
WorldOfKungFu
Slack
Facebook
Twitter
Dropbox
GMail
GoogleMaps
YouTube
Skype
Google
DCE_RPC
NetFlow
sFlow
HTTP_Connect
HTTP_Proxy
Citrix
NetFlix
LastFM
Waze
YouTubeUpload
GenericProtocol
CHECKMK
AJP
Apple
Webex
WhatsApp
AppleiCloud
Viber
AppleiTunes
Radius
WindowsUpdate
TeamViewer
Tuenti
LotusNotes
SAP
GTP
UPnP
LLMNR
RemoteScan
Spotify
Messenger
H323
OpenVPN
NOE
CiscoVPN
TeamSpeak
Tor
CiscoSkinny
RTCP
RSYNC
Oracle
Corba
UbuntuONE
Whois-DAS
Collectd
SOCKS
Nintendo
RTMP
FTP_DATA
Wikipedia
ZeroMQ
Amazon
eBay
CNN
Megaco
Redis
Pando_Media_Booster
VHUA
Telegram
Vevo
Pandora
QUIC
WhatsAppVoice
EAQ
Ookla
AMQP
KakaoTalk
KakaoTalk_Voice
Twitch
WeChat
MPEG_TS
Snapchat
Sina(Weibo)
GoogleHangout
IFLIX
Github
BJNP
SMPP
DNScrypt
TINC
Deezer
Instagram
Microsoft
Starcraft
Teredo
HotspotShield
HEP
GoogleDrive
OCS
Office365
Cloudflare
MS_OneDrive
MQTT
RX
AppleStore
OpenDNS
Git
DRDA
PlayStore
SOMEIP
FIX
Playstation
Pastebin
LinkedIn
SoundCloud
CSGO
LISP
Diameter
ApplePush
GoogleServices
AmazonVideo
GoogleDocs
WhatsAppFiles
Which could I select? If I analyse the traffic from the targeted hosts, most of it is TLS.
Shouldn’t this rule block YouTube traffic?
If I try to use this rule, all traffic passes the firewall, no restricted access.