Firewall - time based access for host groups

NethServer Version: 7.7.1908
Module: Firewall, Web-Proxy&Filter, IPS, NtopNG

I want to restrict internet access inside a time frame from 19:30-7:00

Following these hints…

… was not successful

What I did with the old Admin-GUI (because inside cockpit it’s not possible to select “all services”):

  1. Created a host group with clients
  2. Created three time frames
  3. Created firewall rules

    3.1. First rule on top:
      • Allow host group
      • Source: host group
      • Destination: red
      • service: all
      • time frame 7:00-19:29

    3.2. Second rule below:
      • block host group
      • Source: host group
      • Destination: red
      • service: all
      • time frame 00:00-07:29

    3.3. Third rule below:
      • block host group
      • Source: host group
      • Destination: red
      • service: all
      • time frame 19:30-23:59

Summary: The clients inside the host group don’t have any restrictions and have full access all the time.

What have I done wrong? What should I do?
Sincerely, Marko

I think the first rule is obsolete. It’s not needed, and giving a host group ANY to RED is a security risk, IMO. Everything which should be allowed is allowed already out of the box, if no further rule is written.
And IIUC the first rule allows the traffic and no further rule will take action. AFAIK the firewall checks all rules until a rule matches, so if the first rule allows traffic all the time, it is allowed all the time.
So it is better to only block at certain times and never use ANY to RED.

In the second rule I see the time 00:00-07:29 and in the first rule 07:00-19:29. These time conditions overlap. I think it should be 00:00-06:59 or, if you delete the first rule, 00:00-07:00.
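
An added example (not part of any post in this thread, and not NethServer code): a small first-match evaluator for the three time-framed rules from the opening post, showing which rule decides at a given minute and where an earlier rule shadows a later one with the opposite action. First-match ordering and "allowed when no rule matches" are taken from the reply above as assumptions; the rule names and helper functions are made up for this example.

```python
from datetime import time

# The three rules from the opening post, in GUI order: (name, action, start, end),
# with the end minute inclusive. Rule names are made up for this example.
RULES = [
    ("allow-day", "allow", time(7, 0), time(19, 29)),
    ("block-morning", "block", time(0, 0), time(7, 29)),
    ("block-evening", "block", time(19, 30), time(23, 59)),
]
DEFAULT_ACTION = "allow"  # assumption from the thread: no matching rule means allowed


def in_frame(t, start, end):
    """True if t is inside [start, end]; start > end means the frame wraps midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def decide(rules, t):
    """First-match evaluation: the first rule whose time frame contains t decides."""
    for name, action, start, end in rules:
        if in_frame(t, start, end):
            return name, action
    return "default", DEFAULT_ACTION


def split_at_midnight(start, end):
    """Split a frame such as 19:30-07:00 into two same-day frames."""
    if start <= end:
        return [(start, end)]
    return [(start, time(23, 59)), (time(0, 0), end)]


def shadowed(rules):
    """Map (deciding rule, shadowed rule) to the first and last minute of the day
    at which the later rule also matches but would have done the opposite."""
    hits = {}
    for minute in range(24 * 60):
        t = time(minute // 60, minute % 60)
        winner, action = decide(rules, t)
        for name, act, start, end in rules:
            if name != winner and act != action and in_frame(t, start, end):
                hits.setdefault((winner, name), []).append(t)
    return {pair: (ts[0], ts[-1]) for pair, ts in hits.items()}


if __name__ == "__main__":
    print(decide(RULES, time(7, 15)))
    print(shadowed(RULES))
```

With the time frames as written in the opening post, the only shadowed window is 07:00-07:29; ending the morning block at 06:59 removes it.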

Yes, but it was only a documentation error here. The time frames on the firewall are correct.
I deleted the first rule and nothing changes, the clients are not blocked.

host group ANY to RED is a security risk

This is an important hint. Thank you. Is it possible to bundle some protocols/ports (e.g. http+https) in one rule, or do I have to create a single rule for each protocol/port?

It is possible to bundle ports. Create a service xy and give the ports you want to block or allow 1,3,5,17,… or 5000:5500 (not sure if it’s “:” or “-”).
Example:
[image]
Then use this service-object to create a rule.

If you only want to block internet access it should work to block squid in a time condition, but I never tried this myself.

@capote, @flatspin

Hi

I can confirm that using squid proxy as a security measure works VERY well with time based schedules. I have clients that required No Client access to internet (mail etc), only via controlled proxy. Lunch break and night shift were allowed access to e.g. Facebook, Tinder, Newspapers and such, only few groups like management and marketing were allowed more access liberties…

Firewall only allows servers (web, mail etc.) access AND the Proxy Server.
The Proxy decides which client can connect to what and when…

It’s also much more secure for any network!

My 2 cents
Andy

Thank you for your hint - can you please explain how to implement such proxy rules (preferably via cockpit)?
I didn’t find tutorials here.
Thanks, Andy

Hi

I did that a few years back with SME Server, the predecessor to NethServer. The firewall was another dedicated firewall, at the time I think it was a SonicWall. The company was taken over a few years back, and folded shortly thereafter, after the new management decided to implement external servers, SAP and other oversized items…

Unfortunately, I lost my archives a while back, when lightning struck my non UPS protected home and burned my NAS and the external Disk Backup thereof…

However, these might help you:

As far as I’m aware, this still needs manual templates of squid.conf (as in SME-Server years ago) and needs thorough testing of the rules and their loading. The rules needed to be loaded in the right order, with the http_access deny all at the end of that config-file segment.

Customize the wpad to distribute the optimal proxy settings to your clients, test it, and then close your firewall and test again!

There are also a few good sites containing tips about what you can do with just wpad alone!

Your mileage may vary, but here it’s well worth it.
You can even customize the “Error message” displayed, like “According to contract, this web site “YYY” is only available from 19:00-07:00, all other access attempts will be reported to HR…”

Clients are Kings, and their wishes count!

My 2 cents…
Andy

Is there anyone else who can provide experience in configuring the proxy to allow and deny time-based access?

Andy’s experiences do not sound trivial.

Hi

It’s not that difficult, seeing the samples info (The two weblinks provided above).

Make a copy first of the existing /etc/e-smith/templates/etc/squid/squid.conf/ to /etc/e-smith/templates-custom/etc/squid/squid.conf/. The folders at the target do not exist yet!

Use an independent PC, where you force the Proxy (Windows: See Internet Options, Connections, LAN…). The Proxy can be restarted independent of the server, so if you make a typo, you’re not blocking everyone off the internet until you get the rules right!

It’s also worthwhile making Squid ACL-Groups for “allowed” PCs, and “all other PCs” to make later editing easier and more transparent.

BTW: What firewall are you using: The Nethserver?

Andy

I think that can be done easier (not tested):

Go to local rules and create a rule like this, only with the hosts-object you created and give it a time condition:


Place it before the existing squid rule.

Looks good, never tried to do it with Cockpit so far - Cockpit is installed so far on all servers, but so far no need yet… 🙂

Thank you, I will try it.
But the source should be a host group, not all clients inside GREEN. I defined one and used it now.

Hi, Guys, I tested a lot of rules… Not a single rule blocks access to anything!

Finally, I have simplified my requirement and want to build up from a baseline:

Case 1:
Req: Block most internet traffic of a client related to loading non-specific payload from websites, streaming servers …,
assumption: FW has to block https
Solution:

  1. Definition of a client object
  2. Definition of a rule (non-local)
  3. Result: all traffic passes the firewall, the rule has no effect

Case 2:
Req: Block most internet traffic of a client related to loading non-specific payload from websites, streaming servers …,
assumption: FW has to block squid

  1. Definition of a client object
  2. Definition of a rule (local)
  3. Result: all traffic passes the firewall, the rule has no effect

Case 3:
Req: Block most internet traffic of a client related to loading non-specific payload from websites, streaming servers …,
assumption: FW has to block httpd-service

  1. Definition of a client object
  2. Definition of a rule (local)
  3. Result: all traffic passes the firewall, the rule has no effect

I’m really at a loss right now. What is wrong?

my system architecture:

  • RED: 192.168.2.0/24

  • Router: 192.168.2.1

  • GREEN: 191.68.3.0/24

  • Nethserver-Gateway/Firewall: 192.168.3.1

  • DHCP/DNS-Server (Pihole): 192.168.3.5

  • all clients with IP-Reservation, no dedicated proxy settings

  • web proxy: transparent-SSL

May I ask again if anyone has an explanation why my firewall rules remain ineffective?

Simple and short: rules cannot match traffic. So they don’t work as you expect.
As usual: computers do what they are told to, not what you’re thinking or hoping…
Barring bugs, of course…

What do you want to achieve exactly?

If you want to block specific traffic / protocols, you can try to use ndpi.
Please have a look here:

https://docs.nethserver.org/en/latest/firewall.html#deep-packet-inspection-dpi

Ok, thanks for this notice. How should I understand this? If I can select a specific service, the rule should suppress traffic/connections related to the selected service. If not, what then is the deeper meaning behind such service-oriented rules? Is there somewhere I can read more about what to do and what not to do when the firewall is configured correctly (best practices)? The docs are not really helpful.

Finally, I would like to block internet use overnight for the children.
I wanted to approach the solution step by step and in the first step I wanted to prevent a client from using the internet (in my thinking traffic to RED or from RED???).
In a next step I would try to plan this time controlled. In a further step maybe more specific like “block everything but iTunes music”. So I wanted to get a solution step by step on the one hand and on the other hand I wanted to improve my understanding of the technique step by step.

you can try to use ndpi

Yes, I have installed nDPI. The docs say:

When the DPI module is active, new items for the Service field are available in the Edit rule form. Those items are labeled DPI protocol , among the usual network service and service object items.

But I can’t find any specifically labeled “DPI-Service” services to address in a rule.
In my understanding, this rule should…
image
…block all traffic based on https-protocol for the clients inside the host group “kind”.

If not, what then is the deeper meaning behind such service-oriented rules?

Inside the NtopNG documentation I found a list of nDPI protocols:

We are continuously extending nDPI and so far many protocols are supported including

    • FTP_CONTROL
    • POP3
    • SMTP
    • IMAP
    • DNS
    • IPP
    • HTTP
    • MDNS
    • NTP
    • NetBIOS
    • NFS
    • SSDP
    • BGP
    • SNMP
    • XDMCP
    • SMBv1
    • Syslog
    • DHCP
    • PostgreSQL
    • MySQL
    • Hotmail
    • Direct_Download_Link
    • POPS
    • AppleJuice
    • DirectConnect
    • ntop
    • COAP
    • VMware
    • SMTPS
    • FacebookZero
    • UBNTAC2
    • Kontiki
    • OpenFT
    • FastTrack
    • Gnutella
    • eDonkey
    • BitTorrent
    • SkypeCall
    • Signal
    • Memcached
    • SMBv23
    • Mining
    • NestLogSink
    • Modbus
    • Xbox
    • QQ
    • TikTok
    • RTSP
    • IMAPS
    • IceCast
    • PPLive
    • PPStream
    • Zattoo
    • ShoutCast
    • Sopcast
    • Tvants
    • TVUplayer
    • HTTP_Download
    • QQLive
    • Thunder
    • Soulseek
    • SSL_No_Cert
    • IRC
    • Ayiya
    • Unencrypted_Jabber
    • MSN
    • Oscar
    • Yahoo
    • BattleField
    • GooglePlus
    • VRRP
    • Steam
    • HalfLife2
    • WorldOfWarcraft
    • Telnet
    • STUN
    • IPsec
    • GRE
    • ICMP
    • IGMP
    • EGP
    • SCTP
    • OSPF
    • IP_in_IP
    • RTP
    • RDP
    • VNC
    • PcAnywhere
    • SSL
    • SSH
    • Usenet
    • MGCP
    • IAX
    • TFTP
    • AFP
    • Stealthnet
    • Aimini
    • SIP
    • TruPhone
    • ICMPV6
    • DHCPV6
    • Armagetron
    • Crossfire
    • Dofus
    • Fiesta
    • Florensia
    • Guildwars
    • HTTP_ActiveSync
    • Kerberos
    • LDAP
    • MapleStory
    • MsSQL-TDS
    • PPTP
    • Warcraft3
    • WorldOfKungFu
    • Slack
    • Facebook
    • Twitter
    • Dropbox
    • GMail
    • GoogleMaps
    • YouTube
    • Skype
    • Google
    • DCE_RPC
    • NetFlow
    • sFlow
    • HTTP_Connect
    • HTTP_Proxy
    • Citrix
    • NetFlix
    • LastFM
    • Waze
    • YouTubeUpload
    • GenericProtocol
    • CHECKMK
    • AJP
    • Apple
    • Webex
    • WhatsApp
    • AppleiCloud
    • Viber
    • AppleiTunes
    • Radius
    • WindowsUpdate
    • TeamViewer
    • Tuenti
    • LotusNotes
    • SAP
    • GTP
    • UPnP
    • LLMNR
    • RemoteScan
    • Spotify
    • Messenger
    • H323
    • OpenVPN
    • NOE
    • CiscoVPN
    • TeamSpeak
    • Tor
    • CiscoSkinny
    • RTCP
    • RSYNC
    • Oracle
    • Corba
    • UbuntuONE
    • Whois-DAS
    • Collectd
    • SOCKS
    • Nintendo
    • RTMP
    • FTP_DATA
    • Wikipedia
    • ZeroMQ
    • Amazon
    • eBay
    • CNN
    • Megaco
    • Redis
    • Pando_Media_Booster
    • VHUA
    • Telegram
    • Vevo
    • Pandora
    • QUIC
    • WhatsAppVoice
    • EAQ
    • Ookla
    • AMQP
    • KakaoTalk
    • KakaoTalk_Voice
    • Twitch
    • WeChat
    • MPEG_TS
    • Snapchat
    • Sina(Weibo)
    • GoogleHangout
    • IFLIX
    • Github
    • BJNP
    • SMPP
    • DNScrypt
    • TINC
    • Deezer
    • Instagram
    • Microsoft
    • Starcraft
    • Teredo
    • HotspotShield
    • HEP
    • GoogleDrive
    • OCS
    • Office365
    • Cloudflare
    • MS_OneDrive
    • MQTT
    • RX
    • AppleStore
    • OpenDNS
    • Git
    • DRDA
    • PlayStore
    • SOMEIP
    • FIX
    • Playstation
    • Pastebin
    • LinkedIn
    • SoundCloud
    • CSGO
    • LISP
    • Diameter
    • ApplePush
    • GoogleServices
    • AmazonVideo
    • GoogleDocs
    • WhatsAppFiles

Which could I select? If I analyse the traffic from the targeted hosts, most of it is TLS.
Should this rule block YouTube traffic?
image

If I try to use this rule - all traffic passes the firewall, no restricted access.

+1 for the 5000-5500 possibility rather than 5000, 5001, … 5500.

I tried it for testing purposes:

  1. Creating time rule “ever” 00:00-23:59
  2. Creating FW rule for a dedicated client
    image

… Client still has full access to YouTube

P.S.: and respected:

Firewall rules using DPI services are generated inside the mangle table, for this reason such rules have some limitations:

  • reject action is not supported, use drop to block traffic