Firewall - time based access for host groups

Thank you for your hint. Can you please explain how to implement such proxy rules (preferably via Cockpit)?
I didn't find tutorials here.
Thanks, Andy

Hi

I did that a few years back with SME Server, the predecessor to NethServer. The firewall was another dedicated firewall, at the time I think it was a SonicWall. The company was taken over a few years back, and folded shortly thereafter, after the new management decided to implement external servers, SAP and other oversized items…

Unfortunately, I lost my archives a while back, when lightning struck my non-UPS-protected home and burned my NAS and the external disk backup thereof…

However, these might help you:

As far as I'm aware, this still needs manual templates of squid.conf (as in SME Server years ago)
and needs thorough testing of the rules and their loading. The rules needed to be loaded in the right order, with the http_access deny all at the end of that config-file segment.

Customize the wpad to distribute the optimal proxy settings to your clients, test it, and then close your firewall and test again!

There are also a few good sites containing tips about what you can do with just wpad alone!

Your mileage may vary, but here it’s well worth it.
You can even customize the "Error message" displayed, like "According to contract, this web site 'YYY' is only available from 19:00-07:00, all other access attempts will be reported to HR…"

Clients are kings, and their wishes count!

My 2 cents…
Andy

1 Like

Is there anyone else who can provide experience in configuring the proxy to allow and deny time-based access?

Andy’s experiences do not sound trivial.

Hi

It's not that difficult, seeing the sample info (the two web links provided above).

Make a copy first of the existing /etc/e-smith/templates/etc/squid/squid.conf/ to
/etc/e-smith/templates-custom/etc/squid/squid.conf/. The folders at the target do not exist yet!

Use an independent PC, where you force the proxy (Windows: see Internet Options, Connections, LAN…). The proxy can be restarted independently of the server, so if you make a typo, you're not blocking everyone off the internet until you get the rules right!

It's also worthwhile making Squid ACL groups for "allowed" PCs and "all other PCs" to make later editing easier and more transparent.

BTW: What firewall are you using: the NethServer?

Andy
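A squid.conf ACL fragment of the kind Andy describes (a host-group ACL, time ACLs, the deny rules before the final deny all), written here as an added example and not taken from the thread or from NethServer's own templates; the client addresses, ACL names and error page name are constructed, and the overnight window is split in two because a Squid time ACL cannot cross midnight.

```conf
# Added example fragment for /etc/e-smith/templates-custom/etc/squid/squid.conf/
# (the fragment's file name decides where it lands in the assembled squid.conf,
# so check the generated file: these lines must come before any http_access allow).

# Host group of the PCs to restrict (constructed addresses). Everything not in
# this ACL is implicitly "all other PCs" and falls through to the normal rules.
acl restricted_pcs src 192.168.3.20 192.168.3.21

# Squid time ACLs use day letters S M T W H F A (Sunday..Saturday) and the
# start time must be earlier than the end time, so 19:00-07:00 needs two ACLs.
acl night_evening time SMTWHFA 19:00-23:59
acl night_morning time SMTWHFA 00:00-07:00

# Custom error page shown when the deny below matches (the file must exist in
# Squid's error directory); the page is chosen by the last ACL on the deny line.
deny_info ERR_NIGHT_BLOCK night_evening
deny_info ERR_NIGHT_BLOCK night_morning

# http_access lines are evaluated top to bottom, first match wins.
http_access deny restricted_pcs night_evening
http_access deny restricted_pcs night_morning

# Normal rules follow; the final deny all must stay last in the segment.
http_access allow localnet
http_access deny all
```

Reload with `squid -k reconfigure` after expanding the template and test from one forced-proxy client before touching the wpad or firewall, as the post suggests.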

I think that can be done more easily (not tested):

Go to local rules and create a rule like this, only with the hosts-object you created and give it a time condition:


Place it before the existing squid rule.

4 Likes

Looks good, never tried to do it with Cockpit so far. Cockpit is installed on all servers, but so far there was no need yet…

🙂

Thank you, I will try it.
But the source should be a host group, not all clients inside GREEN. I defined one and use it now.

Hi guys, I tested a lot of rules… Not a single rule blocks access to anything!

Finally, I have simplified my requirement and want to build up from a baseline:

Case 1:
Req: Block most internet traffic of a client related to loading non-specific payload from websites, streaming servers …,
assumption: FW has to block https
Solution:

  1. Definition of a client object
  2. Definition of a rule (non-local)
  3. **Result**: all traffic passes the firewall, the rule has no effect

Case 2:
Req: Block most internet traffic of a client related to loading non-specific payload from websites, streaming servers …,
assumption: FW has to block squid

  1. Definition of a client object
  2. Definition of a rule (local)
  3. **Result**: all traffic passes the firewall, the rule has no effect

Case 3:
Req: Block most internet traffic of a client related to loading non-specific payload from websites, streaming servers …,
assumption: FW has to block httpd service

  1. Definition of a client object
  2. Definition of a rule (local)
  3. **Result**: all traffic passes the firewall, the rule has no effect

I’m really at a loss right now. What is wrong?

My system architecture:

  • RED: 192.168.2.0/24

  • Router: 192.168.2.1

  • GREEN: 191.68.3.0/24

  • Nethserver-Gateway/Firewall: 192.168.3.1

  • DHCP/DNS-Server (Pihole): 192.168.3.5

  • all clients with IP reservation, no dedicated proxy settings

  • web proxy: transparent-SSL

May I ask again if anyone has an explanation why my firewall rules remain ineffective?

Simple and short: rules cannot match traffic. So they don't work as you expect.
As usual: computers do what they are told to, not what you're thinking or hoping…
Unless there are bugs, of course…

What do you want to achieve exactly?

If you want to block specific traffic / protocols, you can try to use nDPI.
Please have a look here:

https://docs.nethserver.org/en/latest/firewall.html#deep-packet-inspection-dpi

Ok, thanks for this notice. How should I understand this? If I can select a specific service, the rule should suppress traffic / connections related to the selected service. If not, what then is the deeper meaning behind such service-oriented rules? Is there somewhere I can read more about what to do and what not to do when the firewall is configured correctly (best practices)? The docs are not really helpful.

Finally, I would like to block internet use overnight for the children.
I wanted to approach the solution step by step, and in the first step I wanted to prevent a client from using the internet (in my thinking traffic to RED or from RED???).
In the next step I would try to make this time-controlled. In a further step maybe more specific, like "block everything but iTunes music". So on the one hand I wanted to get a solution step by step, and on the other hand I wanted to improve my understanding of the technique step by step.

you can try to use ndpi

Yes, I have installed nDPI. The docs say:

When the DPI module is active, new items for the Service field are available in the Edit rule form. Those items are labeled DPI protocol, among the usual network service and service object items.

But I don't find any specifically labeled "DPI-Service" services to address in a rule.
In my understanding this rule…
image
…should block all traffic based on the https protocol for the clients inside the host group "kind".

If not, what then is the deeper meaning behind such service-oriented rules?

Inside the ntopng documentation I found a list of nDPI protocols:

Summary

We are continuously extending nDPI and so far many protocols are supported including

    • FTP_CONTROL
    • POP3
    • SMTP
    • IMAP
    • DNS
    • IPP
    • HTTP
    • MDNS
    • NTP
    • NetBIOS
    • NFS
    • SSDP
    • BGP
    • SNMP
    • XDMCP
    • SMBv1
    • Syslog
    • DHCP
    • PostgreSQL
    • MySQL
    • Hotmail
    • Direct_Download_Link
    • POPS
    • AppleJuice
    • DirectConnect
    • ntop
    • COAP
    • VMware
    • SMTPS
    • FacebookZero
    • UBNTAC2
    • Kontiki
    • OpenFT
    • FastTrack
    • Gnutella
    • eDonkey
    • BitTorrent
    • SkypeCall
    • Signal
    • Memcached
    • SMBv23
    • Mining
    • NestLogSink
    • Modbus
    • Xbox
    • QQ
    • TikTok
    • RTSP
    • IMAPS
    • IceCast
    • PPLive
    • PPStream
    • Zattoo
    • ShoutCast
    • Sopcast
    • Tvants
    • TVUplayer
    • HTTP_Download
    • QQLive
    • Thunder
    • Soulseek
    • SSL_No_Cert
    • IRC
    • Ayiya
    • Unencrypted_Jabber
    • MSN
    • Oscar
    • Yahoo
    • BattleField
    • GooglePlus
    • VRRP
    • Steam
    • HalfLife2
    • WorldOfWarcraft
    • Telnet
    • STUN
    • IPsec
    • GRE
    • ICMP
    • IGMP
    • EGP
    • SCTP
    • OSPF
    • IP_in_IP
    • RTP
    • RDP
    • VNC
    • PcAnywhere
    • SSL
    • SSH
    • Usenet
    • MGCP
    • IAX
    • TFTP
    • AFP
    • Stealthnet
    • Aimini
    • SIP
    • TruPhone
    • ICMPV6
    • DHCPV6
    • Armagetron
    • Crossfire
    • Dofus
    • Fiesta
    • Florensia
    • Guildwars
    • HTTP_ActiveSync
    • Kerberos
    • LDAP
    • MapleStory
    • MsSQL-TDS
    • PPTP
    • Warcraft3
    • WorldOfKungFu
    • Slack
    • Facebook
    • Twitter
    • Dropbox
    • GMail
    • GoogleMaps
    • YouTube
    • Skype
    • Google
    • DCE_RPC
    • NetFlow
    • sFlow
    • HTTP_Connect
    • HTTP_Proxy
    • Citrix
    • NetFlix
    • LastFM
    • Waze
    • YouTubeUpload
    • GenericProtocol
    • CHECKMK
    • AJP
    • Apple
    • Webex
    • WhatsApp
    • AppleiCloud
    • Viber
    • AppleiTunes
    • Radius
    • WindowsUpdate
    • TeamViewer
    • Tuenti
    • LotusNotes
    • SAP
    • GTP
    • UPnP
    • LLMNR
    • RemoteScan
    • Spotify
    • Messenger
    • H323
    • OpenVPN
    • NOE
    • CiscoVPN
    • TeamSpeak
    • Tor
    • CiscoSkinny
    • RTCP
    • RSYNC
    • Oracle
    • Corba
    • UbuntuONE
    • Whois-DAS
    • Collectd
    • SOCKS
    • Nintendo
    • RTMP
    • FTP_DATA
    • Wikipedia
    • ZeroMQ
    • Amazon
    • eBay
    • CNN
    • Megaco
    • Redis
    • Pando_Media_Booster
    • VHUA
    • Telegram
    • Vevo
    • Pandora
    • QUIC
    • WhatsAppVoice
    • EAQ
    • Ookla
    • AMQP
    • KakaoTalk
    • KakaoTalk_Voice
    • Twitch
    • WeChat
    • MPEG_TS
    • Snapchat
    • Sina(Weibo)
    • GoogleHangout
    • IFLIX
    • Github
    • BJNP
    • SMPP
    • DNScrypt
    • TINC
    • Deezer
    • Instagram
    • Microsoft
    • Starcraft
    • Teredo
    • HotspotShield
    • HEP
    • GoogleDrive
    • OCS
    • Office365
    • Cloudflare
    • MS_OneDrive
    • MQTT
    • RX
    • AppleStore
    • OpenDNS
    • Git
    • DRDA
    • PlayStore
    • SOMEIP
    • FIX
    • Playstation
    • Pastebin
    • LinkedIn
    • SoundCloud
    • CSGO
    • LISP
    • Diameter
    • ApplePush
    • GoogleServices
    • AmazonVideo
    • GoogleDocs
    • WhatsAppFiles

Which could I select? If I analyse the traffic from the targeted hosts, most of it is TLS.
Shouldn't this rule block YouTube traffic?
image

If I try to use this rule, all traffic passes the firewall, no restricted access.

+1 for the 5000-5500 possibility rather than 5000, 5001, … 5500.

I tried it for testing purposes:

  1. creating time rule "ever" 00:00-23:59
  2. creating FW rule for a dedicated client
    image

… Client still has full access to YouTube

PS: and respected:

Firewall rules using DPI services are generated inside the mangle table, for this reason such rules have some limitations:

  • reject action is not supported, use drop to block traffic

Can you play the video? Here I have access to the page itself, but can't play the video. Black screen with rotating white circle.

Try to block something else like Facebook, so you can evaluate if blocking doesn't work at all or only YouTube isn't blocked.

Blocking YouTube seems to be tricky.

Yes I can.

I tried it with heise.de

  1. new custom category with one domain name: heise.de
  2. new profile: MacPro should be blocked
    image

    result: full access to heise.de

Irritating context menu, probably a bug related to Cockpit:

What: should be: heise-block
Category should be: heise

Thank you for your support.

Edit 1: instead, the access to my router (RED/192.168.2.1) is now blocked. If I delete the heise-block profile I have access again.

Context menu is irritating indeed. Why YouTube?
What happens if you add heise.de to the global blacklist?

I don’t know. Probably a bug.

No success, I still have full access (cache cleared before!).
I'm still installing a new NethServer onto another server…

Continued after reinstallation here: Experience with fresh Nethserver-Installation