D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: djm on September 30, 2010, 04:30:46 AM

Title: How can I block web access but without blocking Microsoft updates?
Post by: djm on September 30, 2010, 04:30:46 AM
Hi, I put in a rule to block http-outbound
Quote
httpdeny drop lan lannet wan wannet http-outbound

It works but it has the side effect of also blocking microsoft update traffic.

Does anyone know a way that doesn't?

Ideally, when a user tries browsing a web page they would get an authorization pop-up, and if they enter a valid username/password then they get to browse, otherwise they don't. Updates should be allowed through without requiring any auth.

Any help would be greatly appreciated.
Title: Re: Block web access but without blocking Microsoft updates
Post by: silver_surfer30 on October 10, 2010, 07:53:48 PM
The other way is to make a NAT rule in the http_outbound service and to create a whitelist to allow Microsoft Update on the URL filter tab, and then to create a blacklist to deny any other web access.
Title: Re: Block web access but without blocking Microsoft updates
Post by: djm on October 17, 2010, 03:25:51 AM
Hi, thanks for the response.  I'm not sure how to do what you suggest.

Do you mean a NAT rule in addition to the rule I already have or instead of it?

What would the settings of the rule be and how do I create a whitelist for it?

Thanks,

David. ???
Title: Re: How can I block web access but without blocking Microsoft updates?
Post by: silver_surfer30 on October 18, 2010, 01:08:25 AM
You need to create an HTTP outbound ALG and, in the URL filter tab, add a whitelist with the Microsoft URL in there.
Then add a blacklist with the following: *.*/*.
Then create an HTTP service and in the ALG part select the one you created in the ALG menu.

Then create an IP rule using this service.

Do not forget the DNS service rule, and that should solve the issue.
Title: Re: How can I block web access but without blocking Microsoft updates?
Post by: djm on October 27, 2010, 07:30:57 PM
I tried it - no luck.  I must be missing something.  All computers can access all web pages with the following setup.

ALG->http-outbound:
Code:
Blacklist *.*/*
 Whitelist *.update.microsoft.com/*
 Whitelist *.windowsupdate.com/*

Services:
Code:
http-outbound TCP 80 http-outbound HTTP via HTTP ALG "http-outbound" - strips all active content
IP rule:
Code:
allow_someHTTP NAT lan lannet wan all-nets http-outbound
I'm guessing that the IP rule should have some other action or something.
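The whitelist/blacklist pairs in this thread are wildcard patterns, and it is easy to deploy one that does not match what you expect. The following is an added example, not code from the thread or from D-Link: a small evaluator for HTTP ALG style URL patterns that tells you, before you deploy, which requests a list would pass. It assumes (these are assumptions, not taken from the thread) that `*` matches any run of characters, that patterns are compared against `host/path` with the scheme removed, and that a whitelist match takes precedence over a blacklist match. The sample URLs are constructed for illustration.

```python
"""
Added example (not from the thread or from D-Link): evaluate HTTP ALG style
URL whitelist/blacklist patterns against sample requests.

Assumptions: '*' matches any run of characters; patterns are matched against
"host/path" without the scheme; a whitelist hit wins over a blacklist hit.
Verify these semantics against the manual for your own firmware version.
"""
import re
from urllib.parse import urlsplit


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a '*' wildcard pattern into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def url_to_hostpath(url: str) -> str:
    """Reduce a URL to the 'host/path?query' form the patterns are written against."""
    parsed = urlsplit(url if "://" in url else "http://" + url)
    path = parsed.path or "/"
    if parsed.query:
        path += "?" + parsed.query
    return (parsed.hostname or "") + path  # hostname is lowercased, port dropped


class UrlFilter:
    def __init__(self, whitelist, blacklist):
        self.whitelist = [(p, pattern_to_regex(p)) for p in whitelist]
        self.blacklist = [(p, pattern_to_regex(p)) for p in blacklist]

    def evaluate(self, url: str):
        """Return (verdict, reason); whitelist is consulted first."""
        hostpath = url_to_hostpath(url)
        for pattern, rx in self.whitelist:
            if rx.match(hostpath):
                return "allow", "whitelist " + pattern
        for pattern, rx in self.blacklist:
            if rx.match(hostpath):
                return "deny", "blacklist " + pattern
        return "allow", "no pattern matched"


# The lists as posted in the thread.
POSTED_WHITELIST = ["*.update.microsoft.com/*", "*.windowsupdate.com/*"]
POSTED_BLACKLIST = ["*.*/*"]


def check_urls(urls, whitelist=POSTED_WHITELIST, blacklist=POSTED_BLACKLIST):
    """Map each sample URL to its verdict under the given lists."""
    flt = UrlFilter(whitelist, blacklist)
    return {u: flt.evaluate(u)[0] for u in urls}


if __name__ == "__main__":
    # Constructed sample requests, chosen to exercise the edge cases:
    # a whitelisted subdomain, a bare apex host, a dotless intranet name.
    samples = [
        "http://download.windowsupdate.com/x.cab",
        "http://update.microsoft.com/",          # no leading label before '.update'
        "http://www.example.com/",
        "http://intranet/",                      # '*.*/*' needs a dot in the host
    ]
    for url, verdict in check_urls(samples).items():
        print(f"{verdict:5}  {url}")
    print("with '*/*' as blacklist:", check_urls(["http://intranet/"], blacklist=["*/*"]))
```

Two things the run makes visible: `*.update.microsoft.com/*` does not match the bare host `update.microsoft.com` under a literal reading of the wildcard, so list the apex separately if clients contact it; and `*.*/*` only matches hosts containing a dot, so a single-label intranet name slips past it, whereas `*/*` catches everything.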
Title: Re: How can I block web access but without blocking Microsoft updates?
Post by: djm on October 27, 2010, 10:03:11 PM
As an alternative, I disabled all these settings and implemented "8.2.7. HTTP Authentication" of "NetDefendOS_2.26_Firewall_UserManual_v1.10.pdf" which I just downloaded.

I now get asked for a username and password, but once entered get told:
Logged on
You, or someone else from your IP address,
have been granted access.

Click here to log out.

It never moves on to the web page I was trying to access.

Were I to get this working, will it cause grief with windows updates, and if so is it possible to tweak it so that it doesn't?

The settings I added were:
(My LAN is 192.168.54.*)

AddressBook:
Code:
HTTPAllowed 192.168.54.0/24 WebUsers
I added Rules->IP rules:
Code:
9 allow_httpProxy Allow lan lannet core lan_ip http-all
10 allow_httpProxy Allow lan lannet core lan_ip http-all
11 allow_httpProxy NAT lan HTTPAllowed wan all-nets http-all
12 allow_httpProxy NAT lan lannet wan all-nets dns-all
13 allow_httpProxy SAT lan lannet wan all-nets http-all
14 allow_httpProxy Allow lan lannet wan all-nets http-all
15 http2fw Allow lan lannet core lan_ip http

Existing rules higher than these were (just in case any of these are causing grief):
Code:
1 OpenVPN_LAN
  1 OpenVPN_allow FwdFast lan all-nets lan all-nets all_services
  2-5 disabled
  6 OpenVPN_allow Allow any lannet any OpenVPNNet all_services
  7 OpenVPN_allow Allow any OpenVPNNet any lannet all_services
2 OpenVPN_SAT SAT any all-nets core wan_ip OpenVPN
3 OpenVPN_NAT NAT any all-nets core wan_ip OpenVPN
4 SAT_DNS_Relay SAT lan lannet core lan_ip dns-all
5 Allow_DNS_Relay NAT lan lannet core lan_ip dns-all
6 OpenVPN_allow Allow any all-nets core wan_ip OpenVPN
7 SMTP_allow Allow any all-nets lan lannet smtp
8-12 disabled
13 lan_to_wan
  1-3 disabled
  4 drop_smb-all Drop lan lannet wan all-nets smb-all
  5 allow_ping-outbound NAT lan lannet wan all-nets ping-outbound
  6 allow_ftp-passthrough NAT lan lannet wan all-nets ftp-passthrough
  7-8 disabled
  new rules - see above
  16 allow_httpProxy NAT lan lannet any all-nets http

Local User Database:
Code:
WebUsers
And in WebUsers I added a username and password (no group - do I need to specify a group?).
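When an IP rule set mixes an authentication-gated source object (HTTPAllowed with the WebUsers group) with broader rules for the same service, the outcome depends entirely on top-down, first-match evaluation. The block below is an added example, not code from the thread or from D-Link: a small first-match simulator built from rules 11, 13 and 14 of the post above, run once for an unauthenticated LAN host and once for an authenticated one. It assumes (these are assumptions) that the rule set is scanned top-down and the first matching Allow/NAT/Drop decides; that a matching SAT rule only records a translation and scanning continues; and that an address object carrying user-auth groups matches only sessions whose user is authenticated in one of those groups. The IP addresses and the `drop_other_http` rule are constructed for illustration.

```python
"""
Added example (not from the thread or from D-Link): first-match simulator
for an IP rule set with an authentication-gated source object.

Assumptions: top-down first match; SAT records a translation and scanning
continues; an address object with auth groups matches only authenticated
users in those groups. Check your firmware manual before relying on this.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AddrObj:
    name: str
    network: str
    auth_groups: frozenset = frozenset()  # empty -> no authentication requirement

    def matches(self, ip: str, user_groups: frozenset) -> bool:
        if ip_address(ip) not in ip_network(self.network):
            return False
        return not self.auth_groups or bool(self.auth_groups & user_groups)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # Allow, NAT, Drop, SAT
    src: AddrObj
    dst: AddrObj
    service: str


ANY = AddrObj("all-nets", "0.0.0.0/0")
LANNET = AddrObj("lannet", "192.168.54.0/24")            # LAN as stated in the post
HTTP_ALLOWED = AddrObj("HTTPAllowed", "192.168.54.0/24", frozenset({"WebUsers"}))


def evaluate(rules, src_ip, dst_ip, service, user_groups=frozenset()):
    """Return (deciding rule name, action, name of SAT rule applied or None)."""
    sat_rule = None
    for rule in rules:
        if rule.service not in (service, "all_services"):
            continue
        if not rule.src.matches(src_ip, user_groups):
            continue
        if not rule.dst.matches(dst_ip, frozenset()):
            continue
        if rule.action == "SAT":
            sat_rule = rule.name  # translation noted; a later rule must still allow it
            continue
        return rule.name, rule.action, sat_rule
    return None, "Drop", sat_rule  # implicit final drop


# Rules 11, 13 and 14 as posted (the relevant http-all entries).
POSTED_ORDER = [
    Rule("11 allow_httpProxy", "NAT", HTTP_ALLOWED, ANY, "http-all"),
    Rule("13 allow_httpProxy", "SAT", LANNET, ANY, "http-all"),
    Rule("14 allow_httpProxy", "Allow", LANNET, ANY, "http-all"),
]

# Constructed variant: the gated rule followed by an explicit drop for everyone else.
AUTH_ONLY_ORDER = [
    Rule("11 allow_httpProxy", "NAT", HTTP_ALLOWED, ANY, "http-all"),
    Rule("drop_other_http", "Drop", LANNET, ANY, "http-all"),
]


def outcomes(rules):
    """Deciding rule and action for an unauthenticated and an authenticated LAN host."""
    src, dst = "192.168.54.10", "203.0.113.5"  # constructed addresses
    unauth = evaluate(rules, src, dst, "http-all")
    authed = evaluate(rules, src, dst, "http-all", frozenset({"WebUsers"}))
    return {"unauthenticated": unauth[:2], "authenticated": authed[:2]}


if __name__ == "__main__":
    print("posted order:   ", outcomes(POSTED_ORDER))
    print("auth-only order:", outcomes(AUTH_ONLY_ORDER))
```

In the posted order an unauthenticated host skips rule 11 (its source object requires the WebUsers group), has its translation recorded by rule 13, and is then accepted by rule 14, which matches any lannet host; only the authenticated host is decided by the gated rule. With the broad Allow replaced by a drop, the unauthenticated host falls to that drop while the authenticated host still reaches rule 11. Whatever the final design, checking the rule set this way for both session types shows which rule is actually deciding each case.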
Title: Re: How can I block web access but without blocking Microsoft updates?
Post by: djm on October 30, 2010, 04:02:16 PM
I managed to get a straight block working - i.e. users are unable to access any pages except those on the ALG whitelist, the blacklist contains *.*/*.

Is it possible to combine this with password authentication - so that the whitelist sites are available to everyone, but other sites only available to authenticated users?
Title: Re: How can I block web access but without blocking Microsoft updates?
Post by: djm on November 21, 2010, 03:43:59 AM
Is it possible to combine ALG whitelist/blacklist with user authorization?