Post by bittwiddler on Sept 12, 2019 4:34:55 GMT
This is not standard usage for a firewall like Smallwall but I have a walk-up workstation which I need to restrict to one specific domain lest it get (further) abused.
I know the MAC id of the machine so I can configure DHCP to provide a consistent IP address. I also have the option of giving it a static IP address. However, I am not sure if it is possible to write a rule to restrict that IP address to only one domain. I have seen this done with NAT rules on commercial (read expensive) appliances but never with iptables or similar.
Thoughts?
Post by Lee Sharp on Sept 12, 2019 12:56:25 GMT
You will need translation... The firewall works on IP addresses and not domains, and the "nextgen" firewalls just do a lot of lookups. A better way to filter this is a webfilter or DNS filter. And block external DNS access to this device.
Post by bittwiddler on Sept 12, 2019 15:59:48 GMT
> The firewall works on IP addresses and not domains, and the "nextgen" firewalls just do a lot of lookups.

Yes, hence my question. I can use the static IP address of the domain and its edge points in firewall rules. I am just not sure how to write a rule for one specific workstation. I've looked at webfilters and DNS filters but they seem overkill for my problem. Those tend to allow access to many IP addresses and filter out a subset. I am running a RADIUS server on a BeagleBone now so I could, in theory, run a filter on that same node. I'd like to keep this as simple as possible though. These things can take on a life of their own ;-)
Post by bittwiddler on Sept 13, 2019 3:33:22 GMT
Just in case anyone is interested. My current approach is dnsmasq running on the network with SmallWall pointing to it as the DNS Server for the network/interface. I am configuring dnsmasq to only forward domains which are listed in my whitelist file to my canonical DNS server. If it works as well as preliminary testing shows I will write it up and post it here. Also, I just completed installing a RADIUS server on BeagleBone which I will write up and post as well.
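The dnsmasq "forward only whitelisted domains" setup described in the post above, as an added example that is not the poster's own config. It assumes a whitelist file with one domain per line, a hypothetical upstream resolver at 192.0.2.53 and a hypothetical LAN listen address of 192.0.2.1; the sample whitelist is constructed inline. The trick is dnsmasq's `address=/#/` catch-all: it answers NXDOMAIN for every name that is not sent upstream by a more specific `server=/domain/` line, so unlisted domains never leave the network.

```shell
#!/bin/sh
# Added example: generate a dnsmasq configuration that forwards only
# whitelisted domains to an upstream resolver and returns NXDOMAIN for
# everything else. Hypothetical addresses: upstream 192.0.2.53, LAN 192.0.2.1.

# gen_dnsmasq_conf WHITELIST_FILE UPSTREAM_IP LISTEN_ADDR
# Prints the generated dnsmasq.conf to stdout.
gen_dnsmasq_conf() {
    whitelist="$1"; upstream="$2"; listen="$3"
    printf '# generated whitelist-only dnsmasq config\n'
    # Ignore /etc/resolv.conf: the only upstreams are the server= lines below,
    # so a typo in the whitelist cannot silently open a default forwarder.
    printf 'no-resolv\n'
    # Answer only on the LAN address, never on the WAN side.
    printf 'listen-address=%s\n' "$listen"
    printf 'bind-interfaces\n'
    # Catch-all: any name not matched by a more specific server= line gets
    # NXDOMAIN (address= with no IP). This is what makes the list a whitelist.
    printf 'address=/#/\n'
    # One server= line per whitelisted domain; a server=/example.com/ line also
    # covers its subdomains. Strip comments, blank lines and a leading dot,
    # lowercase, and de-duplicate.
    sed -e 's/#.*//' -e 's/^[[:space:]]*\.//' -e 's/[[:space:]]*$//' -e '/^$/d' "$whitelist" \
      | tr 'A-Z' 'a-z' | sort -u \
      | while read -r domain; do
            printf 'server=/%s/%s\n' "$domain" "$upstream"
        done
}

# Stand-alone demo with a constructed whitelist (not a real one).
demo_whitelist=$(mktemp)
printf 'example.com\n# comment line\n\nUpdates.Example.net\nEXAMPLE.COM\n' > "$demo_whitelist"
gen_dnsmasq_conf "$demo_whitelist" 192.0.2.53 192.0.2.1
rm -f "$demo_whitelist"
```

Two caveats a practitioner would want: the whitelist only holds if the workstation cannot reach any other resolver, so the firewall still has to drop its outbound port 53 (and 853, for DNS over TLS) to anything but this dnsmasq host, as Lee suggested earlier; and a whitelisted site whose pages pull assets from third-party domains will break unless those domains are listed too, which is where dnsmasq's query log (`log-queries`) earns its keep.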
Post by Lee Sharp on Sept 13, 2019 4:31:13 GMT
> Yes, hence my question. I can use the static IP address of the domain and its edge points in firewall rules. I am just not sure how to write a rule for one specific workstation.

That is easier... You start with the allow rule. Source IP is your workstation, source port is any. Destination is the IP and port you need it to reach. Then you make a block rule following with source IP being the workstation, and everything else any. It will hit your pass rule and escape, or go on to the block rule and fail.
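The pass-then-block ordering Lee describes, written out as an added example rather than anything from the thread or from SmallWall itself. SmallWall is configured through its web GUI, so this uses iptables on a Linux gateway to show the same first-match logic; the workstation 192.0.2.10 and the two allowed destinations 203.0.113.5:443 and 203.0.113.6:443 are hypothetical. The function prints the commands instead of applying them so the order can be inspected before piping them to `sh` on the gateway.

```shell
#!/bin/sh
# Added example: first-match "pass the allowed destinations, then block the
# rest" rules for one workstation, as iptables FORWARD rules on a Linux
# gateway (not a SmallWall configuration). Hypothetical addresses throughout.

# walkup_rules WORKSTATION_IP "DEST_IP:PORT DEST_IP:PORT ..."
# Prints one iptables command per line; pipe the output to sh to apply.
walkup_rules() {
    ws="$1"; allowed="$2"; chain=WALKUP
    # A dedicated chain keeps the workstation rules separate from the rest
    # of FORWARD and lets them be flushed on their own.
    echo "iptables -N $chain"
    echo "iptables -F $chain"
    # Replies to connections the workstation opened come back through
    # FORWARD too; accept them so the pass rules work for return traffic.
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Pass rules first: workstation -> allowed IP:port, any source port.
    for dp in $allowed; do
        ip=${dp%:*}; port=${dp#*:}
        echo "iptables -A $chain -p tcp -d $ip --dport $port -j ACCEPT"
    done
    # Block rule last: everything else from the workstation, including DNS
    # to public resolvers, which is what keeps a LAN-side DNS whitelist honest.
    echo "iptables -A $chain -j LOG --log-prefix \"walkup-drop: \""
    echo "iptables -A $chain -j DROP"
    # Hook at the top of FORWARD so only the workstation's traffic enters
    # the chain; every other host is unaffected.
    echo "iptables -I FORWARD 1 -s $ws -j $chain"
}

# count_chain_rules CHAIN OUTPUT: number of -A lines for CHAIN in the output.
count_chain_rules() {
    echo "$2" | grep -c -- "-A $1 "
}

# Stand-alone demo.
walkup_rules 192.0.2.10 "203.0.113.5:443 203.0.113.6:443"
```

If the order is reversed, with the DROP before the ACCEPTs, the pass rules are never reached and the workstation loses everything, which is exactly the "hit the pass rule and escape, or fall through to the block" behaviour Lee describes. Traffic from the workstation to a resolver on the same LAN segment never crosses the gateway, so nothing here needs to allow it; only the escape to outside resolvers is closed off.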
Post by bittwiddler on Sept 19, 2019 4:06:32 GMT
Thank you Lee!