Solved Block a computer from Internet access

mefizto


#1
Greetings all,

I would like to prevent one computer (running Windows 7) from accessing the Internet, but allow access to and from the internal network. One manner that I could think of is to formulate rules based on the static IP of the computer, e.g.:
Code:
block in on <internal interface> from <static ip> to any
pass in on <internal interface> from <static ip> to <internal network>
pass out on <internal interface> from <static ip> to <internal network>
.

However, what about blocking a dynamically assigned address - is it possible?
Kindest regards,
M
 

ShelLuser


#2
That's not the best set of rules, depending on your setup. After all: you want to block the Windows 7 machine from accessing the Internet, but what about your FreeBSD server itself? I could well imagine that it provides more functionality than just that of a gateway.

Another point of interest is the way you set up your firewall. Best practice is to block everything and then open up the stuff you'd like to be made accessible. Therefore this would be much more feasible, I think:
Code:
Win7 = "192.168.0.7/32"
int_if = "em0"
ext_if = "em1"

set skip on lo0

# We trust the LAN, so we only fully block the outside
block on $ext_if

# Only block Win7 from accessing the Internet
block on $ext_if from $Win7 to any
Anyway, back to the question at hand: dynamic addresses. Which machine provides the DHCP service?

There are a few possibilities, but it all depends on your setup. If there's only one Windows 7 machine on your network you could apply fingerprinting by checking for Windows Vista; see also operating system fingerprinting in pf.conf(5).

For example, the above blocking rule could be changed to: block on $ext_if from any os "Windows Vista" to any. Of course this would block all instances of Windows 7 (and Vista).

The other options depend on your environment. If your server also provides the DHCP service then you could consider using that to assign the host with a static address (based on its MAC address) and then block that static IP address in your firewall.
 

mefizto


#3
Hi ShelLuser,

first, thank you for the reply.

I think that I made a mistake in my first rule; it should have read: block on <external interface> from <static ip> to any.

I intend to run only a firewall, a VPN, and a DNS resolver on the Internet-facing machine. All other machines will be on the LAN (<internal interface>), and as I understand the rules I proposed, the machines will be allowed to access the Internet.

In that respect, could you explain your rule:
# We trust the LAN, so we only fully block the outside
block on $net_if
?
First I am not sure what the $net_if refers to; second, if this corresponds to the $int_if, how do the machines on the LAN access the Internet? Am I missing something?

This is only a snippet of rules, I do indeed block all the traffic as a default.

Kindest regards,

M
 

ShelLuser


#4
In that respect, could you explain your rule:
# We trust the LAN, so we only fully block the outside
block on $net_if
?
First I am not sure what the $net_if refers to; second, if this corresponds to the $int_if, how do the machines on the LAN access the Internet? Am I missing something?
Well, for starters keep in mind that this is normally what the pf.conf(5) manual page is for, also accessible on the command line using man pf.conf. The reason I mention this is not to go 'RTFM' on you, but because I want to make sure that you're aware of this. Many other Unix-like operating systems don't have this kind of documentation.

Alas, $net_if is a dumb typo on my end which I have now corrected. Sorry, that should have said $ext_if; the rule would fully block everything coming in from the external interface (aka the Internet). Now, you're probably aware, but I'm still going to answer the next part: this rule won't interfere with machines which need to access the Internet, due to stateful filtering; the firewall keeps track of incoming data which originated from within the network and will let that pass, despite the rule which blocks everything.

Of course there are more ways to achieve this.
 

mefizto


#5
Hi ShelLuser,

thank you once again. No worries about the "RTFM"; I actually referred to it, but I could not find the question there.

O.K., I now understand the first block rule. However, I am not aware of the fact that:
this rule won't interfere with machines which need to access the Internet due to statefull filtering; the firewall keeps track of incoming data which originated from within the network and will let that pass, despite the rule which blocks everything.
Are you saying that I do not need to enable all outgoing packets from the $int_if e.g.: pass out on $ext_if from $int_if to any? The $Win7 packets will be blocked by the second block rule.

Kindest regards,

M
 

ShelLuser


#6
Are you saying that I do not need to enable all outgoing packets from the $int_if e.g.: pass out on $ext_if from $int_if to any?
No, it depends on context. In the above situation you'd only need to add pass rules for outgoing data, because incoming (from the LAN anyway) isn't blocked.
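Putting the advice of #2 (block first, then pass), #4 (stateful filtering lets replies back in) and #6 (pass rules for outgoing) together, here is a complete pf.conf as an added example; it is not from the thread. The interface names, the LAN subnet, the Win7 address and the NAT line are assumptions about the gateway setup.

```pf
# Added example, not from the thread. Interface names, subnet and the Win7
# address are assumed; a DHCP fixed-address lease would keep the latter stable.
ext_if = "em1"                 # Internet-facing interface
int_if = "em0"                 # LAN interface
lan    = "192.168.0.0/24"      # assumed LAN subnet
win7   = "192.168.0.7"         # assumed address of the Windows 7 host

set skip on lo0

# Translation rules must precede filter rules. LAN hosts leave with the
# gateway's external address (assumed; the thread does not show NAT).
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny in both directions. "log" lets you inspect the drops with:
#   tcpdump -nei pflog0
block log all

# Nothing arriving from the Internet is passed explicitly; only replies that
# match a state entry created by the pass rules below get through.

# Win7 may talk to the LAN and to the gateway (DNS resolver, VPN endpoint),
# but not beyond it. "quick" makes this rule final, so the broader LAN pass
# rule further down never sees the packet.
block in log quick on $int_if from $win7 to ! $lan

# Alternative from #2 when the address is dynamic and this is the only
# Windows 7/Vista host. OS fingerprinting matches TCP SYN packets only.
# block in log quick on $int_if proto tcp from any os "Windows Vista" to ! $lan

# Other LAN hosts may go anywhere. The state entry created here is what lets
# the reply traffic back in past "block log all" (the point made in #4).
pass in on $int_if from $lan to any keep state

# Outbound on the external interface: the gateway's own traffic and the NATed
# LAN traffic both leave with the gateway's address, so one rule covers both.
pass out on $ext_if keep state
```

Check the syntax without loading it with pfctl -nf /etc/pf.conf, and confirm the Win7 host is hit with pfctl -vsr (the rule counters) or the pflog0 capture above.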
 