Block access to a URL, except for 1 internal IP

Hi,

I’m trying to set up a firewall for a local nursery. Because they have PCs for the kids as well as the staff they need to block certain URLs. However they only want to block them for most of the PCs, and the one that the staff uses they still need to be able to access those URLs (hope that makes sense so far). So URL of x.y.com/z needs to be blocked for the kids PCs, but not the staff PC.
I’ve set up the firewall to block the URL with a rule of
Block, IP, In/Out, Dest: hostname
which blocks the URL as expected. And in the logs I can see the individual internal IPs (on 192 network) being logged as blocked.
But when I put another rule in to specifically allow access to the same hostname for 1 specific internal IP, that IP is still blocked, but the log shows that it’s being blocked by the request coming in from the ADSL external IP, not the internal 192 address.
Does anyone know why the request is apparently coming from the ISP’s IP and not the internal network?
If I remove the allow rule (which isn’t working anyway) the blocked request comes from the internal IP again.

Help much appreciated.

Andy.

Would you mind providing a little more detail? It sounds like you have a network and you’re configuring CIS on just one PC, through which all Internet traffic is routed?

It would also help if we could see what rules you’re trying to create and also the log entries.

Hi,

Thanks for replying. Yep, it’s a 192.168.0.0/255.255.255.0 network.
I’ve got a Windows XP machine with a PCI ADSL card that talks to the ISP, and a NIC as 192.168.0.1 that acts as the router for the rest of the network.
The rules I’ve currently got set up are:

Action: Allow
Protocol: UDP
Direction: In/Out
Src Address: Any
Dest Address: IP/255.255.255.255
Src Port: 67-68
Dest Port: 67-68

Action: Allow
Protocol: IP
Direction: In/Out
Src Address: Network Zone - LAN #1 (192.168.0.1-192.168.0.254)
Dest Address: Network Zone - LAN #1 (192.168.0.1-192.168.0.254)
IP Details: Any

Action: Any
Protocol: IP
Direction: In/Out
Src Address: 192.168.0.217
Dest Address: Host: liquidlogic.co.uk
IP Details: Any

Action: Block
Protocol: IP
Direction: In/Out
Src Address: Any
Dest Address: Host: liquidlogic.co.uk
IP Details: Any

Action: Allow
Protocol: TCP or UDP
Direction: In/Out
Src Address: Network zone - LAN #1
Dest Address: Any
Src Port: Any
Dest Port: Any

Action: Allow
Protocol: ICMP
Direction: Out
Src Address: Network zone - LAN #1
Dest Address: Any
ICMP Details: Any

Action: Allow
Protocol: IP
Direction: Out
Src Address: Network zone - LAN #1
Dest Address: Any
IP Details: Any

Action: Block
Protocol: IP
Direction: In
Src Address: Any
Dest Address: Any
IP Details: Any

in that order.

Log entries are:

With rule 3 in place the log entry is this:

Windows Operating System Blocked Out TCP 91.85.214.245 1103 212.15.88.110 80

Without rule 3 in place the log entry is:

Windows Operating System Blocked In TCP 192.168.0.217 49635 212.15.88.110 80

Cheers,
Andy.

What you’re seeing does make some sense. Basically, when you use ICS you’re using surrogate processes to handle the traffic. So, when a LAN client requests a resource, the ICS box passes that request off to a process that can complete the request, in this case it’s a pseudo process (In CIS) called Windows Operating System. Because this is actually running on the ICS PC, it will have the address of that PC.

The first thing I’d do is change the rules from IP IN/OUT to TCP OUT as that’s all you should need to access a web site.

The second thing to try is creating a rule that uses a Network Zone, which includes the IP Address of the PC that needs access and also the IP Address of the ICS PC, then use that as the source address in the rule to allow.

Following that, you will probably need to get a little creative, perhaps a block rule that uses a ‘Not In’ option and use the Network Zone again in the source designation.

The only thing you’ll have to check is what access the ‘normal’ PCs have following the creation of such rules.

Try that approach and if it’s no good I’ll try and recreate the situation here.

Hi,

Many thanks again for the suggestions.

I’ve tried out as many combinations of rules, block and allow, and putting the PC that needs the access into its own network (including removing it from the LAN #1 config), but none of the combinations make any difference; it’s either all allow (which shows in the logs as the internal 192 network IPs), or all deny (which all show in the logs as the ADSL IP). And that’s the part I can’t get my head around: why do the blocked log entries show the ADSL IP rather than the LAN IP?

Cheers,
Andy.

Sorry, I thought I explained that in my previous post…

I've tried out as many combinations of rules, block and allow, and putting the PC that needs the access into its own network (including removing it from the LAN #1 config), but none of the combinations make any difference, it's either all allow (which shows in the logs as the internal 192 network IPs), or all deny (which all show in the logs as the ADSL IP). Cheers, Andy.
Did you try my suggestion of using a Network zone?

Sorry, I took your explanation to mean that it would take the IP of the LAN.

Yes I tried various Network zone configs, including them, excluding them.

Thanks.

I tried the configuration I suggested above and as far as I was able to test things, it seemed to work. By that I mean, the PC defined in the allow rule was able to connect, whilst another PC was blocked.

Hi Radaghast,

Thanks again. And this time it’s worked. I’m not sure how I managed to mess it up for the last few days, but I’ve started pretty much from scratch, created 2 network zones, 1 with just the IP of the client that needs access, and the other zone with all of 192.168.* except for that same client, and set up an allow rule for the 1 client and block for the rest, and it’s all working now.

Many thanks for your help and guidance, it’s been very much appreciated.

Cheers,
Andy.
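To make the two rule sets in this thread concrete, here is an added example (not Comodo/CIS code, and not Andy's or Radaghast's) of a toy first-match rule evaluator with network zones that support a "Not In" exclusion. It runs the two log lines Andy quoted against his original rules 2-5, and then runs a staff PC, a kids' PC and an outside source against the two-zone layout from his final post. Everything beyond the thread is an assumption and labelled as such: rules are tried top to bottom with the first match winning and an implicit block when nothing matches; the hostname-to-IP mapping is the one the log lines show; LAN #1 is treated as 192.168.0.0/24; rule 3's "Action: Any" is treated as allow (as Andy describes it); and 192.168.0.50 and 198.51.100.7 are constructed addresses. ICS NAT itself is not modelled, only the source addresses the logs report.

```python
"""Toy first-match firewall rule evaluator for the thread's rule sets.

Added example, not Comodo/CIS code. Assumptions: first match wins, implicit
block when no rule matches, LAN #1 ~ 192.168.0.0/24. ICS NAT is not modelled;
the source addresses fed in are the ones the thread's log lines show.
"""
import ipaddress
from dataclasses import dataclass

# Hostname -> IP taken from the thread's log lines (liquidlogic.co.uk was
# logged as 212.15.88.110). This toy resolver stands in for DNS.
HOSTS = {"liquidlogic.co.uk": "212.15.88.110"}


@dataclass(frozen=True)
class Zone:
    """A named set of networks, optionally minus excluded ones ('Not In')."""
    name: str
    networks: tuple
    exclude: tuple = ()

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(n) for n in self.exclude):
            return False
        return any(addr in ipaddress.ip_network(n) for n in self.networks)


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "block"
    protocol: str    # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: object      # Zone, "any", or a literal IP string
    dst: object      # Zone, "any", a literal IP, or ("host", hostname)
    label: str = ""  # the thread's own numbering, for readable verdicts


def _addr_matches(spec, ip: str) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, Zone):
        return spec.contains(ip)
    if isinstance(spec, tuple) and spec[0] == "host":
        return HOSTS.get(spec[1]) == ip
    return ipaddress.ip_address(spec) == ipaddress.ip_address(ip)


def evaluate(rules, proto: str, src: str, dst: str):
    """Return (action, label of the first matching rule) or ('block', None)."""
    for r in rules:
        if r.protocol != "ip" and r.protocol != proto.lower():
            continue
        if _addr_matches(r.src, src) and _addr_matches(r.dst, dst):
            return r.action, r.label
    return "block", None  # assumed implicit default


def parse_log_line(line: str):
    """Pull (protocol, src, sport, dst, dport) out of a CIS-style log line."""
    proto, src, sport, dst, dport = line.split()[-5:]
    return proto.lower(), src, int(sport), dst, int(dport)


def verdict_for_log_line(rules, line: str):
    proto, src, _sport, dst, _dport = parse_log_line(line)
    return evaluate(rules, proto, src, dst)


LAN = Zone("LAN #1", ("192.168.0.0/24",))          # listed as .1-.254 in the thread
STAFF = Zone("Staff PC", ("192.168.0.217/32",))
KIDS = Zone("Kids PCs", ("192.168.0.0/24",), exclude=("192.168.0.217/32",))
SITE = ("host", "liquidlogic.co.uk")

# Rules 2-5 of Andy's original list (rule 3's "Action: Any" treated as allow).
ORIGINAL_RULES = [
    Rule("allow", "ip", LAN, LAN, "rule 2"),
    Rule("allow", "ip", "192.168.0.217", SITE, "rule 3"),
    Rule("block", "ip", "any", SITE, "rule 4"),
    Rule("allow", "tcp", LAN, "any", "rule 5"),
]
WITHOUT_RULE3 = [r for r in ORIGINAL_RULES if r.label != "rule 3"]

# The two-zone layout from the final post: allow the staff zone, block the rest.
FIXED_RULES = [
    Rule("allow", "tcp", STAFF, SITE, "allow staff"),
    Rule("block", "tcp", KIDS, SITE, "block kids"),
    Rule("allow", "tcp", LAN, "any", "default allow"),
]

# Log lines quoted in the thread.
LOG_WITH_RULE3 = "Windows Operating System Blocked Out TCP 91.85.214.245 1103 212.15.88.110 80"
LOG_WITHOUT_RULE3 = "Windows Operating System Blocked In TCP 192.168.0.217 49635 212.15.88.110 80"

if __name__ == "__main__":
    # A request re-sourced to the ADSL address never matches rule 3 (source
    # 192.168.0.217), so the "any -> host" block in rule 4 fires, as logged.
    print(verdict_for_log_line(ORIGINAL_RULES, LOG_WITH_RULE3))    # ('block', 'rule 4')
    # Without rule 3 the LAN-sourced request is also blocked by rule 4, as logged.
    print(verdict_for_log_line(WITHOUT_RULE3, LOG_WITHOUT_RULE3))  # ('block', 'rule 4')
    # Final layout: staff PC allowed, a kids' PC blocked, other sites still fine.
    print(evaluate(FIXED_RULES, "tcp", "192.168.0.217", "212.15.88.110"))  # ('allow', 'allow staff')
    print(evaluate(FIXED_RULES, "tcp", "192.168.0.50", "212.15.88.110"))   # ('block', 'block kids')
    print(evaluate(FIXED_RULES, "tcp", "192.168.0.50", "198.51.100.7"))    # ('allow', 'default allow')
```

The point the evaluator makes visible is that an allow rule keyed on a single LAN source address can only ever match packets that still carry that source when the rule is tested, so a verdict that logs the external address was decided by a later, broader rule. Defining the zones so that the staff PC and the remaining LAN addresses are disjoint, and putting the narrow allow above the block, keeps the verdict independent of rule 4's "any" source.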