
RE: [FW1] Blocking Internet Access for specific IPs





     Thanks for all your help, but I am in more of a bind than just trying
to restrict access to the internet for a given number of IP addresses.
- I don't know if the firewall is properly executing the rules.  I want to
restrict x.x.3.1 thru x.x.3.7 from having any access outside the firewall.
Those IP addresses should only be allowed to "roam" within the network.
- The added complexity to this problem is that the "network" (i.e. the
intranet) is comprised of four class C subnets, i.e. x.x.1.x, x.x.2.x,
x.x.3.x, and x.x.4.x, where the 8 IP's that I want to restrict are part of
the third subnet.
- I don't, however, know how to create a rule that lists the network
(internet) outside of the intranet as a non-allowed service.  (From what I
understand about the firewall, any request originating from within the
intranet is going to be an allowed transaction.  It is only the "people"
that are trying to get in from the outside that need to conform to a rule or
port opening that was set up.)
- If it is as straightforward as creating a rule that says <From (x.x.3.1)>
-> <to Any> -> <reject>, then my firewall is not working properly.  I added
such a rule and it is not blocking traffic for those IP's requesting data
from the internet.

SNF

p.s. I must excuse my ignorance, but the guy who sold my institution the
firewall is no longer at the vendor and the new guy doesn't have a clue.  He
simply regurgitated the sales pitch from Checkpoint's website when I had
questions...  


-----Original Message-----
From: Michael Sleeper [mailto:Sleeper@co.richmond.ga.us]
Sent: Wednesday, September 01, 1999 2:03 PM
To: 'Netadmin'; Firewall-1 Mailing List (E-mail)
Subject: RE: [FW1] Blocking Internet Access for specific IPs



Are there only a few that you want to restrict?  Or are there only a few
you want to give outside access to?

You might try creating a network object entailing your 'Local_Network'.
I would then suggest creating a 'Privileged' group of network objects
entailing those IP's that are allowed to go outside your
'Local_Network'.

You may also wish to consider what 'Allowed_Services' (HTTP, FTP, IRC,
etc.) you want to allow your privileged group to use.

Two rules to accomplish your objective might be done as follows:

Rule  Source       -> Dest.                -> Services            -> Action

a)    Privileged   -> Any                  -> 'Allowed_Services'  -> allowed

b)    Any          -> NOT('Local_Network') -> Any                 -> Reject


This would prevent the non-privileged users from doing any
'Allowed_services' outside your network.
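
To check how a first-match rulebase like the one above behaves (and why a lone reject rule placed below a broad accept rule never fires), here is a small added Python evaluator; it is not from the thread, and the 10.0.N.0/24 addresses, the Privileged hosts and the extra rule c) are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

ANY = "any"   # stands in for the FW-1 'Any' object

def in_obj(addr, obj):
    # True if addr is covered by a network object (list of networks/hosts) or ANY.
    if obj == ANY:
        return True
    a = ip_address(addr)
    return any(a in ip_network(n) for n in obj)

class Rule(NamedTuple):
    name: str
    src: object
    dst: object
    services: object
    action: str
    negate_dst: bool = False   # models 'NOT(object)' in the destination column

def matches(rule, src, dst, service):
    dst_hit = in_obj(dst, rule.dst)
    if rule.negate_dst:
        dst_hit = not dst_hit
    svc_hit = rule.services == ANY or service in rule.services
    return in_obj(src, rule.src) and dst_hit and svc_hit

def evaluate(rulebase, src, dst, service):
    """First-match evaluation: return (rule name, action), or the implicit drop."""
    for r in rulebase:
        if matches(r, src, dst, service):
            return r.name, r.action
    return "implicit", "drop"

# Constructed addresses standing in for the x.x.N.x subnets in the thread.
LOCAL_NETWORK = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]
PRIVILEGED = ["10.0.1.10/32", "10.0.2.20/32"]   # hosts allowed to go outside
ALLOWED_SERVICES = {"http", "ftp"}

# Rules a) and b) from the reply, plus an assumed rule c) for intranet traffic
# (without it, internal-to-internal traffic would fall to the implicit drop).
RULEBASE = [
    Rule("a", PRIVILEGED, ANY, ALLOWED_SERVICES, "accept"),
    Rule("b", ANY, LOCAL_NETWORK, ANY, "reject", negate_dst=True),
    Rule("c", LOCAL_NETWORK, LOCAL_NETWORK, ANY, "accept"),
]

# Ordering matters: a 'x.x.3.1 -> Any -> reject' rule placed below a broad
# 'Local_Network -> Any -> accept' rule is shadowed and never fires.
SHADOWED = [
    Rule("1", LOCAL_NETWORK, ANY, ANY, "accept"),
    Rule("2", ["10.0.3.1/32"], ANY, ANY, "reject"),
]
```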


-----Original Message-----
From: Netadmin [mailto:snfettig.netadmin@hillsdale.edu]
Sent: Wednesday, September 01, 1999 9:21 AM
To: Firewall-1 Mailing List (E-mail)
Subject: [FW1] Blocking Internet Access for specific IPs



     I am definitely new to the Firewall game and am realizing this as the
days go by.  I want to configure the firewall to block all Internet access
for specific IPs within my domain.  For example, IP x.x.x.22 should be
allowed to converse/work within our four class C domains but not go out to
the internet (or outside of the firewall) for anything.  I.e. all traffic
from these specific IPs to outside the intranet should be blocked.  How
would I create a specific rule for that in FW-1 ver. 3.0a?
     Any help would be much appreciated.

SNF


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
