batsona (Ellicott City, MD) | [northeast] How to block outbound traffic...
**rant-on** OK, I want to throw the Actiontec into the driveway and run over it. I need money for a good Cisco ASA, or a Juniper SSG5... At least I'd know how to run those **rant-off**
OK, that's out of my system. Now, I need to block access to a certain website that my daughter's spending too much time on. I've tried creating rules in every one of the 'sections' for the outbound traffic on the Actiontec, but I can still browse to the sites with the greatest of ease (see attachment). Can someone show me what I'm doing wrong? I'm using the syntax of an existing inbound rule that does work. There's got to be a fundamental that I'm not getting here. (Just like the implicit accept at the end of the rules, instead of the implicit deny.)
I already know I've got the right IPs for the website...
redmond (Wayne, PA): I use OpenDNS to do that.....
jefe (Northport, NY), reply to batsona: Have you tried the Parental Control feature? It seems like that will do exactly what you're trying to do.
birdfeedr (Warwick, RI), reply to batsona:
[attachment: Advanced Filter Rule]
Your attachment does not have a rule, therefore it is not blocking anything. The attached screenshot shows a rule that blocks access to dslreports.com, until it is disabled.
I created it by going to Firewall Settings > Advanced Filtering > Add to Broadband Connection (Ethernet) Rules: Source Address Any; Destination Specify; Add Network Object; Specify Hostname: dslreports.com; Apply; Protocol Any; Drop; Always; Apply; Apply. You know you got it right when you get back to the nag screen to enter Firewall Settings.
If you can handle a Cisco, you can follow these keywords. Unless you want a step-by-step with screenshots.
Not sure if Parental Controls does the same thing. The more you add to the rule, the more complex (and performance-draining) it gets. It's possible to add a schedule.
And I don't even remember why I set Rule #0.
In this process, the hostname specification ends up resolving to an IP address. You'll have more problems if the destination you're blocking is dynamic.
batsona (Ellicott City, MD):
OK - fixed it. However, I'm convinced that the people who develop firmware for the Actiontec have never seen, nor played with, a router, nor are they familiar with basic concepts...
I put my rule in the Ethernet section of the "Input" rules. The explanation says this is where you block traffic inbound from the Internet... This is apparently not true. The "Input" section means traffic inbound on ANY interface (including the internal Ethernet).
If you pay attention to the little explanations, you'll never get it right: "inbound" (from the Internet) means inbound on ANY interface, and "outbound" (to the Internet) means outbound on ANY interface. Anyway, attached is my rulebase. Maybe this is a problem in revision E?
birdfeedr (Warwick, RI), reply to batsona (1 edit):
said by batsona: "I put my rule in the Ethernet section of the "Input" rules. The explanation says this is where you block traffic inbound from the Internet... This is apparently not true. The "Input" section means traffic inbound on ANY interface (including the internal Ethernet). If you pay attention to the little explanations, you'll never get it right: "inbound" (from the Internet) means inbound on ANY interface, and "outbound" (to the Internet) means outbound on ANY interface. Anyway, attached is my rulebase. Maybe this is a problem in revision E?"
The inbound filter seems applicable to banning unsolicited traffic from a particular address. Say you have a server listening and wanted to ban a particular address. That's inbound. However, traffic coming in as a result of something originated going out may have a higher/different priority, so the inbound filter doesn't apply.
Outbound filter definitely works. When I banned traffic out to dslreports, nothing got out that dslreports could reply to. The hourglass was spinning forever, at least until I disabled the rule.
If you're trying to stop website access, apply an outbound filter.
[edit to add] Looking at your Ethernet filter rules, looks like you want to block access to Disney, among others. You can create the same rules in outbound WAN PPPoE, for all, some, or one PC on the LAN. Outbound is where I'd put them.
You're not the first to say the Actiontec GUI is counterintuitive.
batsona (Ellicott City, MD):
You're correct: [outbound] PPP, or [inbound] Ethernet, were the two places where my rule actually worked. The way the logic works [at least on Cisco devices], you always block traffic *inbound* through an interface, not outbound through it. That's why it seems counterintuitive...
Anyway, now that I see how this works, we can call this solved, but I'm still gritting my teeth.
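To make the placement question concrete, here is a small Python model of per-interface, per-direction packet filtering. It is an added illustration written for this thread, not code from Actiontec, Cisco, or any poster. It assumes Linux-style interface names (eth0 for the LAN, ppp0 for the WAN), constructed addresses, first-match rules with the implicit accept batsona mentions, and birdfeedr's observation that replies to a session the LAN originated are let in before the inbound filter is consulted. It also models the caveat that a hostname network object is resolved to an address once, when the rule is created.

```python
"""Toy model of interface/direction packet filtering, added to illustrate the
thread above.  Not Actiontec firmware or Cisco code; interface names,
addresses and the stateful-bypass behaviour are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

LAN = "eth0"              # assumed name for the internal Ethernet interface
WAN = "ppp0"              # assumed name for the broadband PPPoE interface
CLIENT = "192.168.1.10"   # constructed LAN host address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str        # interface the packet is crossing
    direction: str    # "in" = entering the router on iface, "out" = leaving via iface


@dataclass
class Rule:
    iface: str
    direction: str
    action: str                             # "drop" or "accept"
    src: Optional[FrozenSet[str]] = None    # None means any address
    dst: Optional[FrozenSet[str]] = None
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled or (self.iface, self.direction) != (pkt.iface, pkt.direction):
            return False
        if self.src is not None and pkt.src not in self.src:
            return False
        if self.dst is not None and pkt.dst not in self.dst:
            return False
        return True


def resolve(hostname: str, dns: Dict[str, List[str]]) -> FrozenSet[str]:
    """A hostname network object is resolved once, when the rule is created."""
    return frozenset(dns[hostname])


class Router:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.established = set()   # (lan_host, remote) pairs the LAN side opened

    def filter(self, pkt: Packet) -> str:
        # Assumption from the thread: replies to a LAN-originated connection
        # are accepted before the inbound filter is consulted.
        if pkt.iface == WAN and pkt.direction == "in" and (pkt.dst, pkt.src) in self.established:
            return "accept"
        for rule in self.rules:             # first match wins...
            if rule.matches(pkt):
                return rule.action
        return "accept"                     # ...with an implicit accept at the end

    def lan_client_connects(self, remote: str) -> bool:
        """CLIENT opens a connection to remote: the SYN enters on LAN, leaves on
        WAN, and the reply comes back in on WAN.  True if it completes."""
        for hop in (Packet(CLIENT, remote, LAN, "in"), Packet(CLIENT, remote, WAN, "out")):
            if self.filter(hop) == "drop":
                return False
        self.established.add((CLIENT, remote))
        return self.filter(Packet(remote, CLIENT, WAN, "in")) == "accept"


DNS = {"dslreports.com": ["203.0.113.5"]}   # constructed, not the real address


def placement_results() -> Dict[tuple, bool]:
    """Put the same 'drop dslreports.com' rule in each interface/direction slot
    and report which placements actually stop the LAN client."""
    target = resolve("dslreports.com", DNS)
    results = {}
    for iface in (LAN, WAN):
        for direction in ("in", "out"):
            router = Router([Rule(iface, direction, "drop", dst=target)])
            results[(iface, direction)] = not router.lan_client_connects("203.0.113.5")
    return results


def src_rule_on_wan_inbound_blocks() -> bool:
    """A WAN-inbound rule keyed on the site as *source* still lets a
    LAN-originated session through, because the reply counts as established."""
    router = Router([Rule(WAN, "in", "drop", src=resolve("dslreports.com", DNS))])
    return not router.lan_client_connects("203.0.113.5")


def stale_resolution_leaks() -> bool:
    """Hostname resolved at rule creation: when the site moves, the rule keeps
    dropping the old address and the new one gets through."""
    dns = {"cdn.example": ["198.51.100.7"]}            # constructed
    router = Router([Rule(WAN, "out", "drop", dst=resolve("cdn.example", dns))])
    blocked_before = not router.lan_client_connects("198.51.100.7")
    dns["cdn.example"] = ["198.51.100.8"]              # site changes address
    leaks_after = router.lan_client_connects("198.51.100.8")
    return blocked_before and leaks_after


if __name__ == "__main__":
    for (iface, direction), blocked in placement_results().items():
        print(f"drop rule at {iface} {direction:3}: {'blocks' if blocked else 'does not block'}")
    print("WAN-inbound source rule blocks:", src_rule_on_wan_inbound_blocks())
    print("hostname rule leaks after address change:", stale_resolution_leaks())
```

Under this model only the two placements batsona found (inbound on the LAN interface, outbound on the WAN interface) ever see a packet whose destination is the website; the other two slots only ever carry packets addressed to the LAN client, and an inbound-from-the-Internet rule keyed on the site's address is skipped anyway because the reply belongs to an established session. The last function shows birdfeedr's dynamic-destination warning: the rule holds whatever address the hostname resolved to when it was created.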
jefe (Northport, NY): I still think Parental Controls would've done what you needed, and without any gritting of teeth.
birdfeedr (Warwick, RI):
Parental Control is the only feature that says there may be a slight performance hit when you create the rule. It's more complex because of the schedule and keyword filtering.
A simpler address-based filter, once working, may be worth the aggravation of gritted teeth.