tolive

join:2006-10-17
Silver Spring, MD

USG50 Firewall Setting Question

I set up the above firewall rule to try to block internet access from all my home PCs during a defined schedule. While it does block most internet access, I found that the rule doesn't block a certain type of instant messenger (specifically "QQ", which is the most popular instant messenger in China). What's wrong with my rule settings?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Well, I would kind of reverse your rule.
I would state it as a LAN to WAN block.
If there is a particular PC (by IP) that you want to keep access for, just put an allow rule for that IP before the deny rule.

I am not sure what happens, however, in the case where someone has a session ongoing through the time period (when it goes from allowed to blocked).
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"



tolive

join:2006-10-17
Silver Spring, MD

Thanks!
For this specific rule, is there any difference between Any->WAN and LAN->WAN? My understanding was that the rule should have blocked all internet traffic (unless I had an allow rule set before it).

said by Anav:

Well, I would kind of reverse your rule.
I would state it as a LAN to WAN block.
If there is a particular PC (by IP) that you want to keep access for, just put an allow rule for that IP before the deny rule.

I am not sure what happens, however, in the case where someone has a session ongoing through the time period (when it goes from allowed to blocked).



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10


The problem is most likely with already established sessions when the rule is activated. This is a known issue: some existing sessions don't get killed right away (conclusive testing and proof required).



superataru

join:2004-12-07
Kearny, NJ

said by Brano:

The problem is most likely with already established sessions when the rule is activated. This is a known issue: some existing sessions don't get killed right away (conclusive testing and proof required).

It should work at the time you apply it.
Anyway, sometimes it fails...

polarisdb

join:2004-07-12
USA
reply to Brano

said by Brano:

The problem is most likely with already established sessions when the rule is activated. This is a known issue: some existing sessions don't get killed right away (conclusive testing and proof required).

I see that with the schedule I have set up to cut off my kids' internet access at night. Existing games, etc. continue to work just fine as long as the connection to the remote server was established before the scheduled firewall rule kicks in.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

Yep, I've just tried it myself and the FW rules don't seem to be applied to existing sessions, only to new ones.
...I've read through the CLI hoping there would be a switch to allow killing all active sessions from/to specified zones, but there seems to be none.

Just realized we've had this discussion already here: »USG100 - Weird (and frightening) firewall behavior

The problem is non-trivial; the perfect solution would be a "flush existing session table" command (or similar), but I can't find one.
A reboot or disabling/enabling the WAN interface seems to be the ugly alternative (the interface disable/enable could be scripted and scheduled; I've not tested this).
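The two things this thread turns on, Anav's ordering advice (an allow for one IP placed before the scheduled LAN-to-WAN deny) and Brano's and polarisdb's observation that a scheduled deny only hits new sessions until the session table is flushed, as a small Python model of a stateful firewall. This is an added example, not ZyXEL code and not a USG50 CLI transcript; the zone names, IP addresses, schedule window, the `flush_sessions` method (the command Brano could not find) and the implicit default action of "allow" are all constructed assumptions for illustration.

```python
"""Model of a stateful firewall with scheduled, first-match rules.

Added example, not ZyXEL/USG50 code. It shows why a session opened
before a scheduled deny window keeps flowing inside the window, and
why only a session-table flush makes the deny apply to it.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str                       # "LAN", "WAN" or "any"
    dst_zone: str
    action: str                         # "allow" or "deny"
    src_ip: Optional[str] = None        # None = any source IP
    active_from: Optional[time] = None  # None = always active
    active_to: Optional[time] = None

    def is_active(self, now: time) -> bool:
        if self.active_from is None or self.active_to is None:
            return True
        if self.active_from <= self.active_to:
            return self.active_from <= now < self.active_to
        # window wraps midnight, e.g. 22:00 to 06:00
        return now >= self.active_from or now < self.active_to

    def matches(self, src_zone: str, dst_zone: str, src_ip: str) -> bool:
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone == dst_zone
                and (self.src_ip is None or self.src_ip == src_ip))


@dataclass
class Firewall:
    rules: list
    # session key: (src_zone, src_ip, dst_ip, dst_port)
    sessions: set = field(default_factory=set)

    def policy(self, src_zone: str, dst_zone: str, src_ip: str, now: time) -> str:
        # first matching *active* rule wins; an allow placed above the
        # deny therefore exempts that IP (Anav's ordering advice)
        for rule in self.rules:
            if rule.is_active(now) and rule.matches(src_zone, dst_zone, src_ip):
                return rule.action
        return "allow"  # assumed implicit default for the model

    def packet(self, src_zone: str, dst_zone: str, src_ip: str,
               dst_ip: str, dst_port: int, now: time) -> str:
        key = (src_zone, src_ip, dst_ip, dst_port)
        if key in self.sessions:
            # stateful fast path: the rule table is NOT consulted again,
            # so a schedule change does not touch an established flow
            return "allow (existing session)"
        verdict = self.policy(src_zone, dst_zone, src_ip, now)
        if verdict == "allow":
            self.sessions.add(key)
        return verdict

    def flush_sessions(self, src_zone: Optional[str] = None) -> int:
        # hypothetical "flush existing session table" command; after it,
        # the next packet of every flow is re-evaluated against the rules
        doomed = {s for s in self.sessions if src_zone is None or s[0] == src_zone}
        self.sessions -= doomed
        return len(doomed)


def demo() -> dict:
    """Walk one evening through the scenario described in the thread."""
    fw = Firewall(rules=[
        Rule("LAN", "WAN", "allow", src_ip="192.168.1.10"),            # exempt PC, above the deny
        Rule("LAN", "WAN", "deny", active_from=time(22, 0), active_to=time(6, 0)),
    ])
    kid, exempt, chat_srv, other_srv = "192.168.1.20", "192.168.1.10", "203.0.113.5", "203.0.113.6"
    r = {}
    # 21:30: the messenger connects before the deny window starts
    r["before_window"] = fw.packet("LAN", "WAN", kid, chat_srv, 443, time(21, 30))
    # 23:00: the same flow is still passed, the schedule never re-checked
    r["existing_in_window"] = fw.packet("LAN", "WAN", kid, chat_srv, 443, time(23, 0))
    # 23:00: a brand-new connection from the same PC is denied
    r["new_in_window"] = fw.packet("LAN", "WAN", kid, other_srv, 443, time(23, 0))
    # 23:00: the exempted PC still gets out because its allow precedes the deny
    r["exempt_in_window"] = fw.packet("LAN", "WAN", exempt, chat_srv, 443, time(23, 0))
    # flush the LAN session table, then the old flow is re-evaluated and denied
    r["flushed"] = fw.flush_sessions("LAN")
    r["existing_after_flush"] = fw.packet("LAN", "WAN", kid, chat_srv, 443, time(23, 0))
    return r


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:22s} -> {verdict}")
```

The interface disable/enable workaround mentioned above has the same effect as `flush_sessions` in this model: it drops every session through that interface, so the next packet of each flow goes back through the rule table, where the now-active deny catches it. The cost is that the exempted PC's flows are dropped too and must reconnect, which is why a per-zone or per-rule flush would be the cleaner fix.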