JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

From: Ray Soucy <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Mon, 9 Jan 2012 14:44:30 -0500

Hi James, (responses inline).

On Mon, Jan 9, 2012 at 2:08 PM, James Jalbert <[log in to unmask]> wrote:
> I am in hopes that someone out there can help me with this, here is the
> issue
>
> First off the easy one, I have a group that I would like completely open on
> both filtering and firewall. This network has its own filter, and firewall
> in place, and I want to make sure that NOTHING is blocked to or from this
> site? I am assuming that an open port rule of Everyone Else to "this Group"
> allowing all protocols is what I want? I also assume that I will need one
> for "this Group" to Everyone Else to allow all out? By the way, our firewall
> is still at low, but looking to move it to medium, for everyone but "this
> group".

Yes, you can create a group for the purpose of not filtering anything
for its members.

You can also create an Open Port rule to allow all traffic to that
group (which has the same effect as using a Low policy level).  A rule
to allow all traffic from the group would only be necessary with a
High policy level; Low and Medium already allow all outgoing traffic.

> Second, and I think this is more complicated. Thanks to Vince for providing
> me with the Facebook Networks, so I can block all https traffic to their
> servers, this has worked great! However, I did set this up using a Facebook
> group with the network as members. Set a closed port rule to say all source
> from Private Lan to Facebook on tcp 443 is blocked. Now my issue comes in
> that we are looking to create a group for admins to allow them to get to
> Facebook. The issue I am having is that when I create the group, enter in
> the IPs for the machines, then test it, I get the following results.
> Facebook is unblocked, I am able to get to the login site, I login to
> Facebook, and my browser just spins, and spins, and spins..., then I get
> the connection time out page. My thought is that the content filter is going
> down the list of groups, finds me in my test group, and runs that content
> filter allowing me to Facebook, but then is seeing my ip in the Private Lan
> group, which has port 443 to Facebook closed? Does this sound right? Why is
> the firewall blocking me on a group that has no closed port rule associated
> to it? Any thoughts on this would be great. What would my best way around
> this issue be?

Web filtering and the firewall are different things, and work in
slightly different ways.

If you block Facebook by blocking its IP networks in the firewall,
then you will also need to create a rule to bypass that block for a
specific group.

Also note that group order matters.  MECguard will apply filtering for
the first group it matches.  So if you have a group with an entire
network defined before one with a specific IP address, it will always
use the first group (and not the more specific group).  You can use
the arrow buttons to re-order groups.  Be sure to re-start both
MECguard and the Firewall after doing so.

Also, after making major changes, it's not a bad idea to use the
"re-initialize" button after applying changes; the firewall engine
still has outstanding issues with dynamically applying changes that
MECnet has been unable to resolve for us.

> Thanks in advance everyone.
>
>
>
> James Jalbert
> Network Administrator
> Eastern Aroostook RSU #39
> Phone: 207-493-4246
> E-Mail: [log in to unmask]
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
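The first-match group ordering Ray describes, as a small added model (not MECguard's code and not part of the thread): a broad "Private LAN" group listed before the more specific "Admins" group captures the admin host, so the Private LAN closed-port rule applies; reordering fixes it. The 203.0.113.0/24 network and the 10.0.0.0/16 LAN are constructed stand-ins for the real Facebook and site networks.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: list                 # ipaddress networks that define membership
    closed: list = field(default_factory=list)  # (dest_network, tcp_port) pairs blocked


def find_group(groups, src_ip):
    """Return the first group whose membership contains src_ip (first match wins)."""
    ip = ipaddress.ip_address(src_ip)
    for g in groups:
        if any(ip in net for net in g.members):
            return g
    return None


def is_blocked(groups, src_ip, dst_ip, port):
    """Apply only the matched group's closed-port rules to a src->dst:port flow."""
    g = find_group(groups, src_ip)
    if g is None:
        return False
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in net and port == p for net, p in g.closed)


# Constructed sample data (not real Facebook or site addresses).
FACEBOOK_NET = ipaddress.ip_network("203.0.113.0/24")
private_lan = Group("Private LAN", [ipaddress.ip_network("10.0.0.0/16")],
                    closed=[(FACEBOOK_NET, 443)])
admins = Group("Admins", [ipaddress.ip_network("10.0.5.20/32")])


def order_matters():
    """Same admin host, same rules; only the group order differs."""
    src, dst = "10.0.5.20", "203.0.113.10"
    broad_first = [private_lan, admins]      # misordered: /16 group before admin host
    specific_first = [admins, private_lan]   # fixed: specific group listed first
    return (find_group(broad_first, src).name, is_blocked(broad_first, src, dst, 443),
            find_group(specific_first, src).name, is_blocked(specific_first, src, dst, 443))


if __name__ == "__main__":
    print(order_matters())  # ('Private LAN', True, 'Admins', False)
```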
