JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

From: Ray Soucy <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Mon, 9 Jan 2012 15:06:19 -0500
Content-Type: text/plain

Well, it "should" work on LOW.  In fact we had MECnet explicitly fix
that at one point, but it apparently isn't working that way anymore.

I'm not sure if it will work on MED, either.  It appears to have
reverted to applying Open Port rules after Closed Port rules (which
doesn't seem very useful).

Has anyone seen this problem on a MED policy level?

On Mon, Jan 9, 2012 at 2:53 PM, James Jalbert <[log in to unmask]> wrote:
> Thanks Ray,
>
> I was pretty sure about how the filter worked. I have set up a group to do
> different filtering, and remember that my issue was I did not move it
> above Private LAN.
>
> Here is my question
> If you block Facebook by blocking its IP networks in the firewall,
> then you will also need to create a rule to bypass that block for a
> specific group.
>
> Does the firewall have to be on Medium for this to work? I have tried to do
> an open port rule for IT_Test to Facebook allowing 443 and it did not work.
> Chris from Network Maine just e-mailed that he set up two open port rules,
> one from IT_Test to Facebook, and one from Facebook to IT_Test allowing all
> traffic, and those did not work either.
>
> James Jalbert
> Network Administrator
> Eastern Aroostook RSU #39
> Phone: 207-493-4246
> E-Mail: [log in to unmask]
>
>>>> Ray Soucy <[log in to unmask]> 1/9/2012 2:44 PM >>>
>
> Hi James, (responses inline).
>
> On Mon, Jan 9, 2012 at 2:08 PM, James Jalbert <[log in to unmask]> wrote:
>> I am in hopes that someone out there can help me with this, here is the
>> issue
>>
>> First off the easy one: I have a group that I would like completely open
>> on both filtering and firewall. This network has its own filter and firewall
>> in place, and I want to make sure that NOTHING is blocked to or from this
>> site. I am assuming that an open port rule of Everyone Else to "this Group"
>> allowing all protocols is what I want? I also assume that I will need one
>> for "this Group" to Everyone Else to allow all out? By the way, our firewall
>> is still at Low, but looking to move it to Medium for everyone but "this
>> group".
>
> Yes, you can create a group for the purpose of not filtering anything
> for its members.
>
> You can also create an Open Port rule to allow all traffic to that
> group (which has the same effect as using a Low policy level).  A rule
> to allow all traffic from the group would only be necessary with a
> High policy level; Low and Medium already allow all outgoing traffic.
>
>> Second, and I think this is more complicated. Thanks to Vince for providing
>> me with the Facebook networks, so I can block all https traffic to their
>> servers; this has worked great! However, I did set this up using a Facebook
>> group with the networks as members. I set a closed port rule to say all
>> source from Private LAN to Facebook on tcp 443 is blocked. Now my issue comes
>> in that we are looking to create a group for admins to allow them to get to
>> Facebook. The issue I am having is that when I create the group, enter in
>> the IPs for the machines, then test it, I get the following results.
>> Facebook is unblocked, I am able to get to the login site, I log in to
>> Facebook, and my browser just spins, and spins, and spins..., then I get
>> the connection timed out page. My thought is that the content filter is
>> going down the list of groups, finds me in my test group, and runs that
>> content filter allowing me to Facebook, but then is seeing my IP in the
>> Private LAN group, which has port 443 to Facebook closed? Does this sound
>> right? Why is the firewall blocking me on a group that has no closed port
>> rule associated to it? Any thoughts on this would be great. What would my
>> best way around this issue be?
>
> Web filtering and the firewall are different things, and work in
> slightly different ways.
>
> If you block Facebook by blocking its IP networks in the firewall,
> then you will also need to create a rule to bypass that block for a
> specific group.
>
> Also note that group order matters.  MECguard will apply filtering for
> the first group it matches.  So if you have a group with an entire
> network defined before one with a specific IP address, it will always
> use the first group (and not the more specific group).  You can use
> the arrow buttons to re-order groups.  Be sure to re-start both
> MECguard and the Firewall after doing so.
>
> Also, after making major changes, it's not a bad idea to use the
> "re-initialize" button after applying changes; the firewall engine
> still has outstanding issues with dynamically applying changes that
> MECnet has been unable to resolve for us.
>
>> Thanks in advance everyone.
>>
>>
>>
>> James Jalbert
>> Network Administrator
>> Eastern Aroostook RSU #39
>> Phone: 207-493-4246
>> E-Mail: [log in to unmask]
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
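As an added illustration (not code from this list, from MECguard or from Networkmaine), here is a small Python model of the two ordering effects discussed in the thread: the web filter picks the first group that contains a client address, so a site-wide group listed before a more specific one always wins, and firewall rules are evaluated in sequence, so an Open Port bypass rule placed after a Closed Port rule is never reached. The group names, networks, and the first-match semantics are assumptions constructed for the example.

```python
import ipaddress

# Constructed model of first-match ordering; group names and networks are
# placeholders, and the evaluation order mirrors the behaviour described
# in the thread rather than any documented MECguard/firewall internals.
GROUPS = {
    "Private LAN": ["10.0.0.0/8"],      # whole site network
    "IT_Test": ["10.1.2.50/32"],        # one admin workstation inside it
}
FACEBOOK = ["203.0.113.0/24"]           # placeholder for the blocked networks


def in_nets(ip, nets):
    """True if ip falls inside any of the CIDR networks in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def filter_group(ip, order):
    """Web filter: the first group in `order` containing ip is the one applied."""
    for name in order:
        if in_nets(ip, GROUPS[name]):
            return name
    return None


def firewall_verdict(src_ip, dst_ip, port, rules):
    """Firewall: rules are checked in the order given; the first rule whose
    source group contains src_ip and whose destination/port match decides.
    Nothing matching means the default allow for outgoing traffic (Low/Medium)."""
    for kind, group, dst_nets, rule_port in rules:
        if in_nets(src_ip, GROUPS[group]) and in_nets(dst_ip, dst_nets) and rule_port == port:
            return "allow" if kind == "open" else "block"
    return "allow"


CLOSED = ("closed", "Private LAN", FACEBOOK, 443)   # site-wide block of 443 to Facebook
OPEN = ("open", "IT_Test", FACEBOOK, 443)           # intended bypass for the admin group

if __name__ == "__main__":
    admin, fb = "10.1.2.50", "203.0.113.10"
    print(filter_group(admin, ["Private LAN", "IT_Test"]))   # Private LAN: broad group shadows IT_Test
    print(filter_group(admin, ["IT_Test", "Private LAN"]))   # IT_Test: specific group listed first
    print(firewall_verdict(admin, fb, 443, [CLOSED, OPEN]))  # block: bypass rule is never reached
    print(firewall_verdict(admin, fb, 443, [OPEN, CLOSED]))  # allow: bypass rule evaluated first
```

Re-ordering the groups fixes the filter side; the firewall side only works if open rules are consulted before closed ones, which is the ordering Ray says the engine has reverted away from.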
