Author Topic: Firewall configuration to deny internet access for some devices  (Read 4396 times)

knstvk

Firewall configuration to deny internet access for some devices
« on: January 28, 2013, 07:24:00 pm »
Hi

I have Zentyal 3.0.10 running on my home network as a gateway. Everything is fine, except that I can't do one simple thing: I want to disable internet access for a couple of my devices.

I've created the network object "Test" with their IPs and MACs.

When I create the firewall rule for "Internal networks" that disables Any service for "Test" source and Any destination, nothing happens. Ok, I modify the default Allow rule and make it for "not-Test". So I have ALLOW for all but Test, and DENY for Test. It still doesn't work, my Test devices have internet access.

Then I create the rule for "Internal networks to Zentyal" that denies Any service for source "Test". It works, Test now can't reach the internet, but at the same time it can't reach the local services running on Zentyal. This is not very good for me.

What am I doing wrong?
BTW, transparent proxy is on, maybe this is the cause?

Thanks.

christian

Re: Firewall configuration to deny internet access for some devices
« Reply #1 on: January 29, 2013, 06:18:04 am »
I think you're facing at least one (little) problem here:
- the very first one is that you need, especially when discussing firewalls, more accurate wording. Trust me, this is not nitpicking  ;) "deny internet access" has very little meaning when it comes to configuring a firewall. You do have to specify the protocol or at least the service you want to use while accessing the internet. Is it HTTP, FTP, mail, SSH or even CIFS?

Then the answer to your question is within the second part of your post:
- when using a proxy (so let's assume the protocol you want to control is HTTP), clients do not access the internet but rely on a service running server side (here on Zentyal). Thus what you have to control is not "access to internet" but access to this service (here "proxy").
As you are using a transparent proxy, I suppose there is no choice but configuration at the firewall level  :-[

Sam Graf

Re: Firewall configuration to deny internet access for some devices
« Reply #2 on: January 29, 2013, 04:54:22 pm »
What am I doing wrong?

In addition to christian's comments, let me add that if the goal is to block Web access for a couple of your devices (which I'm going to assume for now since you mention the proxy), I would choose proxy access rules over firewall rules. Unless I'm mistaken (I'm not at my 3.0 test server at the moment :-[ ), you can control object access under a transparent proxy, but not group access.

Which brings up one additional detail. To ensure that the target devices are actually members of the intended object, you have to add the object to DHCP, so that the correct addresses are leased to the devices. The object alone can't do this.

christian

Re: Firewall configuration to deny internet access for some devices
« Reply #3 on: January 29, 2013, 06:17:12 pm »
Moving ahead in the same direction, let me then add another comment on top of Sam's one  ;D

Controlling use of the HTTP proxy using IP addresses is achievable (as described by Sam) but very unreliable: you will have to associate IP addresses with MAC addresses, and maintain a group of IPs within a specific group that will be denied use of the HTTP proxy.
So far so good but:
- how can you ensure that the IP will not be changed on this device (e.g. not using DHCP or even changing the MAC address)?
- even without changing the IP, how will you ensure that the user supposed to use this device will not use another one? (although I'm not sure this is your goal)

Sam Graf

Re: Firewall configuration to deny internet access for some devices
« Reply #4 on: January 29, 2013, 06:40:40 pm »
Any address-based approach is vulnerable. Given Zentyal's limitations, any authentication-based approach is subject to possibly unforeseen, non-trivial complications. There is no free lunch in either case. :)

That said, under the address-based access control scheme, one can choose whether the most effective route is to deny certain devices, to allow certain devices, or to use some combination of these. It depends on the nature of the home network.

christian

Re: Firewall configuration to deny internet access for some devices
« Reply #5 on: January 29, 2013, 07:01:19 pm »
Sam, you're not wrong  8)
We are once again back to this debate like almost every time when there is a new topic about HTTP proxy  :)  :)

Your position is that authentication is too complex.
Mine is that controlling device access to the proxy is often not the real goal but a trade-off for people not willing to implement an explicit proxy with authentication.

However I don't think this is due to a Zentyal limitation but more a matter of philosophy: the "easy" way is IP based but, as you say, there is no such thing as a free lunch.

At least I hope it helps other Zentyal users to make their own choice once they understand pros & cons of each approach.

Back to the IP based approach: yes, you can either allow or deny or even mix, but this will be reliable only once you fully control the devices and ensure neither the IP address nor the MAC address can be changed, and also ensure that users can't authenticate from a device (s)he is not supposed to use.

Sam Graf

Re: Firewall configuration to deny internet access for some devices
« Reply #6 on: January 29, 2013, 07:27:04 pm »
My position is that given the tools Zentyal provides (or, rather, does not provide) and the varied nature of device operating systems, user/machine authentication (it is both, after all, since any recent device that is powered up legitimately can, and will, attempt Internet access even if no user has touched it in days) is in fact complex. It is this combination of attended and unattended authentication that helps to make things complex.

I have never said (or never should have said) that user-machine authentication is too complex. But when something is practical only by hand modification of a Zentyal server, then we have yet to make it as simple as possible in the Zentyal tradition--a limitation of Zentyal to the extent that Zentyal can mitigate the complexity. It's not a criticism, just a fact.

That said (again, and again, and again), knstvk has begun the request for help with a transparent proxy. Unless we assume knstvk has made an uninformed choice, there is no need to rehash the problems of both kinds of access control. We risk getting ahead of the user if we do. IMHO, of course. :)

christian

Re: Firewall configuration to deny internet access for some devices
« Reply #7 on: January 29, 2013, 10:05:01 pm »
I understand this but I do not believe that 100% of those having selected transparent proxy design do this because they understand pros & cons.

I would say that perhaps 30% do understand what this means (from a technical standpoint), what it provides and what it does not.
Most of the others select the transparent proxy because this looks like the easiest solution (and then they ask how they could control HTTPS  ::)) while some others go for this design because they are lazy   :P
On top of that, the Zentyal documentation is (was? I don't know with the new doc) promoting the transparent proxy.

That is the reason why I suppose (perhaps I'm wrong) that it is almost always worth highlighting the differences between these 2 designs when it applies.

I also can't refrain from reacting when I read stuff like authentication or access control based on device.  :-[
But I'm perhaps totally wrong and should rather trust users once they have selected their design...  ???

Sam Graf

Re: Firewall configuration to deny internet access for some devices
« Reply #8 on: January 29, 2013, 10:55:01 pm »
I understand. At the same time, if we say, "Well, use explicit proxy because that is the 'proper' way to accomplish your goal" and several things break, we have risked too much or been too casual about the state of the user's network, in my opinion. We have risked leaving the user with a false impression that explicit proxy carries no complications.

Better to trust the user up front and then let the discovery process work, in my opinion. We don't know enough to do otherwise safely. (If people on my home network were spoofing MAC addresses and fiddling with DHCP settings to get around the simple access restrictions home routers offer, there would be fewer users on my home network. It's that simple. Not everybody has a home server, after all.)

Anyway, this is academic. We agree that there is no free lunch regardless of the solution chosen. If a user starts with a transparent proxy and discovers it to be inadequate, then it makes sense to take the next steps. Outside trying to "convert" someone away from ever using a transparent proxy even to get started, there is no good reason I can think of to press the point until after the user discovers s/he has a problem that can only be solved by using an explicit proxy. Again, just my opinion.

knstvk

Re: Firewall configuration to deny internet access for some devices
« Reply #9 on: January 30, 2013, 07:42:18 pm »
Hi guys,
thank you for the explanation, now I understand that things are much more complicated than they seem at first.

But let me return to my problem. As Christian suggested, I've created a Proxy service (TCP/3128) and denied access to it for my Test object in "Internal networks to Zentyal". It didn't help. Only denying All services does the job. Maybe I understood something wrong?

As for my goals, I think they are not that unique: I want to restrict from time to time the internet access for my children, to save them from distractions and make them more focused on their school tasks. Changing IP/MAC addresses is definitely not an issue, as well as access from other devices; things are not so serious.

It would also be great if Zentyal could automatically switch firewall rules on/off on a time basis, but as I understand it is possible only for Proxy rules.

Regarding the non-transparent proxy, I would avoid using it at any cost. Some time ago at my previous job I had regular problems when some programs couldn't access the internet through it. Maybe this is not an issue for a home network, but anyway I think it requires too complicated a setup.
I understand that HTTPS bypasses the transparent proxy, this is the reason why I try to set up Firewall rules. BTW, is it possible to deny HTTPS for an IP/MAC at all? My short experiments weren't successful.

christian

Re: Firewall configuration to deny internet access for some devices
« Reply #10 on: January 30, 2013, 10:10:13 pm »
The reason why your rule doesn't work is that you misunderstand which one should be applied. Do not take it the wrong way (and I don't want to open again the debate transparent vs. explicit proxy) but as your choice is to go for a transparent proxy, then you need to apply a rule implementing port 80.
This is because the browser tries to access the internet, most of the time on port 80, and the request is transparently redirected to the proxy, but this is done at the Zentyal server level. Externally (I mean from the LAN), port 3128 is unknown.

BTW, I'm not pushing you, neither anyone, to use explicit proxy. If transparent proxy fits your needs, perfect  ;D
« Last Edit: January 30, 2013, 10:13:16 pm by christian »

Sam Graf

Re: Firewall configuration to deny internet access for some devices
« Reply #11 on: January 30, 2013, 11:03:55 pm »
Just to repeat one thing and to note something. Note first: Unless I'm mistaken, the firewall will block traffic on port 80 as long as it isn't directly or indirectly (by an "any" rule) allowed. In other words, by default, with no rules in place, the firewall is already blocking all client traffic. And there is no need to allow the proxy port in the firewall.

The repeat: The proxy has an access rules feature that allows blocking or allowing HTTP traffic by object, including by time. I would explore that option if it were me (and in fact do that very thing on my 3.0 test server in the case of my "captive portal" object, in order to disallow access during non-business hours).

EDIT: It would be nice if I were a little more complete. The option still exists to block HTTPS traffic for the object at the firewall level. For kids, that might work fine to have that always in force. I am thinking primarily of the time feature of the proxy access rules that will make it possible to automate access--a "the Internet is now open!" option not requiring manual intervention. That may not work (it may be necessary to do this manually because of your situation), but I did want to point out the option.
« Last Edit: January 30, 2013, 11:13:14 pm by Sam Graf »

knstvk

Re: Firewall configuration to deny internet access for some devices
« Reply #12 on: January 31, 2013, 07:45:18 pm »
It seems that I have found the proper setup for my situation.
I make the Proxy explicit, configure access through it on my children's devices (which is actually not so hard), and add Firewall rule to deny all access for them in Internal networks.
Other devices go to the internet directly without restrictions. All time-based and url-based configuration is on the Proxy level.

Thank you for pointing me in the right direction :)
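The setup knstvk settles on above has two layers: a firewall that denies the "Test" object any forwarded traffic while still letting it reach the explicit proxy on the gateway, and proxy access rules that carry the time-based policy. The following is an added example, not code from the thread or from Zentyal, that models those two layers so the interaction can be checked: which requests the firewall drops, which reach the proxy, and what the proxy decides at a given time of day. Every address, object membership, port and time window is a constructed assumption; "Internal networks" and "Internal networks to Zentyal" are modelled as two first-match rule sets with a default deny, which is how Sam describes the firewall's default above.

```python
"""Model of a two-layer policy: gateway firewall plus explicit proxy with
time-based access rules.  Constructed example; all addresses, object
memberships, ports and time windows are assumptions, not Zentyal's config."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Network objects (assumed).  Zentyal objects are lists of IP/MAC members;
# here they are modelled as IP networks only.
OBJECTS = {
    "Test": [ip_network("192.168.1.50/32"), ip_network("192.168.1.51/32")],
    "LAN":  [ip_network("192.168.1.0/24")],
}
GATEWAY = ip_address("192.168.1.1")   # assumed Zentyal LAN address
PROXY_PORT = 3128                      # explicit proxy port from the thread


def in_object(addr, name):
    """True if addr belongs to the named network object."""
    return any(ip_address(addr) in net for net in OBJECTS[name])


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


def firewall(pkt):
    """First-match policy with default deny, split like Zentyal's sections:
    traffic addressed to the gateway ("Internal networks to Zentyal") and
    traffic forwarded towards the Internet ("Internal networks")."""
    if ip_address(pkt.dst) == GATEWAY:
        # To Zentyal: the Test object may only use the explicit proxy.
        if in_object(pkt.src, "Test"):
            return "ACCEPT" if pkt.dport == PROXY_PORT else "DROP"
        return "ACCEPT" if in_object(pkt.src, "LAN") else "DROP"
    # Forwarded: Test is denied everything; the rest of the LAN is allowed.
    if in_object(pkt.src, "Test"):
        return "DROP"
    return "ACCEPT" if in_object(pkt.src, "LAN") else "DROP"


# Proxy access rules: (object, window start, window end, decision).
# First match wins; no match means deny.  Windows are assumed.
PROXY_RULES = [
    ("Test", time(15, 0), time(19, 0), "deny"),          # homework hours
    ("Test", time(22, 0), time(23, 59, 59), "deny"),     # bedtime
    ("LAN",  time(0, 0),  time(23, 59, 59), "allow"),    # everyone else
]


def proxy(src, now):
    for obj, start, end, decision in PROXY_RULES:
        if in_object(src, obj) and start <= now <= end:
            return decision
    return "deny"


def at(hhmm):
    """Parse 'HH:MM' into a datetime.time."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    return time(hours, minutes)


def web_request(src, dport, hhmm, via_proxy):
    """End-to-end decision for one client request.  A proxied request
    (HTTP, or HTTPS via CONNECT) is a packet to the gateway on PROXY_PORT;
    a direct request is a forwarded packet to an external host."""
    if via_proxy:
        if firewall(Packet(src, str(GATEWAY), PROXY_PORT)) != "ACCEPT":
            return "blocked-by-firewall"
        return "proxy-" + proxy(src, at(hhmm))
    external = "203.0.113.10"   # documentation-range address, assumed
    if firewall(Packet(src, external, dport)) != "ACCEPT":
        return "blocked-by-firewall"
    return "direct"


if __name__ == "__main__":
    for src, port, when, proxied in [
        ("192.168.1.50", 443, "17:00", False),  # child, direct HTTPS
        ("192.168.1.50", 80,  "17:00", True),   # child, via proxy, homework
        ("192.168.1.50", 80,  "20:00", True),   # child, via proxy, evening
        ("192.168.1.20", 443, "17:00", False),  # other device, direct
    ]:
        print(src, port, when, "proxy" if proxied else "direct",
              "->", web_request(src, port, when, proxied))
```

Running the block prints one decision per constructed request. The point worth checking is the combination: a direct HTTPS connection from a Test device is dropped by the forward policy regardless of the hour, while the same device's proxied request is accepted by the firewall and then allowed or denied purely by the proxy's time window, so the schedule lives in one place.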

christian

Re: Firewall configuration to deny internet access for some devices
« Reply #13 on: February 01, 2013, 03:17:58 pm »
Given what you describe, your configuration is somewhat wrong and could be easily bypassed  :-\
If the proxy is explicit (or even transparent if you are using network objects as described by Sam), there is no need to manage specific firewall rules.