Posts Tagged web filtering

SG560 Packet Filtering for forwarded packets vs Access Control

Spent all day trying to figure out why some of my packet filtering rules weren’t working. I’ve got two SG560 units VPN’d together via an IPSec tunnel. One has version 3.1.6 firmware and the other has version 3.2.2.

It appears that between these two versions they handle the “Access Control” feature differently. With 3.1.6, when you enable “Access Control” for “Internet”:

(Screenshot: Access Control settings)

and don’t even choose to block or enable anyone in the ACL

(Screenshot: ACL list)

then it changes the way packets are generated. It suppresses the triggering of the Packet Filter rule for port 80 and delegates control over that to the authd or Access Control feature. That is for firmware version 3.2.2. For version 3.1.6 the Packet Filter rule is still triggered.

Images below with descriptions:

Version 3.2.2

So I remembered it wrong. The source address does not change, but the packet filter rule based on “Type: Forward” is not triggered. Rather, “authd” is triggered (I think this is a different service or daemon from ipchains). I just spent some time googling it and here is a description for authd

Here the Packet Filter rule is enabled for Type: Forward and port 80, but it is not triggered.

Here the ACL within the Access Control is set to block port 80 and authd is triggered.

In this case (to the left), the “All Forward Block” is being triggered for a ping request, which uses ICMP, and thus the rule is triggered. But the other rule that is active for blocking Type: Forward for port 80 is not triggered. It is suppressed somehow and authd is put in its place.


Version 3.1.6

Okay, so after exhaustive testing I have concluded that there is no difference between the firmwares. But when I first went through this exercise last week (I didn’t have time to document my testing then) I could have sworn that each firmware was handling the packets differently. But now every test I do shows that they handle it the same.

Bottom line:

You must have Access Control disabled in order for the Packet Filter rules for Type: Forward to be triggered, at least for outbound traffic going out from the internal network. I haven’t tested, and am not planning to test, packets forwarded from the outside in using port forwarding.

If you have Access Control enabled, you can then use the ACL to determine which hosts will be blocked or allowed; the blocking is then performed by “authd” (protocol, application, whatever you want to call it) rather than by the Packet Filter.
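As an added illustration of the bottom line above (this is my own model, not SG560 code and not something from the post), here is a small Python model of the Linux netfilter packet path: nat PREROUTING runs first, then the routing decision sends a packet either to filter FORWARD (transit) or to filter INPUT (delivered to the gateway itself). It assumes, without confirmation from the post, that the SG560 is netfilter-based and that Access Control works by transparently redirecting outbound TCP/80 to a local authd listener in nat PREROUTING; the gateway address 192.168.1.1, the authd port 8080, the sample packets and the rule names are all constructed. Under that assumption the port-80 packet gets routed to INPUT and a “Type: Forward” rule never sees it, while a ping still traverses FORWARD and hits the forward rules, which is the behaviour reported above.

```python
"""Toy model of the Linux netfilter packet path (added example, not SG560 code).

Assumptions, not confirmed by the post: the SG560 is netfilter based, and its
Access Control feature works by transparently redirecting outbound TCP/80 to a
local daemon (authd) in nat PREROUTING.  A redirected packet is then routed to
INPUT, so a "Type: Forward" rule never matches it; ICMP is not redirected and
still traverses FORWARD.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

GATEWAY_LAN_IP = "192.168.1.1"   # assumed address of the unit's internal interface
AUTHD_PORT = 8080                # assumed local port authd listens on


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    chain: str                   # "PREROUTING" (nat), "INPUT" or "FORWARD" (filter)
    proto: Optional[str]         # None matches any protocol
    dport: Optional[int]         # None matches any destination port
    action: str                  # "ACCEPT", "DROP" or "REDIRECT"
    name: str                    # label as it might appear in the unit's log


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def walk(pkt: Packet, rules: List[Rule], chain: str) -> Tuple[Packet, Optional[str]]:
    """First-match evaluation of one chain. Returns the (possibly rewritten)
    packet and the name of the rule that fired, or None if only the chain
    policy applied."""
    for r in rules:
        if r.chain != chain or not matches(r, pkt):
            continue
        if r.action == "REDIRECT":
            # Transparent redirect: the destination becomes the gateway itself,
            # which is what changes the routing decision further down.
            return replace(pkt, dst=GATEWAY_LAN_IP, dport=AUTHD_PORT), r.name
        return pkt, r.name
    return pkt, None


def traverse(pkt: Packet, rules: List[Rule]) -> Tuple[str, List[str]]:
    """Path of an outbound LAN packet: nat PREROUTING, routing decision, then
    exactly one of filter INPUT / filter FORWARD. Returns the filter chain
    reached and the names of the rules that fired, in order."""
    fired: List[str] = []
    pkt, name = walk(pkt, rules, "PREROUTING")
    if name:
        fired.append(name)
    # Routing decision: a destination that is now the gateway is delivered
    # locally (INPUT); anything else is forwarded (FORWARD).
    chain = "INPUT" if pkt.dst == GATEWAY_LAN_IP else "FORWARD"
    _, name = walk(pkt, rules, chain)
    fired.append(name or f"{chain} policy")
    return chain, fired


def build_rules(access_control_enabled: bool) -> List[Rule]:
    """Rule set mirroring the post's setup: a Type: Forward block on port 80,
    an 'All Forward Block', and (optionally) the assumed authd redirect."""
    rules: List[Rule] = []
    if access_control_enabled:
        rules.append(Rule("PREROUTING", "tcp", 80, "REDIRECT", "Access Control (authd redirect)"))
    rules += [
        Rule("INPUT", "tcp", AUTHD_PORT, "ACCEPT", "authd"),
        Rule("FORWARD", "tcp", 80, "DROP", "Block port 80 (Type: Forward)"),
        Rule("FORWARD", None, None, "DROP", "All Forward Block"),
    ]
    return rules


def probe(access_control_enabled: bool) -> dict:
    """Run a constructed HTTP packet and a constructed ping through the model."""
    rules = build_rules(access_control_enabled)
    http = Packet("192.168.1.50", "203.0.113.10", "tcp", 80)   # constructed sample
    ping = Packet("192.168.1.50", "203.0.113.10", "icmp")      # constructed sample
    return {"http": traverse(http, rules), "ping": traverse(ping, rules)}


if __name__ == "__main__":
    for enabled in (False, True):
        state = "enabled" if enabled else "disabled"
        print(f"Access Control {state}: {probe(enabled)}")
```

The model only shows why a redirect-before-forward design would produce what the post observes; it does not prove that this is what the SG560 firmware actually does. On a real unit the check is the same one the post used: watch which rule name the log attributes to a test request with Access Control on and off.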

Whew… I’m done.


OpenDNS – Best Practices

OpenDNS and content filtering

Filtering adult content and other unwanted sites on a network is one of the greatest advantages to using OpenDNS. With a free account, you can manage your networks in the Dashboard, setting custom preferences all the way down to the individual public IP address.

via OpenDNS > Use OpenDNS > Best Practices.

