
Allow intranet but block internet access?

Created: 31 Dec 2009 • Updated: 21 May 2010 | 8 comments
This issue has been solved. See solution.

After getting help on creating a rule to block IE from running at all, I found out that the users will actually need to be able to access certain intranet sites.

Is this something I can do with a firewall rule? I only want them to have access to our intranet sites but be completely cut off from outside internet traffic when using Internet Explorer.


John_Prince:

Greetings,

I would create a firewall rule at the top of your firewall list that allows access to the IP range you need and immediately under that put a rule to block all communication. Any IP from inside the network will hit rule 1 and allow it, everything else will hit rule 2 and get blocked.

Remote Product Specialist, Business Critical Services, Symantec

BadAndy:

Could you provide more detail?

I'm not very familiar with creating firewall rules just yet and I don't understand how to do what you said.

John_Prince:

Greetings,

I sure can:

-Open SEPM
-Click Policies on the left
-Click Firewall in the top left
-Double click the Firewall policy in the right pane
-Click Rules on the left
-Click Add Rule...
-Click Next
-Select Host and click Next
-Choose IP Range
-Type the IP range you want to allow
-Click Next
-Click Add More... if you have other ranges you need to allow
-Click Finish
-Select the rule in the list
-Press Move Up until it's number 4 on the list, below the three block IPv6 rules
-Select the "Block all other traffic" rule; by default it's rule 15
-Press Move Up until it's right below the rule you just created

The firewall rules are processed in sequential order; this means as soon as a packet makes a match it stops processing the rules below it. With this setup, it will block any IPv6 communication if it comes through; if it's not IPv6 it will check the originating IP. If it's one of the ranges you selected the traffic comes through and processing stops. If it's not one of the ranges it moves to the next rule, which is to simply deny everything.

Please be aware this will allow ALL internal traffic to go through, such as pings, file sharing, etc. If you have any ports, applications, services, etc. that you do not want, you can create a similar rule to block and set it right above your IP range rule.

Remote Product Specialist, Business Critical Services, Symantec
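The first-match ordering described above (IPv6 blocks, then the intranet allow rule, then "Block all other traffic"), simulated as an added example; this is not SEPM code and not from the original thread. The 10.1.0.0-10.1.255.255 range and the SMB port 445 block rule are constructed values, and the optional extra block placed above the allow rule illustrates the caveat about file sharing in the reply above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Packet = Tuple[Addr, int]  # (remote IP, remote port)

@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "block"
    matches: Callable[[Packet], bool]

def ip_range(first: str, last: str) -> Callable[[Packet], bool]:
    """Match IPv4 traffic whose remote address lies within [first, last]."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lambda pkt: pkt[0].version == 4 and lo <= pkt[0] <= hi

def port(p: int) -> Callable[[Packet], bool]:
    return lambda pkt: pkt[1] == p

def build_policy(intranet: List[Tuple[str, str]],
                 block_first: Optional[List[Rule]] = None) -> List[Rule]:
    """Rule order from the post: IPv6 block, optional extra blocks,
    the intranet allow rule(s), then 'Block all other traffic'."""
    rules = [Rule("Block IPv6", "block", lambda pkt: pkt[0].version == 6)]
    rules += block_first or []
    rules += [Rule(f"Allow {lo}-{hi}", "allow", ip_range(lo, hi)) for lo, hi in intranet]
    rules.append(Rule("Block all other traffic", "block", lambda pkt: True))
    return rules

def evaluate(rules: List[Rule], remote_ip: str, remote_port: int = 80) -> Tuple[str, str]:
    """First match wins; rules below the matching one are never consulted."""
    pkt = (ipaddress.ip_address(remote_ip), remote_port)
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "implicit deny"  # unreachable with a catch-all block rule

# Constructed values: 10.1.0.0/16 stands in for the intranet range.
POLICY = build_policy([("10.1.0.0", "10.1.255.255")])
# Same policy with SMB (445) blocked above the allow rule, per the caveat.
POLICY_NO_SMB = build_policy([("10.1.0.0", "10.1.255.255")],
                             block_first=[Rule("Block SMB", "block", port(445))])

if __name__ == "__main__":
    for ip, p in [("10.1.20.5", 80), ("10.1.20.5", 445), ("93.184.216.34", 80), ("2001:db8::1", 80)]:
        print(ip, p, evaluate(POLICY, ip, p), evaluate(POLICY_NO_SMB, ip, p))
```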

SOLUTION
BadAndy:

Perfect! That's exactly what I needed. Thank you very much!

BadAndy:

I need some help tweaking the policy now. It's set to not allow any traffic other than internal sites, but now they also need to be able to access the Windows Update site. I've added the main ones (update.microsoft.com, windowsupdate.microsoft.com and www.update.microsoft.com) that I know about, but it still won't work right.

John_Prince:

Greetings,

By adding the sites, did you create a new policy allowing those domains and place it above the Block All rule? I would recommend adding the below ones rather than the ones you have as well:

    update.microsoft.com
    download.microsoftupdates.com
    windowsupdate.microsoft.com

Remote Product Specialist, Business Critical Services, Symantec

BadAndy:

When I add those sites, it pulls up the page that says "Checking if your computer has the latest version of updating software..." and then errors out. It's as though there is another site that it needs to access but I don't know what it is.

BadAndy:

Man, the requests for more just keep on coming, LoL!!

Since the machines are not in active directory but reside on the internal network, I also need to be able to ping the machines and connect to them via remote desktop and DameWare.

I really wish I knew more about firewalls and networking in general right now.