As a network administrator, one of the things that makes you a master of your job is your ability to take full control of your network and dictate what can and cannot be done. With organizations paying heavily for internet subscriptions, it is expected that users will make judicious use of the subscribed bandwidth for the good of the organization. In practice this is far from the truth: employees are in the habit of using their employer's internet to search for other jobs, stream videos on YouTube, visit Facebook, adult sites and so on. When this happens, little or nothing is left for legitimate traffic and the company's operations suffer. In this post, I will show how to permit company-approved traffic (legitimate traffic) while blocking all other web traffic.
This will be done using layer7 protocols and firewall filter rules, but in a highly organized fashion. Keep in mind that a layer7 matcher inspects the first 10 packets (or first 2 KB) of every connection it is applied to and is CPU and memory intensive, so the filter rules that use it should be restricted to the ports that carry web traffic (TCP 80 and 443). The first thing to do is to identify your company's allowed websites. This should include your company's website, Skype, your email provider, Microsoft.com, wikipedia.org, google.com, mail.google.com, Outlook, Office 365, and any other services you wish to permit.
The layer7 protocol for the allowed sites is shown in the image below; edit the list of hostnames to suit your needs.
[Image: layer7 protocol listing the allowed sites]
Next, create firewall filter rules that reference the layer7 protocol created above and set the action to accept. Because the rule matches on a destination port, it must also specify protocol=tcp. I enter the commands below, first for HTTPS sites (TCP port 443) and then for HTTP sites (TCP port 80):
Next, I create another layer7 protocol, named block_all_website, that matches every other site that should be blocked.
[Image: layer7 protocol block_all_website]
This is the regexp:
^.+(.).*$
Note that this pattern matches any payload of two bytes or more, so a filter rule using it is effectively an unconditional drop for whatever traffic reaches it; that is why it must come after the accept rules for the allowed sites. When typing the regexp at the RouterOS terminal inside double quotes, escape the trailing dollar sign as \$ so the console does not treat it as a variable reference.
Now I create two filter rules (one for HTTPS on TCP port 443, one for HTTP on TCP port 80) that use the block_all_website layer7 protocol above, with the action set to drop, to deny access to any website not included in my allowed list.
The final task is to create two more rules: one to drop invalid connections and another to allow established, related and new connections. These rules do not use layer7 protocols, and they must sit below the layer7 rules, because the layer7 matcher has to see the first packets of each connection before any blanket accept of established traffic. For invalid connections, see below and set the action to drop.
For established, related and new connections, set the action to accept. Be aware that this final accept lets every connection on ports other than 80 and 443 through (DNS, mail, VPNs and so on); this ruleset filters web traffic only.
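The complete ruleset described in the steps above, written out as RouterOS terminal commands. This is an added example, not the configuration from the original post or from MikroTik: the protocol name allowed_sites, the rule comments and the hostnames in the allow list are assumptions, and the hostnames should be replaced with your own company's list. The regexps are matched against the first packets of each connection, which for HTTP means the Host header and for HTTPS means the server name (SNI) in the TLS ClientHello, so hostname matching works on both ports. Dots in hostnames are escaped as \\. and the trailing $ as \$ because RouterOS interprets backslashes and $variables inside double-quoted strings.

```routeros
# Added example (not the post's own config). Hostnames and the name
# allowed_sites are assumptions; edit the list before use.
/ip firewall layer7-protocol
add name=allowed_sites comment="company-approved sites" regexp="^.+(example\\.com|skype\\.com|microsoft\\.com|wikipedia\\.org|google\\.com|office\\.com|live\\.com).*\$"
add name=block_all_website comment="matches any payload of 2+ bytes" regexp="^.+(.).*\$"

/ip firewall filter
# 1. Accept the approved sites over HTTPS and HTTP. These rules must stay
#    above the established/related accept rule in step 3, otherwise the
#    layer7 matcher never sees the first packets of a connection.
add chain=forward protocol=tcp dst-port=443 layer7-protocol=allowed_sites action=accept comment="allow approved sites (https)"
add chain=forward protocol=tcp dst-port=80 layer7-protocol=allowed_sites action=accept comment="allow approved sites (http)"

# 2. Drop every other web connection. Because ^.+(.).*$ matches any
#    payload, these two rules drop all port 80/443 traffic not accepted above.
add chain=forward protocol=tcp dst-port=443 layer7-protocol=block_all_website action=drop comment="block all other sites (https)"
add chain=forward protocol=tcp dst-port=80 layer7-protocol=block_all_website action=drop comment="block all other sites (http)"

# 3. Connection-tracking rules, no layer7. The final accept lets every
#    non-web connection through (DNS, mail, VPN and any other port), so
#    only HTTP and HTTPS are filtered by this ruleset.
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward connection-state=established,related,new action=accept comment="allow established, related and new"
```

To verify the order after pasting, run `/ip firewall filter print` and confirm the two allowed_sites accept rules appear first, the two block_all_website drop rules second, and the connection-state rules last; the packet and byte counters in the same output show which rule a test connection is hitting.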
With this setup, the company's subscribed bandwidth will be put to good use and will serve its purpose, and you, as the network administrator, will be respected and appreciated by the organization for your efforts at improving the quality of service delivery. Please stay with me on YouTube, Facebook and Twitter.