As a network administrator, one of the things that make you a master of your job is your ability to take full control of your network and dictate what can and cannot be done. With organizations paying heavily for internet subscriptions, it is expected that users will judiciously make use of the subscribed bandwidth for the good of the organization. This has been found to be far from the truth as employees are in the habit of using their employers’ internet to search for other jobs, stream videos on YouTube, visit Facebook, p0rn sites and so on. When these happen, there will be little or nothing left for legitimate traffic, causing the company’s operation to surfer. In this post, I will share with us on how to permit company-allowed traffics (legitimate traffics) while blocking all other forms of traffics.
This of course will be done using the layer7 protocols and firewall filter rules but in a highly organized fashion. The first thing to do is to identify your company’s allowed websites. This should include your company’s website, Skype, email provider, Microsoft.com, wikipedia.org, google.com, mail.google.com, outlook, office365, and other services you may wish to permit.
See code below but do not forget to edit to suite your needs.
^.+(nipex-ng.com|nipexnig.com|www.cbn.gov.ng|google.com|mail.google.com|portal.office.com|ttl.aribaasp.com|ogisp.dpr.gov.ng|ungm.org|portal.exxonmobil.com|nlngevims.aecglobal.com|e-business-area.saipem.com|connect.nlng.com|microsoft.com|login.microsoftonline.com|secure.aadcdn.microsoftonline-p.com|outlook.office.com|outlook.office365.com|outlook.office.com|www.office.com|office.com|firstbanknigeria.com|ibank.firstbanknigeria.com|flyairpeace.com|flydanaair.com|flyaero.com|login.windows.net|pemacng.com|psi.lunariffic.com|book-airpeace.crane.aero|maxcdn.bootstrapcdn.com|jquery.com|shellprod.msocdn.com|officehome.msocdn.com|r1.res.office365.com|www.flydanaair.com|scribd.com|tag.bounceexchange.com|www.wetransfer.com|wetransfer.com|zendesk.com|fidelitybank.com|www.cenbank.org|gmail.com|gigm.com|microsoft.com|update.microsoft.com|www.microsoft.com|googleusercontent.com|kohasaeng.com|dpr.gov.ng|gtbank.com|gstatic.com|www.quickteller.com|www.b2bmetal.eu|bentley.com|sched.lync.com|saipem.eni.it|saipem.com|www.unitconverters.net|www.un.org|un.org|http://www.coren.gov.ng/|icanig.org|https://www.surveymonkey.com|http://www.jamb.org.ng/|nogicjqs.gov.ng|www.ipage.com/|www.dailymail.co.uk|Remita.net|npower.gov.ng|www.onlinedailys.com|www.arikair.com|webpay.interswitchng.com|en.wikipedia.org|nse.org.ng|whatispiping.com|www.empromex.com|http://online.hygeiahmo.com|http://www.ieslglobal.com|www.competentia.com|http://foreverliving.com/).*$
Next, create a firewall filter rule for the layer7 protocols created above and set the action to accept. To do that, I will enter the below commands: For https sites:
Ip firewall filter add chain=forward action=accept layer7-protocol=Users Allowed Websites protocol=tcp dst-port=443
For http sites:
Ip firewall filter add chain=forward action=accept layer7-protocol=Users Allowed Websites protocol=tcp dst-port=80.
Next, I will create another layer7 protocol for all other sites that should be blocked.
This is the code:
^.+(.).*$
Now, I will create two filter rules (https and http), using the layer7 protocol (block_all_website) above to deny all access to any other website not included in my allowed website list.
Block all port other 443 websites:
Ip firewall filter add chain=forward
action=drop layer7-protocol=block_all_website protocol=tcp dst-port=443 log=yes
log-prefix=”Blk_Websites”
action=drop layer7-protocol=block_all_website protocol=tcp dst-port=443 log=yes
log-prefix=”Blk_Websites”
Block all other port 80 websites:
Ip firewall filter add chain=forward
action=drop layer7-protocol=block_all_website protocol=tcp dst-port=80 log=yes
log-prefix=”Blk_Websites”
action=drop layer7-protocol=block_all_website protocol=tcp dst-port=80 log=yes
log-prefix=”Blk_Websites”
The final task is to create two more rules;one to drop invalid connections and another, to allow established, related and new connections. These rules do not make use of layer7 protocols For invalid connections, see below and set the action to drop.
For related, established and new connections, set the action to allow.
With this setup, the company’s subscribed bandwidth will be put to good use and it will serve its purpose and you, as a network administrator will be respected and appreciated by the organisation for your efforts at improving the quality of service delivery. Please stay with me on YouTube, Facebook and Twitter.