block all traffic from/to a specific external ip address

Started by RobLatour, June 01, 2021, 11:23:19 PM

Sorry if this is a total basic question, but there is an external IP address that I would like to have all traffic to and from one of my networked devices blocked.  I tried adding a rule to my LAN interface but can't seem to figure out how to identify things correctly - or at least I can't get it to work.

Here is what I had tried (screenshot below) - but it did not work (I also tried changing the direction (in to out and out to in) but that didn't help). I also tried a similar set of rules at the WAN level - again, no love.


Any help would be appreciated.


Hi there,
You have to reverse the directions, out should be IN and in should be OUT assuming 192.168.1.21 resides in your LAN. In and Out are always seen from the firewall itself so in your rule setting the source 192.168.1.21 is leaving the firewall with destination 139.162.72.65 in your LAN.
So reverse the directions and also enable logging so you can see the result while looking at live view and select Interface is LAN, then try to connect from 192.168.1.121 to 139.162.72.65 and you will see the result in live view.

Thanks but that hasn't changed the results?

Originally, I had the direction you suggest - but changed it when that did not appear to be working.

Attached are some screenshots of (after I made and applied the changes you suggested), these are:
1. the rules showing how they are set up (and applied) now
2. what I am seeing on my live view
3. what I am seeing using a packet dump from ntopng

needing to post file over more than one post due to size limits

needing to post file over more than one post due to size limits (final)

From your packet dump it says that the protocol is UDP so I suggest you change the protocol from ANY to UDP.
You are using action = block as filter for live view which results in a lot of info you are not looking for.
Narrow your filter to interface = lan and a second filter source is 192.168.1.121 and tick the "Select any of given criteria (or)" box. Then you are looking at just traffic originating from 192.168.1.121.
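The two replies above rest on two points that are easy to get wrong in a rule editor: "in" and "out" are relative to the firewall, not to the LAN host, and a stateful firewall lets the replies of an already-passed flow through on the state table without consulting the rules again. The toy model below, added here as an example and not OPNsense or pf code, evaluates a first-match, stateful ruleset against constructed packets and shows why the first rule set (source host, direction "out" on LAN) never matched while the reversed one does. Addresses are the ones from the thread; the WAN address is a placeholder from the documentation range, the state table keys only on protocol and addresses (real pf also tracks ports), and the "pass lan in any" rule stands in for the default LAN-to-any rule. All of that is an assumption of the model.

```python
from dataclasses import dataclass

# Addresses from the thread; the WAN address is a placeholder (assumption).
LAN_HOST = "192.168.1.121"
REMOTE = "139.162.72.65"
WAN_ADDR = "203.0.113.10"      # documentation range, stands in for the blurred WAN IP


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the firewall sees the packet on: "lan" or "wan"
    direction: str  # relative to the firewall: "in" = entering it, "out" = leaving it
    proto: str      # "udp", "tcp", "icmp"
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str     # "block" or "pass"
    iface: str      # "lan", "wan" or "any"
    direction: str  # "in", "out" or "any"
    proto: str      # "udp", "tcp", "icmp" or "any"
    src: str        # address or "any"
    dst: str        # address or "any"
    log: bool = False

    def matches(self, p: Packet) -> bool:
        # "any" in a rule field matches every value of that field, "udp" included.
        return all(want in ("any", have) for want, have in (
            (self.iface, p.iface), (self.direction, p.direction),
            (self.proto, p.proto), (self.src, p.src), (self.dst, p.dst)))


class Firewall:
    """First-match, stateful filter: a pass rule creates a state entry, and the
    reply packets of that flow are matched against the state table instead of
    the rules, so a block rule further down cannot catch them."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()     # (proto, src, dst) of flows a pass rule allowed
        self.log = []           # what a logged rule would show in the live view

    def filter(self, p: Packet) -> str:
        flow, reply = (p.proto, p.src, p.dst), (p.proto, p.dst, p.src)
        if flow in self.states or reply in self.states:
            return "pass (state)"
        for r in self.rules:
            if r.matches(p):
                if r.log:
                    self.log.append((r.action, p.iface, p.direction, p.proto, p.src, p.dst))
                if r.action == "pass":
                    self.states.add(flow)
                return r.action  # first match wins
        return "block (default deny)"


def wrong_ruleset():
    """First attempt: directions chosen as if 'out' meant 'leaving the LAN host'."""
    return [
        Rule("block", "lan", "out", "any", LAN_HOST, REMOTE, log=True),
        Rule("block", "lan", "in", "any", REMOTE, LAN_HOST, log=True),
        Rule("pass", "lan", "in", "any", "any", "any"),   # stand-in for the default LAN-to-any rule
    ]


def corrected_ruleset():
    """Directions seen from the firewall: the host's packets arrive 'in' on LAN,
    packets for the host leave 'out' on LAN. Protocol narrowed to UDP as advised."""
    return [
        Rule("block", "lan", "in", "udp", LAN_HOST, REMOTE, log=True),
        Rule("block", "lan", "out", "udp", REMOTE, LAN_HOST, log=True),
        Rule("pass", "lan", "in", "any", "any", "any"),
    ]


# Constructed packets: the host talking to the remote, the remote's reply as the
# LAN interface sees it, and an unsolicited packet from the remote as the WAN
# interface sees it (destination is the WAN address, not the LAN host, because
# no port forward rewrites it before filtering).
HOST_TO_REMOTE = Packet("lan", "in", "udp", LAN_HOST, REMOTE)
REMOTE_TO_HOST = Packet("lan", "out", "udp", REMOTE, LAN_HOST)
UNSOLICITED_ON_WAN = Packet("wan", "in", "udp", REMOTE, WAN_ADDR)


def run(rules, packets):
    """Return the verdict for each packet in order, sharing one state table."""
    fw = Firewall(rules)
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for name, rules in (("wrong", wrong_ruleset()), ("corrected", corrected_ruleset())):
        print(name, run(rules, [HOST_TO_REMOTE, REMOTE_TO_HOST, UNSOLICITED_ON_WAN]))
```

With the first rule set the host's packet arrives "in" on LAN, matches neither block rule and is passed by the LAN-to-any rule, after which the reply rides the state entry; with the reversed directions both packets hit a block rule. The unsolicited packet on WAN is dropped by the default deny either way and, since nothing logs it on that interface, would not appear in a live view filtered to LAN.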

gdur,

Thanks for your help - I think I am making progress - but am confused with the results.

I changed the protocol from 'any' to 'udp' as you suggested, and am now seeing some traffic blocked in the live view. 

I would have thought that 'any' would have included 'udp' - is that not correct?

Regardless, also to make progress, I changed the rules from using '192.168.1.121' (which is the internal IP address of my device) to 'any' (please see attached screenshot).

Odd things are:

1. live view only shows traffic blocked where 139.162.72.65 is the source (but not the destination)

2. the destination is not my device's internal lan address, rather my external IP address (which I have blurred in the screenshot)

3. one outgoing connection seems to have been allowed?

4. ntopng results remain unchanged, and it appears that traffic is flowing both ways (however perhaps ntopng is reporting what is being requested vs what is being allowed?)


Also, I did check to see if I could ping out from the device at 192.168.1.121 to 139.162.72.65 and I could not - which is good.