Topic: how to block all internet traffic (Read 1826 times)
RobLatour (Full Member, Posts: 132, Karma: 7)
how to block all internet traffic
« on: September 13, 2023, 03:56:19 pm »
I have three interfaces: WAN, LAN and LAN_IOT.
What is the best way to block all internet traffic to LAN and LAN_IOT while still allowing traffic between and within LAN and LAN_IOT?
Patrick M. Hausen (Hero Member, Posts: 6825, Karma: 573)
Re: how to block all internet traffic
« Reply #1 on: September 13, 2023, 04:33:52 pm »
If you have no allow rule or NAT port forward on WAN this is already the case.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
RobLatour (Full Member, Posts: 132, Karma: 7)
Re: how to block all internet traffic
« Reply #2 on: September 13, 2023, 07:11:06 pm »
I don't have a no allow rule on the WAN; what does this look like?
Patrick M. Hausen (Hero Member, Posts: 6825, Karma: 573)
Re: how to block all internet traffic
« Reply #3 on: September 13, 2023, 07:12:13 pm »
If you have no rule that says "allow" ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
RobLatour (Full Member, Posts: 132, Karma: 7)
Re: how to block all internet traffic
« Reply #4 on: September 13, 2023, 10:05:04 pm »
I'm not sure what you mean. By 'allow' I assume you mean 'pass', and I have only one firewall rule for my WAN interface that provides for a specific pass ...
yet all my LAN and LAN_IOT devices have internet access.
What I am looking for is a rule (or set of rules) that I would enable/disable in order to enable/disable internet access to my devices on the LAN and LAN_IOT interfaces.
cookiemonster (Hero Member, Posts: 1823, Karma: 95)
Re: how to block all internet traffic
« Reply #5 on: September 13, 2023, 10:21:54 pm »
You need that one rule in the relevant interface, i.e. LAN_IOT. There the rule (if it exists):
action: pass
interface: LAN_IOT
direction: in
tcp version: what you use
protocol: any
source: LAN_IOT net
destination: any
gateway: default
This is what says any traffic from this network coming into this network's interface on the firewall: pass.
This is equivalent to the "allow all in" rule. Here is where you allow or deny the traffic to get out of this network, and on its way to another, like the internet.
When set to enabled, traffic goes out to the internet. When you disable it, it stops.
Patrick M. Hausen (Hero Member, Posts: 6825, Karma: 573)
Re: how to block all internet traffic
« Reply #6 on: September 13, 2023, 11:28:02 pm »
You asked to block "Internet to LAN". As I wrote this is the case by default. If you want to block "LAN to Internet" refer to @cookiemonster's post.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
RobLatour (Full Member, Posts: 132, Karma: 7)
Re: how to block all internet traffic
« Reply #7 on: September 14, 2023, 12:54:37 am »
Thank you that helped.
Also, I watched this video which is also slowly helping me put the pieces together:
https://www.youtube.com/watch?v=dLUffHxnsIQ
I have always had trouble understanding the whole firewall 'in' and 'out' direction thing, even though I know it's from the perspective of the firewall.
As an example, from the way I saw it, when Computer A (say on my network) talks to another Computer B (say someplace on the Internet) there is a lot of back and forth. For example (rightly or wrongly) I felt that if Computer A wants to download a file from Computer B, then traffic needs to go from Computer A to Computer B to request the download, and then a lot of traffic travels from Computer B to Computer A as the file downloads (but even in that case as the download proceeds Computer A is likely sending a little traffic to Computer B - in acknowledging packets received).
As such I thought that there would have to be both 'in' and 'out' rules defined in the firewall to allow for the traffic to flow between Computer A and Computer B; the in rule to have traffic come into the firewall and on to Computer A to receive the downloaded file, and the out rule to have traffic go out of Computer A and the firewall request it.
This however (and please correct me if I am wrong) does not seem to need to be the case. You only need to establish 'in' rules, which allow one computer to instigate a communication with another.
So in the case above, I would just need one 'in' rule to allow Computer A to reach computer B and make the request, and then if Computer B starts sending a download file that Computer A requested all is fine.
« Last Edit: September 14, 2023, 01:17:32 am by RobLatour »
passeri (Full Member, Posts: 100, Karma: 4)
Re: how to block all internet traffic
« Reply #8 on: September 14, 2023, 01:32:31 am »
Hi RobLatour, instead of worrying about the individual traffic flows, think of sessions. Based on the normal rules covered by PM Hausen and Cookiemonster, your LAN device can initiate a session which allows a file to be downloaded to it, strictly within the session. The external system cannot initiate such a session (given the WAN Deny which is the default). Therefore you need no rules beyond that default WAN Deny for things to operate as you wish.
To extend it a bit, if you had a server then for particular designated ports a session could be initiated from the internet to the server. Sessions cannot occur except as initiation (usually IN to the firewall) is permitted, and no additional rules are needed.
Edit: Well, deriving the session concept helped me to understand the INs and OUTs of Block and Allow, anyway.
I have some technical knowledge but am otherwise pretty new to firewalls myself so I know from where you come.
« Last Edit: September 14, 2023, 01:37:22 am by passeri »
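To make the mechanics described by cookiemonster (the single pass rule with direction "in" on the LAN_IOT interface) and by passeri (sessions: only the packet that initiates a session needs a rule) concrete, here is an added example. It is not code from OPNsense or from anyone in this thread; it is a small Python model of a stateful packet filter in the spirit of pf, the filter OPNsense uses. Rules are evaluated only on the interface a packet enters, a matching pass rule creates a state, and reply traffic then passes on that state without any rule on WAN. The interface names, address ranges, host addresses and the second rule limited to "LAN net" (which goes one step beyond the thread by keeping inter-LAN traffic flowing while the internet rule is disabled) are assumptions made for illustration.

```python
"""Toy model of a stateful packet filter, in the spirit of pf as used by OPNsense.
Added example for this thread, not code from OPNsense or from any poster.
Interface names, address ranges, hosts and rules are assumed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed topology: the networks behind the two local interfaces.
NETS = {
    "LAN": ip_network("192.168.1.0/24"),
    "LAN_IOT": ip_network("192.168.2.0/24"),
}


def ingress_interface(src: str) -> str:
    """Interface a packet enters on, derived from its source address.
    Anything not from a local network is assumed to arrive on WAN."""
    for name, net in NETS.items():
        if ip_address(src) in net:
            return name
    return "WAN"


@dataclass
class Rule:
    """A pass rule with direction 'in' on one interface (the OPNsense default)."""
    interface: str       # only packets entering this interface are matched
    src: str             # "<iface> net" or "any"
    dst: str             # "<iface> net" or "any"
    enabled: bool = True

    @staticmethod
    def _covers(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        return ip_address(addr) in NETS[spec.removesuffix(" net")]

    def matches(self, iface: str, src: str, dst: str) -> bool:
        return (self.enabled and iface == self.interface
                and self._covers(self.src, src) and self._covers(self.dst, dst))


@dataclass
class Firewall:
    rules: list            # evaluated in order, first match wins (OPNsense rules are "quick")
    states: set = field(default_factory=set)  # (src, sport, dst, dport) of open sessions

    def filter(self, src: str, sport: int, dst: str, dport: int) -> str:
        # 1. Packets of an open session pass on the state, in either direction, so the
        #    reply traffic of a download never needs a rule on the interface it arrives on.
        if (src, sport, dst, dport) in self.states or (dst, dport, src, sport) in self.states:
            return "pass (state)"
        # 2. A new session must match an enabled pass rule on its ingress interface.
        iface = ingress_interface(src)
        for rule in self.rules:
            if rule.matches(iface, src, dst):
                self.states.add((src, sport, dst, dport))
                return f"pass (rule on {iface})"
        # 3. Default deny: with no pass rule on WAN, nothing from the internet initiates.
        return f"block (default deny on {iface})"


def scenario() -> dict:
    """Walk through the cases discussed in the thread and return the verdicts."""
    internet_rule = Rule("LAN_IOT", "LAN_IOT net", "any")       # cookiemonster's rule
    inter_lan_rule = Rule("LAN_IOT", "LAN_IOT net", "LAN net")  # assumed extra rule
    fw = Firewall([inter_lan_rule, internet_rule])
    iot, pc, web = "192.168.2.10", "192.168.1.20", "203.0.113.5"  # constructed hosts

    out = {}
    out["iot_to_internet"] = fw.filter(iot, 40000, web, 443)         # initiates a session
    out["reply_from_internet"] = fw.filter(web, 443, iot, 40000)     # download data flows back
    out["internet_initiates"] = fw.filter(web, 12345, iot, 22)       # no WAN rule: blocked
    internet_rule.enabled = False                                    # "when you disable it, it stops"
    out["iot_to_internet_disabled"] = fw.filter(iot, 40001, web, 443)
    out["iot_to_lan_disabled"] = fw.filter(iot, 40002, pc, 8123)     # inter-LAN still allowed
    out["old_session_after_disable"] = fw.filter(web, 443, iot, 40000)  # state survives
    return out


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:28} {verdict}")
```

Running the module prints one verdict per case. The last case is the one to keep in mind when using the rule as an on/off switch: a state created while the rule was enabled keeps passing after the rule is disabled, as it does in pf until the state expires or is flushed, so disabling the rule stops new sessions but does not by itself cut off sessions that are already open.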
RobLatour (Full Member, Posts: 132, Karma: 7)
Re: how to block all internet traffic
« Reply #9 on: September 14, 2023, 02:28:32 am »
Also very helpful. Thank you.