RE: Configuration Suggestions
We have installed a PFSense firewall at a clients production plant so we can do some connection limiting for some of their work stations. They have a few machines that are used as clients to a hosted application service provided by an offsite vendor. They keep having problems with employees at the plant using those machines for internet browsing and emailing and consequently those machines are dropping like flies due to the god knows what the plant employees are looking at (Too much info I know).
I know this seems like a dumb question but what would be the best way to go about blocking the access of those machines so they can only access the domains/IP's and ports necessary for the client to connect to it's services?
One easy option is to setup your DNS to point to opendns.com. Then signup with account define your IP addresses and turn on filtering for the categories desired. To completely secure it block DNS for everything other than OpenDNS. If you have a dynamic ip then use DNS-O-Matic to update the IP for OpenDNS.
You can also use the DNS forwarder to override a few domains that you want to block and assign them a localhost IP address such as 127.0.0.1. Effectively blocking the domains of your choice.
Is there anyway to setup firewall rules to block network access to the WAN except for specific IP's? I tried setting up some block rules but they still seem to let traffic pass through.
For example I created a DHCP assignment to the mac address of the machine in question so I can insure it's always on the same LAN IP and then tried setting up a block rule to deny that host access to any outside IP. It did not work. Granted I probably did not set it up right.
I like the DNS solution for a more network wide application. In the case we are only trying to block other 2 machines.
Any further advise would be greatly appreciated.
You could assign captive portal to the LAN. Then you can control access From the WAN by mac address, ip address, and/or giving out user accounts that allow people through captive portal.
You probably can do this with firewall rules too but captive portal is easy and flexible and will work.