Netgate Discussion Forum

    Best Way How To: Block Lan machine from accessing internet?

    Firewalling
    8 Posts 6 Posters 13.5k Views
    • sierradump

      I have a machine on my LAN that should NEVER be allowed to access the internet. What is the best way to accomplish this?

      The machine should NEVER be allowed to send any traffic out the WAN, and NEVER be allowed to receive traffic from the WAN.

      Would appreciate a quick rundown of what I need to do to accomplish this. Thanks!

      • jimp (Rebel Alliance Developer, Netgate)

        It should be an easy matter of adding a block rule to the top of your LAN tab.

        Block <any proto> from <that LAN IP> to *

        If it can't go out, it won't be able to get anything back in.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • Monoecus

          As Jimp said: Block the IP address of this machine on the LAN Tab and add a block to this machine's IP on the WAN Tab.

          For even more security, put this machine on a separate LAN/VLAN and disallow traffic from this machine to other machines on your network that have access to the internet to prevent circumvention of your blocks. It is needless to say that your machine definitely should have a static IP address that cannot be changed by any users of this machine.

          In case you really need this machine to access other computers on your network, allow only the Ports that this machine needs to access. Be especially careful with Telnet or SSH protocol, as this can be used to circumvent your block by using another machine on your network. Same holds for p2p software like Skype or bittorrent. Don't install such software on this machine.

          However, the best security you get by unplugging the machine from your network :-)

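The LAN-tab rule jimp describes, together with Monoecus's "allow only the ports it needs" variant, written out as an added example in raw pf(4) syntax, which is what pfSense compiles its GUI rules into. This is not the thread's own text and not a ruleset generated by pfSense; the interface name em1 and the addresses 192.168.1.50 (the quarantined host) and 192.168.1.10 (an internal file server) are placeholder values.

```pf
# Added example, not from the thread and not pfSense-generated output.
# em1, 192.168.1.50 and 192.168.1.10 are placeholders; substitute your own.
lan_if      = "em1"
quarantined = "192.168.1.50"   # the host that must never reach the internet
file_server = "192.168.1.10"   # the single internal host it may still talk to

# Monoecus's variant: permit exactly one internal service and nothing else.
# Delete this rule for the total block from jimp's answer.
pass in quick on $lan_if proto tcp from $quarantined to $file_server port 445 keep state

# The block rule itself. "quick" makes it first-match, which is how pfSense
# evaluates GUI rules, so it has to sit above the general LAN pass rule.
# "log" records every attempt so the host showing up in the firewall log
# tells you the rule is doing its job.
block in log quick on $lan_if from $quarantined to any

# The usual LAN-to-anywhere rule; the quarantined host never reaches it.
pass in quick on $lan_if from $lan_if:network to any keep state
```

Because pf is stateful, return traffic is only accepted for flows that were allowed in, so with no outbound state the WAN side has nothing to ride back in on; the only way WAN-originated traffic reaches the host is an explicit WAN rule or a NAT port forward pointing at it, so check the port-forward list as well. The rule only filters what arrives on em1, which is why the host needs a fixed address (a DHCP static mapping or a static IP) as Monoecus says. To confirm the rule is loaded and see its hit counters, run `pfctl -vsr` on the firewall and look for the 192.168.1.50 line.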
          • Bern

            How about just removing its default gateway in its own TCP/IP settings?

            • djamp42

              What about in a DHCP environment, like a hotel, airport, etc.?

              It would be cool to have some kind of MAC to IP address tracking, so a MAC address could be added to the firewall, and no matter what IP address it got, it would still be blocked.

              You can do this manually, but it is not very efficient.

              Adam

              • jimp (Rebel Alliance Developer, Netgate)

                The problem with tracking by MAC is that it can also be spoofed, and if the person really wants to, they could stick a cheap broadband router in front of their PC and really change the MAC.

                I thought someone said MAC filtering might be coming in 2.0, but don't quote me on that one.


                • Perry

                  What about in a DHCP environment, like a hotel, airport, etc.

                  As you probably would give them some Internet access.
                  low level restriction = OpenDNS
                  next level = Squidguard
                  next level = add a untangle box
                  next level = just give them a switch :D cnr

                  /Perry
                  doc.pfsense.org

                  • jimp (Rebel Alliance Developer, Netgate)

                    Captive portal can also help in a Hotel/Airport/Hotspot environment as well


                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.