Block access to internet.



  • How do I get the firewall to block access to all that are not in the firewall?

    All PCs are already configured with the "proxy", but if I leave the proxy, I have full access to the internet.



  • Router has 2 NICs
    firewall WAN/LAN router

    • TCP - LAN net - * - LAN add - 3128 - * - none -

    Proxy has 1 NIC
    firewall LAN proxy

    • TCP - LAN net - * - LAN add - 3128 - * - none -


  • @dgiorgio:

    How do I get the firewall to block access to all that are not in the firewall?

    All PCs are already configured with the "proxy", but if I leave the proxy, I have full access to the internet.

    If I understand correctly what you are asking, you create a rule that blocks the entire LAN range EXCEPT the address of the proxy server.



  • If I manually configure the proxy on some PC, the PC goes through the proxy.

    If I do not configure the proxy on the PC, this machine has full access to the internet.

    This is a problem, because the firewall does not block access to the internet.



  • @dgiorgio:

    If I manually configure the proxy on some PC, the PC goes through the proxy.

    If I do not configure the proxy on the PC, this machine has full access to the internet.

    This is a problem, because the firewall does not block access to the internet.

    Right… create a rule on the firewall that blocks all IP Addresses EXCEPT the proxy server.



  • The company I work for has ERP, LogMeIn and several other services installed.

    I have to configure proxy at all?

    I have to just block access to web?



  • pfSense firewall is default deny on interfaces. So anything not allowed will be denied. Do you have an allow rule for port 80? If so, are you specifying a source?

    To deny the internet to everyone except for the proxy, the rule on the LAN interface would look like this:

    Proto   Source              Port   Destination   Port
    TCP     <proxy server ip>   *      *             80

    And then web access from anywhere else that's not the proxy server will be dropped. If source is just "*" then both proxy server and PCs will get through. Post your LAN firewall rules if you're still unclear.
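
The rule from the last post, modelled as an added example (not pfSense code and not written by any poster): a first-match evaluator with default deny, plus a check that flags pass rules letting any host other than the proxy reach port 80. The addresses and the names `Rule`, `evaluate` and `bypass_rules` are assumptions made up for this example; only pass rules are modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One pass rule on the LAN interface (block rules are not modelled)."""
    proto: str
    source: str    # "*" or an IP address / CIDR network
    dport: object  # "*" or an integer destination port

def src_matches(rule_src, src_ip):
    if rule_src == "*":
        return True
    net = ipaddress.ip_network(rule_src, strict=False)
    return ipaddress.ip_address(src_ip) in net

def evaluate(rules, proto, src_ip, dport):
    """First matching pass rule wins; anything unmatched hits default deny."""
    for r in rules:
        if r.proto == proto and src_matches(r.source, src_ip) and r.dport in ("*", dport):
            return "pass"
    return "block"

def bypass_rules(rules, proxy_ip, web_port=80):
    """Return pass rules that let a source other than the proxy reach web_port."""
    proxy_net = ipaddress.ip_network(proxy_ip)  # single host, /32
    flagged = []
    for r in rules:
        if r.proto != "TCP" or r.dport not in ("*", web_port):
            continue
        if r.source == "*" or ipaddress.ip_network(r.source, strict=False) != proxy_net:
            flagged.append(r)
    return flagged

# Constructed sample values, not taken from the thread.
PROXY = "192.168.1.10"
PC = "192.168.1.50"
OPEN_RULES = [Rule("TCP", "*", 80)]      # source "*": PCs bypass the proxy
LOCKED_RULES = [Rule("TCP", PROXY, 80)]  # source limited to the proxy server

if __name__ == "__main__":
    for name, rules in (("source *", OPEN_RULES), ("source proxy", LOCKED_RULES)):
        print(name,
              "| PC ->", evaluate(rules, "TCP", PC, 80),
              "| proxy ->", evaluate(rules, "TCP", PROXY, 80),
              "| bypass rules:", bypass_rules(rules, PROXY))
```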

