Allow specific URLs



  • Hi all,
    I have to allow only POP and SMTP of Gmail over the firewall rule to all LAN users. I created two aliases, mail_hosts and mail_ports. How do I add these aliases?





  • Thanks for the reply. Now I added it like this, but it's not pinging pop.gmail.com from the client machine. Is that correct?




  • Get rid of the useless LAN NET to LAN NET rule.  It does nothing.  That traffic never traverses the firewall, it only goes through your switch.

    TCP is not ICMP.  You haven't allowed pings out, except from IPs in your Full_access alias.

    Try to telnet to one of the allowed host port combinations from one of the PCs not in the full_access alias.

    Edit:  Clarified to try an allowed IP and port.



  • @almabes:

    Get rid of the useless LAN NET to LAN NET rule.  It does nothing.  That traffic never traverses the firewall, it only goes through your switch.

    TCP is not ICMP.  You haven't allowed pings out, except from IPs in your Full_access alias.

    Try to telnet to one of the allowed ports from one of the PCs not in the full_access alias.

    If I disable LAN NET to LAN NET, my client PC is not connected to the Squid proxy. I used telnet to check port 995 of pop.gmail.com and I got the error "connection Failed". That PC is not a member of the "Full_access" alias.



  • Ok.
    Rewrite that LAN net to LAN net rule to be more specific.
    LAN net to LAN address TCP port 3128 (or whatever you have Squid set to).  Otherwise anyone on your LAN can hit SSH and webConfigurator on the firewall.

    You may want to allow LAN net access to lan address UDP 53, unless you have a DNS server on your LAN that is not your firewall. Which is what I suspect is contributing to the connection failed problem.
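
The rule logic discussed in this thread, modelled as an added example that is not part of any post: a first-match evaluator with default deny, run against a broad "LAN net to LAN net" ruleset and the narrowed one suggested above. All addresses, the contents of the mail_hosts and mail_ports aliases, and the helper names are constructed assumptions; the Full_access rule is omitted because the test client is not in that alias.

```python
import ipaddress

net = ipaddress.ip_network
LAN_NET = [net("192.168.1.0/24")]    # constructed LAN subnet
LAN_ADDR = [net("192.168.1.1/32")]   # constructed firewall LAN address
MAIL_HOSTS = [net("203.0.113.10/32")]  # constructed stand-in for the mail_hosts alias
MAIL_PORTS = {465, 587, 995}         # assumed contents of the mail_ports alias

CLIENT, FIREWALL, MAIL = "192.168.1.50", "192.168.1.1", "203.0.113.10"

# Rule tuple: (protocol, source nets, destination nets, ports or None for any, label)
MAIL_RULE = ("tcp", LAN_NET, MAIL_HOSTS, MAIL_PORTS, "mail alias rule")
SQUID_RULE = ("tcp", LAN_NET, LAN_ADDR, {3128}, "squid on LAN address")
DNS_RULE = ("udp", LAN_NET, LAN_ADDR, {53}, "DNS on LAN address")

BROAD = [("any", LAN_NET, LAN_NET, None, "LAN net to LAN net"), MAIL_RULE]
NARROW = [SQUID_RULE, DNS_RULE, MAIL_RULE]
NARROW_NO_DNS = [SQUID_RULE, MAIL_RULE]


def evaluate(rules, proto, src, dst, port=None):
    """Return the first matching pass rule, or the default deny if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_proto, r_src, r_dst, r_ports, label in rules:
        if r_proto not in ("any", proto):
            continue  # a TCP rule never matches ICMP or UDP
        if not any(s in n for n in r_src) or not any(d in n for n in r_dst):
            continue
        if r_ports is not None and port not in r_ports:
            continue
        return "pass: " + label
    return "block: default deny"


if __name__ == "__main__":
    checks = [
        ("ping to mail host", NARROW, "icmp", MAIL, None),
        ("POP3S to mail host", NARROW, "tcp", MAIL, 995),
        ("SSH to firewall, broad rule", BROAD, "tcp", FIREWALL, 22),
        ("SSH to firewall, narrow rules", NARROW, "tcp", FIREWALL, 22),
        ("DNS to firewall, no DNS rule", NARROW_NO_DNS, "udp", FIREWALL, 53),
        ("DNS to firewall, with DNS rule", NARROW, "udp", FIREWALL, 53),
    ]
    for name, rules, proto, dst, port in checks:
        print(f"{name:32} {evaluate(rules, proto, CLIENT, dst, port)}")
```
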