Newbie: Block Everything going into the internet but allow browsing and ssh

  • Hi, pardon the newbie question, but I'm setting up a company firewall in a hurry.

    I need to set up a firewall that allows LAN users to access the Internet (www and ym), but I want to filter which sites they can go to.  At the same time, I would like to prevent the web developers of the company from accessing our offshore servers via SSH.

    So, so far I have done the following with pfSense.

    1.  Set up Squid / SquidGuard to block out unwanted websites.
    2.  Firewall Rules

    Block all traffic from LAN to the Internet
    Allow traffic from LAN to "Offshore" (alias of IP addresses of offshore services) using "Ports"(alias for ports used to access servers)

    So far this strategy works for web browsing, meaning people need to use the proxy server of pfSense to get to the web. My problem is that even though I have a rule to allow traffic from LAN to the servers, I am still unable to SSH to the servers.  I had to turn off the Block rule to be able to access the servers again.  But by disabling the Block rule, I allow the users to access the Internet without the need to go through the proxy.

    Can anyone help me troubleshoot this?

    Many thanks!

  • Do you have the option set in the proxy to capture all web traffic so it works without setting options in the browser?

  • ISTR that it warns you on the rules page: rules are processed top-down.  This means that if you have rule #2 as "Block all" then no further rules will work.
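To make the rule-ordering point concrete, here is a small first-match evaluator, added as an illustration and not code from the original thread or from pfSense. It models the two LAN rules from the question with constructed stand-ins for the "Offshore" and "Ports" aliases (the documentation range 203.0.113.0/24 and ports 22/443 are assumptions) and shows that with "Block all" above the allow rule the SSH packet is dropped, while swapping the two rules lets SSH to the offshore hosts through and still blocks everything else. pfSense applies pf's `quick` keyword to every rule, which is why the first matching rule decides and an unmatched packet falls to the implicit default deny.

```python
"""Toy first-match rule evaluator illustrating pfSense LAN rule ordering.

Added example, not part of the forum thread. The aliases, addresses and
ports below are constructed stand-ins for the poster's real values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed stand-ins for the "Offshore" and "Ports" aliases from the post.
# 203.0.113.0/24 is a documentation range, not a real offshore server.
OFFSHORE_ALIAS: List[ipaddress.IPv4Network] = [ipaddress.ip_network("203.0.113.0/24")]
PORTS_ALIAS: Set[int] = {22, 443}  # assumed: SSH and HTTPS to the offshore hosts


@dataclass(frozen=True)
class Rule:
    action: str                                     # "pass" or "block"
    dst_nets: Optional[List[ipaddress.IPv4Network]]  # None means any destination
    dst_ports: Optional[Set[int]]                   # None means any port
    comment: str = ""


def rule_matches(rule: Rule, dst_ip: str, dst_port: int) -> bool:
    """True if the destination address/port falls inside the rule's aliases."""
    ip = ipaddress.ip_address(dst_ip)
    if rule.dst_nets is not None and not any(ip in net for net in rule.dst_nets):
        return False
    if rule.dst_ports is not None and dst_port not in rule.dst_ports:
        return False
    return True


def evaluate(rules: List[Rule], dst_ip: str, dst_port: int) -> str:
    """Walk the rule list top-down; the first matching rule decides.

    This mirrors pfSense, which adds pf's 'quick' to every rule. If nothing
    matches, the packet hits the implicit default deny and is blocked.
    """
    for rule in rules:
        if rule_matches(rule, dst_ip, dst_port):
            return rule.action
    return "block"


BLOCK_ALL = Rule("block", None, None, "Block all traffic from LAN to the Internet")
ALLOW_OFFSHORE = Rule("pass", OFFSHORE_ALIAS, PORTS_ALIAS, "Allow LAN to Offshore on Ports")

# Order as described in the question: the catch-all block sits above the allow.
AS_POSTED = [BLOCK_ALL, ALLOW_OFFSHORE]
# The fix: the specific allow rule must come before the catch-all block.
REORDERED = [ALLOW_OFFSHORE, BLOCK_ALL]


if __name__ == "__main__":
    # Constructed test packets: SSH to an offshore host, HTTP to the same host,
    # and SSH to some other Internet host.
    packets = [("203.0.113.10", 22), ("203.0.113.10", 80), ("198.51.100.7", 22)]
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        for ip, port in packets:
            print(f"{name:10s} {ip}:{port:<4d} -> {evaluate(rules, ip, port)}")
```

Running it prints that the "as posted" ordering blocks SSH to 203.0.113.10 even though an allow rule exists, while the "reordered" list passes only 203.0.113.10:22 and 203.0.113.10:443 and blocks the rest, which is the behaviour the poster wanted.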

