HELP!!!! Blocking Rules block internet Browsing

 
Post new topic   Reply to topic    www.zeroshell.org Forum Index -> ZeroShell
View previous topic :: View next topic  
Author Message
matthew.a.squires



Joined: 03 Jul 2008
Posts: 110

PostPosted: Fri Mar 20, 2009 2:47 pm    Post subject: HELP!!!! Blocking Rules block internet Browsing Reply with quote

I created a CHAIN rule for blocking Layer7 protocols/applications.
It works great, except that after an unknown period of inactivity we are losing the ability to surf the internet.
Sometimes I can access the Zeroshell Web Interface and sometimes I cannot.
I have tried disabling and re-enabling the Firewall and Router services, with no positive results.

We do not have a 3rd party firewall installed on my WinXP Pro OS and the Windows Firewall is turned off.

I renewed the WinXP IP Addresses and we are still unable to browse.
I released and renewed the WAN IP Address and we are still unable to browse.
We are able to ping IP Addresses, but not URLs (eg: www.google.com).
The only solution that works is to restart the Zeroshell Router.
But again, after an unspecified period of time I lose the ability to browse the internet or even access the Zeroshell Web Interface.
When the blocking rules are disabled and the router is restarted, the inability to browse after a period of browsing inactivity is not an issue.

The blocking rules that block Layer7 are configured with (*) in the To and From address fields to indicate any address(es).

I am blocking applications such as MSN Chat, Yahoo Chat, Chinese and Korean P2P applications, FTP, SSH, Remote Desktop and Remote Log-on and so on.


Please Help, or Explain why.
_________________
Thank You;
Matthew Squires


Last edited by matthew.a.squires on Mon Mar 23, 2009 1:37 pm; edited 1 time in total
matthew.a.squires
Joined: 03 Jul 2008
Posts: 110

Posted: Mon Mar 23, 2009 1:36 pm

Further troubleshooting:

When I Released & Renewed the WAN IP Address, I am able to browse the internet for a period of time. There is no set time.

At first I thought it was my ISP, but when I disable the Firewall Blocking Rules I do not experience the Browsing issue.
In addition, my VPN connections remained up (they do not point to an IP address, they point to a DNS Name) and I can access the clients and Web interfaces on the other end.

Again! While the firewall blocking rules are running I cannot browse the internet, but I am able to browse the Internal Websites. My only issue is browsing the WAN.

=============
FIREWALL RULES
=============

Chain FORWARD (policy ACCEPT 1 packets, 194 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- ETH00 * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto rdp
0 0 DROP all -- ETH00 * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto rlogin
77 14896 dropchain all -- * * 0.0.0.0/0 0.0.0.0/0
76 14702 bridge00 all -- BRIDGE00 * 0.0.0.0/0 0.0.0.0/0
1 194 CapPort all -- * * 0.0.0.0/0 0.0.0.0/0


Chain dropchain (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto msn-filetransfer
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto msnmessenger
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto aim
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto aimwebcontent
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto 100bao
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto code_red
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto soribada
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto xunlei
12 2424 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto qq
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto hotline
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto yahoo
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto napster
_________________
Thank You;
Matthew Squires
matthew.a.squires
Joined: 03 Jul 2008
Posts: 110

Posted: Tue Mar 24, 2009 3:14 pm
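When a Layer7 block set starts breaking unrelated traffic, the packet counters in the `iptables -L -v -n` dump above are the first thing to check: they show which DROP rule is actually firing. The following is an added example, not code from the post or from Zeroshell, that parses that dump format (including the K/M/G counter suffixes iptables prints for large counts) and lists the LAYER7 DROP rules with non-zero hits; the embedded sample is a shortened copy of the rule dump in this post.

```python
import re
from typing import List, NamedTuple, Optional

# Shortened copy of the rule dump posted above (sample input for this example).
SAMPLE = """\
Chain FORWARD (policy ACCEPT 1 packets, 194 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- ETH00 * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto rdp
77 14896 dropchain all -- * * 0.0.0.0/0 0.0.0.0/0
76 14702 bridge00 all -- BRIDGE00 * 0.0.0.0/0 0.0.0.0/0

Chain dropchain (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto msnmessenger
12 2424 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto qq
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto yahoo
"""

class Rule(NamedTuple):
    chain: str
    pkts: int
    target: str
    in_if: str
    out_if: str
    l7proto: Optional[str]   # None for rules without a LAYER7 match

_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def _count(tok: str) -> int:
    """iptables -v (without -x) abbreviates large counters as e.g. 14K or 2M."""
    return int(float(tok[:-1]) * _SUFFIX[tok[-1]]) if tok[-1] in _SUFFIX else int(tok)

def parse_iptables_lv(text: str) -> List[Rule]:
    """Parse `iptables -L -v -n` output into one Rule per rule line, tagged with its chain."""
    rules, chain = [], None
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "pkts":          # blank line or column header
            continue
        if f[0] == "Chain":                  # "Chain NAME (policy ...)" / "Chain NAME (n references)"
            chain = f[1]
            continue
        if len(f) < 9 or not re.fullmatch(r"\d+[KMG]?", f[0]):
            continue                         # not a rule line
        m = re.search(r"LAYER7 l7proto (\S+)", line)
        rules.append(Rule(chain, _count(f[0]), f[2], f[5], f[6], m.group(1) if m else None))
    return rules

def hit_rules(rules: List[Rule]) -> List[Rule]:
    """Every rule whose packet counter is non-zero, most-hit first."""
    return sorted((r for r in rules if r.pkts > 0), key=lambda r: -r.pkts)

def l7_drops_with_hits(rules: List[Rule]):
    """(chain, l7proto, pkts) for each LAYER7 DROP rule that has actually matched traffic."""
    return [(r.chain, r.l7proto, r.pkts) for r in hit_rules(rules) if r.target == "DROP" and r.l7proto]

if __name__ == "__main__":
    for chain, proto, pkts in l7_drops_with_hits(parse_iptables_lv(SAMPLE)):
        print(f"{chain}: l7proto {proto} dropped {pkts} packets")
```

Run it against a fresh `iptables -L -v -n` capture from the router instead of SAMPLE; a Layer7 pattern with a climbing counter while browsing fails is the rule to review first.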

=================
Continued troubleshooting
=================

The issue seems to be linked to OpenDNS.
I do not subscribe to the OpenDNS Service, but I use their two DNS IP Addresses.
I consulted with another Admin and he had the same issue with OpenDNS.
According to his experience with OpenDNS, after about 30 minutes his network loses the ability to browse the Internet (WAN) but is able to browse the Intranet (Local).

I tried installing the OpenDNS fix and the router crashed.
I re-built the router and restored the config file.
I removed the OpenDNS IP Addresses and am again using the local ISP DNS Service.
I will report the results, good or bad.
_________________
Thank You;
Matthew Squires
matthew.a.squires
Joined: 03 Jul 2008
Posts: 110

Posted: Thu Mar 26, 2009 2:35 pm

For anyone who is interested:

I removed the OpenDNS IP Address from within DNS / Forwarders and the network clients have not experienced any additional negative issues browsing the Internet (WAN).

In the Future:
I would like to use OpenDNS, but before I do I will build a new router, apply all of the patches (including the OpenDNS patch) and then duplicate the existing network. But not at this time.

The Layer7 blocking rules are working great.

Thank you Fulvio Riccardi, and thank you ZS
_________________
Thank You;
Matthew Squires
WilliamBondi
Joined: 19 Feb 2014
Posts: 3

Posted: Fri Feb 21, 2014 10:03 am

The rules for blocking internet for different users keep on changing as and when you see the technology changing. As you know how the technology is changing at a great pace, it is important to check the updates and the newer ways of doing so. Keeping up to date on these things can really help you a lot in doing this job in the right way. Now there is software like SKEEBLOO available on the market as a LAN and internet blocker. You can find more information on http://www.truetime-applications.com
All times are GMT