Netgear - Firewall Rules

My wife wants me to ban my son from the internet (she caught him on an adult website! boy was he embarrassed!!! :D ).

We have 4 PCs in the house, 2 desktops upstairs in each of the kids' rooms and a notebook, these are connected via wireless. My desktop is the only ethernet cabled machine, I also have an HP LaserJet5N wired to the router.

The router is a Netgear DG834N with a copy of the DG Team firmware.

Both the PCs upstairs and the printer are set to a static IP address and the IPs are reserved in the router:

Printer: 192.168.2.100
Daughter's PC: 192.168.2.101
Son's PC: 192.168.2.102

My desktop and notebook are on DHCP.

I set up the following rule in firewall rules:

Outbound Services
#:1
Service Name: Any(TCP)
Enable: ticked
Action: BLOCK ALWAYS
LAN Users: 192.168.2.102
WAN Servers: Any
Log: Always

However it does not work and I can access the internet with this rule running.

Can anyone tell what is wrong with the rule? Is there anything else that I need to do on the firewall?

TIA. :cool:
 
I can't get this to work on my DG834GT either.
You could just remove his wireless adaptor, or disable DHCP and set the pool to only have three addresses that are reserved for the MACs of the other three PCs, or change your WPA key and don't let him know it, or set up a wireless access list.
 
I can't get this to work on my DG834GT either.
You could just remove his wireless adaptor, or disable DHCP and set the pool to only have three addresses that are reserved for the MACs of the other three PCs, or change your WPA key and don't let him know it, or set up a wireless access list.

He needs to be on the network - printer server.
 
I can't get this to work on my DG834GT either.
You could just remove his wireless adaptor, or disable DHCP and set the pool to only have three addresses that are reserved for the MACs of the other three PCs, or change your WPA key and don't let him know it, or set up a wireless access list.

If I don't find a way via the firewall rules, then I might just change the WPA key as you say.... good idea!! ;)
 
He needs to be on the network - printer server.

I thought about that and decided that anything he wants to print, he could put it on his flashdrive and bring it to me for printing or take it to the school library for printing, though it would be easier if I could just stop his internet access.
 
You have turned "scheduling" on on the router?
Schedule Help
If you have set Firewall Rules on the "Rules" screen or Keyword Filtering on the "Block Sites" screen, you can set up a schedule for when the rules are applied.

If it still doesn't work how about some sort of parental control software on the PC in question - there's some built into Vista I believe and I seem to recall someone posting a link to a free MS program for XP in the Windows section some time ago but can't recall the name - sorry.
 
This does seem like a bit of an extreme reaction. Install parental controls on there to block adult sites. And maybe just ban him from using it for a short period.

Not that it's really any of our business how you do your parenting :p
 
This does seem like a bit of an extreme reaction. Install parental controls on there to block adult sites. And maybe just ban him from using it for a short period.

Not that it's really any of our business how you do your parenting :p

:) It is my wife that wants to ban him, personally I think he is of that age where he is curious!! I mean it was one of the first things I went to when I first got onto the net!! of course I did not tell her that!!! I went Yes Dear, No Dear..... 3 bags full Dear!! :D He will be banned for a short while either way.

I was starting to think about a Parental Control program.

The thing for me is the Firewall rules don't seem to be working... :confused: I did a bit of googling last night and read something about a "Secret" reset procedure, but could not find anything else about it... probably one of those Urban myths!

I have tried it with a schedule and also without... still no joy.
 
I doubt you're going to get very far with the firewall rules to be honest :/

Best thing to do is to manually configure the LAN adaptor on his PC. Leave it with its current IP address but then change the gateway/DNS settings to something invalid. It should mean he can still print to the network printer but not access the net.

Of course, if he knows how to change that back, you're out of luck :)
 
I doubt you're going to get very far with the firewall rules to be honest :/

Best thing to do is to manually configure the LAN adaptor on his PC. Leave it with its current IP address but then change the gateway/DNS settings to something invalid. It should mean he can still print to the network printer but not access the net.

Of course, if he knows how to change that back, you're out of luck :)

Not if he has a limited user account, and thus cannot alter TCP/IP settings, unless as an administrator.

You could always apply the 'Content Advisor' if you're using IE.

I must say, my Netgear firewall seems to ignore the rules I placed on it, for the very same reasons as you. :rolleyes:
 
If you're going to stick some parental control on there, first thing I would do if I was him was google "Proxy site" or something along them lines...

Personally I think you should just have a Father son chat about "adult content" and then tell your wife you're going to ban him for a week or so but as said above it's not our business how you parent your kids :D
 
If the OP is capable of creating rules on his firewall, I'm sure he knows how to configure a user account. ;)

Lol, sorry Aekeron, that above statement was only an excuse for me to make my 500th post. :D

I feel ashamed......very very ashamed now. :o
 
Had a chance to try this on my DG834N now and it seems to be working for me.

Just went to firewall rules and set one up similar to the OP's except I selected "ANY(ALL)" as what to filter rather than "Any(TCP)".

Applied that and that took my laptop off the net no problem.
Code:
Wed, 2008-05-21 14:27:06 - TCP Packet - Source:10.0.0.35,4026 Destination:66.249.93.102,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:14 - UDP Packet - Source:10.0.0.15,1027 Destination:213.123.20.205,43962 - [Any(ALL) rule not match]
Wed, 2008-05-21 14:27:15 - TCP Packet - Source:10.0.0.35,4032 Destination:91.151.217.11,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:16 - TCP Packet - Source:10.0.0.35,4026 Destination:66.249.93.102,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:18 - TCP Packet - Source:10.0.0.35,4032 Destination:91.151.217.11,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:23 - TCP Packet - Source:10.0.0.35,4034 Destination:74.125.8.93,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:24 - TCP Packet - Source:10.0.0.35,4026 Destination:66.249.93.102,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:24 - TCP Packet - Source:10.0.0.35,4032 Destination:91.151.217.11,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:26 - TCP Packet - Source:10.0.0.35,4034 Destination:74.125.8.93,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:27 - UDP Packet - Source:10.0.0.15,1033 Destination:213.123.20.12,123 - [Any(ALL) rule not match]
Wed, 2008-05-21 14:27:29 - UDP Packet - Source:10.0.0.15,1027 Destination:213.123.20.204,43962 - [Any(ALL) rule not match]
Wed, 2008-05-21 14:27:30 - TCP Packet - Source:10.0.0.35,4036 Destination:216.239.113.186,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:31 - TCP Packet - Source:10.0.0.35,4038 Destination:216.239.113.186,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:32 - TCP Packet - Source:10.0.0.35,4034 Destination:74.125.8.93,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:33 - TCP Packet - Source:10.0.0.35,4036 Destination:216.239.113.186,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:34 - TCP Packet - Source:10.0.0.35,4038 Destination:216.239.113.186,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:36 - TCP Packet - Source:10.0.0.35,4039 Destination:91.151.217.11,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:39 - TCP Packet - Source:10.0.0.35,4036 Destination:216.239.113.186,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:39 - TCP Packet - Source:10.0.0.35,4039 Destination:91.151.217.11,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:40 - TCP Packet - Source:10.0.0.35,4038 Destination:216.239.113.186,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:40 - TCP Packet - Source:10.0.0.35,4026 Destination:66.249.93.102,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:44 - TCP Packet - Source:10.0.0.35,4040 Destination:74.125.8.93,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:44 - UDP Packet - Source:10.0.0.15,1027 Destination:213.123.20.205,43962 - [Any(ALL) rule not match]
Wed, 2008-05-21 14:27:45 - TCP Packet - Source:10.0.0.35,4039 Destination:91.151.217.11,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:47 - TCP Packet - Source:10.0.0.35,4040 Destination:74.125.8.93,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:51 - TCP Packet - Source:10.0.0.35,4041 Destination:216.239.113.186,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:52 - TCP Packet - Source:10.0.0.35,4042 Destination:216.239.113.186,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:53 - TCP Packet - Source:10.0.0.35,4040 Destination:74.125.8.93,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:54 - TCP Packet - Source:10.0.0.35,4041 Destination:216.239.113.186,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:55 - TCP Packet - Source:10.0.0.35,4042 Destination:216.239.113.186,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:59 - UDP Packet - Source:10.0.0.15,1027 Destination:213.123.20.204,43962 - [Any(ALL) rule not match]
Wed, 2008-05-21 14:28:00 - TCP Packet - Source:10.0.0.35,4041 Destination:216.239.113.186,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:28:01 - TCP Packet - Source:10.0.0.35,4042 Destination:216.239.113.186,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:28:14 - UDP Packet - Source:10.0.0.15,1027 Destination:213.123.20.205,43962 - [Any(ALL) rule not match]
Wed, 2008-05-21 14:28:14 - ICMP Packet - Source:10.0.0.35 Destination:212.58.251.195 - [Any(ALL) rule match]
Wed, 2008-05-21 14:28:29 - UDP Packet - Source:10.0.0.15,1027 Destination:213.123.20.204,43962 - [Any(ALL) rule not match]
Wed, 2008-05-21 14:28:29 - ICMP Packet - Source:10.0.0.35 Destination:212.58.251.195 - [Any(ALL) rule match]
Wed, 2008-05-21 14:28:31 - UDP Packet - Source:10.0.0.15,1033 Destination:213.123.20.12,123 - [Any(ALL) rule not match]
Wed, 2008-05-21 14:28:44 - UDP Packet - Source:10.0.0.15,1027 Destination:213.123.20.205,43962 - [Any(ALL) rule not match]

As you can see from the logs it's dropping packets from the .35 address - laptop IP I wanted to test it with - but allowing packets from other stuff just fine.
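
A way to run the same check on a log like the one above, as an added example that is not part of the original post: it parses lines in the format shown and reports, for a chosen LAN address, which protocols the block rule caught, any of that host's packets the rule missed, and any other host the rule caught. It takes "rule match" to mean the block rule was applied, as the poster reads it; the function names and the malformed sample line are made up for the example.

```python
import re
from collections import Counter

# Four lines copied from the log excerpt above plus one constructed malformed line.
SAMPLE_LOG = """\
Wed, 2008-05-21 14:27:06 - TCP Packet - Source:10.0.0.35,4026 Destination:66.249.93.102,80 - [Any(ALL) rule match]
Wed, 2008-05-21 14:27:14 - UDP Packet - Source:10.0.0.15,1027 Destination:213.123.20.205,43962 - [Any(ALL) rule not match]
Wed, 2008-05-21 14:28:14 - ICMP Packet - Source:10.0.0.35 Destination:212.58.251.195 - [Any(ALL) rule match]
Wed, 2008-05-21 14:28:31 - UDP Packet - Source:10.0.0.15,1033 Destination:213.123.20.12,123 - [Any(ALL) rule not match]
truncated line - TCP Packet - Source:10.0.0.35
"""

# ICMP lines carry no port, so both port groups are optional.
LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - (?P<proto>\w+) Packet - "
    r"Source:(?P<src>[\d.]+)(?:,(?P<sport>\d+))? "
    r"Destination:(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? - "
    r"\[(?P<rule>.+?) rule (?P<verdict>match|not match)\]$"
)

def parse(log_text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["matched"] = event.pop("verdict") == "match"
            events.append(event)
    return events

def audit(events, blocked_ip):
    """Assumption: 'rule match' means the block rule was applied to the packet."""
    hits, leaks, collateral = Counter(), [], []
    for e in events:
        if e["src"] == blocked_ip:
            if e["matched"]:
                hits[e["proto"]] += 1   # protocol the rule caught for this host
            else:
                leaks.append(e)         # blocked host's packet the rule missed
        elif e["matched"]:
            collateral.append(e)        # rule hit a host it was not meant for
    return hits, leaks, collateral

if __name__ == "__main__":
    hits, leaks, collateral = audit(parse(SAMPLE_LOG), "10.0.0.35")
    print(dict(hits), len(leaks), len(collateral))
```

A protocol missing from the hit counts only means the sample held no such packets from that host, so it does not show that the protocol is blocked.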
 
I feel ashamed......very very ashamed now. :o

you should be :p and a Notts lad as well!!! ey up meh duck!! :cool:

I think limited accounts are too restrictive, done that before with him and I ended up putting it back, as he installs games all the time and it was a pita!

ATM I used Aekeron's advice and changed the gateway to 192.168.2.0, that has worked and keeps him on the network for printing. As far as he is concerned

I will try the ALL(TCP/UDP) rule.... but not hopeful. I am quite disappointed about these rules not working... like I said in an earlier post I am going to do some digging and see what comes up!! :D:D:D
 
Had a chance to try this on my DG834N now and it seems to be working for me.

Just went to firewall rules and set one up similar to the OP's except I selected "ANY(ALL)" as what to filter rather than "Any(TCP)".

Applied that and that took my laptop off the net no problem.
As you can see from the logs it's dropping packets from the .35 address - laptop IP I wanted to test it with - but allowing packets from other stuff just fine.


Yup that works fine. Just tried it.
 