Tips on how best to block web access from MAC hosts

Running the latest XG firmware on an Intel Core 2 Duo with 4 GB RAM.

Curious to know how best to block access from certain MAC hosts/list using an access time?

Running a basic setup, would simply like to block the kids' iOS devices during the week and enable Chromebook web access for homework time.

Currently using firewall policies at the top of the list... but didn't see where I could use access times? E.g. deny during homework time... custom access time.

Still trying to learn the ropes with XG Firewall after spending a little over a year with UTM 9.

Thanks



  • There's no operating system based access controls you can append to rules; instead you should define 'clientless' objects within your XG with the kids' devices' MAC addresses associated to each different clientless object.

    Now that you've identified each unique device you can associate these devices within your security rules to block or allow them during certain times.

    Additionally, within your Security Rules, within the 'Source' definition section you can associate a 'During Scheduled Time' element which will enforce the rule during the times you define.  There are many presets you can use (for example, work hours, weekends) but you can add one to your liking.

    You should then be able to build rules that block your kids' iOS device during homework time (LoL - poor kids) and then only allow them to use other approved devices...

    Good luck with your kids, I hope they don't have physical access to the XG as I'm sure they'll kick it and then blame the family pet ;)  Mine did...

  • Hi,

    Configure a FW-rule, define MAC address in the Source Zone and the Scheduled time for the rule to be active. Place the rule on top.

    You can also configure the custom filter actions to allow and deny specific categories.

    I would like to mention that instead of completely relying upon XG to take care of restrictions, you must step in and personally keep an eye.

    Thanks

  • Hi,

    Thanks! This is essentially what I am doing but seemed a little clunky to me.

    For instance, I want the Chromebooks to have full access during homework time but not any other time.

    So I created a top rule as you describe above for the Chromebook MAC hosts during scheduled time for homework.

    I noticed though that outside of homework time the Chromebooks still had full access, since the next rule in line was full access for any source network. So I had to create another time just below to block all access for all the time for the Chromebooks.

    Was trying to figure out where you can use the preset "access times"... e.g. deny during weekdays, allow during weekdays etc.

    Seems only the defined "schedules" are available in the drop downs when selecting time slots.  Maybe I'm missing something.

    And I agree I don't want to fully rely on XG to restrict, but with a 14 and 12 year old it's increasingly difficult, especially when their schools now fully rely on the Google infrastructure for their schooling (Classroom, Google Drive, Google Docs, Hangouts etc.).

    Which is why I was opening up the Chromebooks a bit more so they could do their homework... but as we all know, they're not doing homework all the time or sometimes

    Joys of parenting in a digital age.

  • Hi,

    Bravo, you did exactly what is required. An explicit deny rule is required below the scheduled FW-rule to deny the traffic after the schedule policy sets the rule off. This is required when there is a rule that is defined to allow the traffic through all the time. You can define custom schedule policies by navigating through the options

    Just click on the create-new option in the drop-down for schedules. You can create a custom schedule directly.

    Thanks
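
The rule-ordering behaviour discussed in this thread, as an added example that is not part of the original posts and is not Sophos code or XG configuration. It models top-down, first-match evaluation where a scheduled rule is skipped outside its schedule; the MAC addresses, rule names, homework hours and the final default deny are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

@dataclass
class Schedule:
    days: Set[int]          # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end

@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    src_macs: Optional[Set[str]]  # None = any source
    schedule: Optional[Schedule]  # None = all the time

    def matches(self, mac: str, when: datetime) -> bool:
        if self.src_macs is not None and mac.lower() not in self.src_macs:
            return False
        # Outside its schedule the rule is inactive, so evaluation falls through.
        return self.schedule is None or self.schedule.active(when)

def evaluate(rules: List[Rule], mac: str, when: datetime) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, top to bottom."""
    for rule in rules:
        if rule.matches(mac, when):
            return rule.action, rule.name
    return "deny", "implicit-default"   # assumed default when nothing matches

# Constructed sample data (locally administered MACs, hypothetical rule names).
CHROMEBOOKS = {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"}
HOMEWORK = Schedule({0, 1, 2, 3, 4}, time(16, 0), time(18, 0))

homework_allow = Rule("chromebook-homework", "allow", CHROMEBOOKS, HOMEWORK)
chromebook_deny = Rule("chromebook-block", "deny", CHROMEBOOKS, None)
allow_any = Rule("lan-full-access", "allow", None, None)

WITHOUT_DENY = [homework_allow, allow_any]                # first attempt
WITH_DENY = [homework_allow, chromebook_deny, allow_any]  # explicit deny added

if __name__ == "__main__":
    mac = "02:00:00:AA:BB:01"
    for label, when in (("homework", datetime(2024, 1, 10, 17, 0)),
                        ("evening", datetime(2024, 1, 10, 21, 0))):
        for name, rules in (("without deny", WITHOUT_DENY), ("with deny", WITH_DENY)):
            print(label, name, evaluate(rules, mac, when))
```
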