Block everything except a few https-websites


#1

Our client has the Max HD4 router. Because they are in the business of online assessments they want to block access to the internet except to a few predefined domains.
Using the firewall rules a valid rule has been added. The problem is that Chrome (and other webbrowsers) are doing a verification of the SSL certificate of the domain. Because of the blocking of the validation-request the users needs to wait about 100 seconds before de cert-check of Chrome times out.

Can you help me with valid firewall rules that we can add that


#2

Hi,

Inorder to achieve what you need, basically you need to study what are the traffics will be generated while accessing to the e.g domain http://www.domainname.com and https://www.domainname.com. Single domain that user are trying browse may involve multiple back end URLs need to be allowed in-order the webpage able to load successfully. Those URLs usually is transparent to end users.

Unless the website is a simple webpage (without involved any back end URLs), then I will say you can easily define a domain name to allow the traffics. Else if this is a complex website then I would say this is the tough jobs. You need to study the URLs involved & define the domain rules to allow the websites. Do note that you need to maintain the domain rules from time to times base on the destination servers as the static domain rules defined will not reflect to the changes for the destination servers.

Beside that, do note that, you need to study also the sub-domain involve for the domain URLs that the user need to browse. For example, after the webpage (https://www.domainname.com) successful loaded and users allow to sign-up/login from the loaded page, the sub-sequence for the action may refer to other sub-domain or domain, thus you need to also put those domain/sub-domain under consideration when you define the allow rules for the domain.

To analyze the domain URLs involved, you can use HTTP/URL monitor tools in the market to study the requires URLs:

Example:
https://www.httpwatch.com/

Thank You


#3

Good Day:

What u can do its to enable the firewall logging and then run a clean connection to see what kind of protocol, port and destination the device need and then add firewall rules to allow that traffic and deny the rest.

AG