Now that the firewall is blocking all outbound traffic, we need to set up firewall rules that allow some traffic to pass.
In this case, we want to set up a rule that does the following:
- Allow web requests (ports 80 and 443) to pass
- Allow requests only from the GREEN network to pass
- Allow requests to only go to certain countries
Hang on—certain countries?! Yes! Absolutely!
It turns out that a lot of malware, ransomware, and other hacking attacks start by having the unsuspecting victims navigate to a malware-infested web resource. This could be a fake version of their banking site or some other web resource of interest to the victim. The kicker is that a lot of times these web resources are not even located in the same country as the victim!
There really is no reason to allow wide-open access to the entire world. It’s highly likely that the set of web resources used in a particular home or small office is relatively small and can easily be identified. While bad guys can be anywhere—from next door to halfway around the world—there are definitely some countries that house a disproportionate amount of malware-laden sites and attack origination.
What’s more, if a web resource located in one of the restricted countries is required, it can be made an exception to the rule while still blocking all other traffic to the country in general.
As IoT becomes more ubiquitous, the malware threats like IoT botnets can be mitigated if these devices aren’t allowed free access to the entire planet. In some cases, these devices should be limited to specific web resources and addresses, as they really have no need to talk to anything else. That’s where a firewall can really help.
Create a GeoIP Group
Navigate to Firewall->Firewall Groups and add a new GeoIP group. In the demonstration image above, the group Allowed_Outbound_Countries was created. Then add some favourite countries. In the above example, Australia, Canada, Great Britain, and the US were added to the group.
Create a Services Group
Navigate to Firewall Groups and create a new service group. In the example above, a service group covering web browsing traffic (ports 80 and 443, remember?) was created.
Create a Firewall Rule
Navigate to Firewall Rules and create a new rule.
- In the source area, select the GREEN network from the Standard Networks dropdown list.
- In the Destination area, select the GeoIP group that was created earlier.
- In the Protocol area, select the Service Group that was created earlier.
- Select the Accept action.
That’s it! Save the new rule, press the update rules button that appears at the top of the rules screen, and the new rule should be active.
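The rule built above has three parts that must all match: the source network (GREEN), the destination GeoIP group, and the service group (ports 80 and 443), with everything else falling through to the default deny. The following Python model is an added example, not part of the original article or of IPFire itself; it evaluates sample connections against that policy, including the exception for a single required host in an otherwise blocked country mentioned earlier. The network addresses, the GeoIP prefix table and the country placeholder `ZZ` are all constructed for the example.

```python
"""Model of the tutorial's outbound policy: default deny, then an allow
rule for web traffic from GREEN to a GeoIP group, plus an optional
exception for one host in an otherwise blocked country.
All addresses, prefixes and country assignments are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPNet = ipaddress.IPv4Network

# Constructed GeoIP table using RFC 5737 documentation prefixes (not real geo data).
GEOIP_TABLE = {
    IPNet("203.0.113.0/25"): "AU",
    IPNet("203.0.113.128/25"): "CA",
    IPNet("198.51.100.0/25"): "GB",
    IPNet("198.51.100.128/25"): "US",
    IPNet("192.0.2.0/24"): "ZZ",  # placeholder code for a country not on the allow list
}

# Standard networks (assumed addressing; adjust to the real GREEN/BLUE ranges).
NETWORKS = {
    "GREEN": IPNet("192.168.1.0/24"),
    "BLUE": IPNet("192.168.2.0/24"),
}

# The two firewall groups created in the tutorial.
ALLOWED_OUTBOUND_COUNTRIES = {"AU", "CA", "GB", "US"}  # GeoIP group
WEB_BROWSING = {80, 443}                              # Service group


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix lookup of the destination's country; None if unknown."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in GEOIP_TABLE if addr in net]
    if not matches:
        return None
    return GEOIP_TABLE[max(matches, key=lambda n: n.prefixlen)]


@dataclass
class Rule:
    source: str                 # standard network name
    ports: set                  # service group (destination ports)
    action: str                 # "ACCEPT" or "DROP"
    countries: set = field(default_factory=set)  # destination GeoIP group
    hosts: set = field(default_factory=set)      # explicit destination hosts

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if ipaddress.ip_address(src_ip) not in NETWORKS[self.source]:
            return False
        if dst_port not in self.ports:
            return False
        if self.hosts:  # host exception takes precedence over the country check
            return dst_ip in self.hosts
        return country_of(dst_ip) in self.countries


RULES = [
    # Exception first: one required host inside the blocked country.
    Rule("GREEN", WEB_BROWSING, "ACCEPT", hosts={"192.0.2.10"}),
    # The tutorial's rule: GREEN -> allowed countries, web ports only.
    Rule("GREEN", WEB_BROWSING, "ACCEPT", countries=ALLOWED_OUTBOUND_COUNTRIES),
]
DEFAULT_POLICY = "DROP"  # outbound is blocked unless a rule accepts it


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in RULES:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.action
    return DEFAULT_POLICY


if __name__ == "__main__":
    # Constructed connection attempts, mirroring the "Test Access Again" step.
    samples = [
        ("192.168.1.20", "203.0.113.5", 443),    # GREEN -> AU, HTTPS: allowed
        ("192.168.1.20", "192.0.2.5", 443),      # GREEN -> ZZ: blocked country
        ("192.168.1.20", "192.0.2.10", 443),     # GREEN -> ZZ exception host
        ("192.168.2.20", "203.0.113.5", 443),    # BLUE is not in the rule
        ("192.168.1.20", "203.0.113.5", 22),     # SSH is not in the service group
        ("192.168.1.20", "198.18.0.1", 443),     # unknown country: falls to DROP
    ]
    for src, dst, port in samples:
        print(f"{src} -> {dst}:{port} ({country_of(dst)}): {evaluate(src, dst, port)}")
```

Rule order matters: the host exception sits before the country rule so that it is evaluated first, and an unknown country never matches the allow rule, which is the safe failure mode for a default-deny policy.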
Test Access Again
Open a browser and try navigating to a website again. If that site is located in one of the allowed countries, it should display. If the site is not located in one of the countries in the GeoIP group, then the browser should eventually time out like it did earlier. This is the firewall working!
There are other types of rules that can be created, allowing very precise and specific control over which external web resources internal devices can access, and vice versa. If two or more segments are implemented, the same types of rules can be created to control access between segments as well. This is one way of preventing malware from spreading across a network like WannaCry or Petya did.