Block internet access for one computer, but allow LAN access


antithesis

Quickie for the tech boffins -

 

I have a Mac Mini that I use as a file server on the LAN. It does things like automatically move files from folder A to NAS folder B, compress video in Handbrake, rename files and organise directory trees etc. 

 

Given my level of paranoia about ransomware and zero current viable apps to address it on a Mac, this is the only computer on the network with write permissions to a number of NAS directories. All WAN-enabled computers (all Macs) have read-only access to those folders. 

 

I have my LAN physically separated from the internet using a series of switches. One ethernet cable is then piped from the main switch into the Netduma and only the Netduma is connected to the cable modem.

 

So here's the big question - can Device Manager on the NetDuma block WAN access for a specific device without affecting its access to the LAN? The R1 is handling DHCP for the LAN, so I'm assuming the big red Block button will block it locally too.

 

If that won't work, any other suggestions? It's conceptually really simple - full LAN access, no WAN access for one specific device, but I'm not sure the best way to go about it.



I don't know much about how it works... but I think a solution could be using Little Snitch

 

https://forums.obdev.at/viewtopic.php?f=1&t=9301



LittleSnitch is an app firewall. As invaluable as LS is, it doesn't prevent an inbound network intrusion, it's job is to block outgoing internet calls from apps.

 

If ransomware infected the network via an email attachment or web nasty, a firewall won't help in the slightest. Hence the need to block all WAN access on the one machine that has write privileges to everything, to prevent infection or intrusion in the first place.

 

I stack LittleSnitch with Murus (PF Firewall GUI), Vallum and Ransomwhere, which is as tight as I can get it from a software perspective, but it's not as simple as a WAN block.

 

I can tie internet access on the Mini to a VPN connection, allow WAN access only through that via a killswitch and leave the VPN disconnected, but that will bork my LAN access in the process as the killswitch disables the network interface.

 

Equally, some Murus rules should do the job (and may have to), but there's gotta be something easier and less susceptible to user error.

 

What I'm after is a solution that'll simply block internet access to / from this machine while permitting LAN access on demand. I can see equal application in moderating my kids' web access while still being able to use the LAN, so there's gotta be some idiot-proof way to do this. Routers should be capable of this and are perfectly positioned in the chain to do so.

 

If the Mini wasn't tied into the R1's DHCP, I reckon Device Manager would do the job. Hence the query - does Block block WAN access only, or does it block WAN + LAN? 

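The PF route mentioned above amounts to "pass outbound to LAN ranges, drop everything else". The following is an added example (not code from the thread, nor from Murus or Little Snitch) that models that policy in Python so it can be replayed against a connection log, and renders the same policy as a pf.conf fragment. Assumptions: the LAN uses RFC 1918 or IPv6 ULA addressing, the Mini's interface is en0, and the connection records are constructed to resemble a per-connection monitor export (process, destination, port); the WAN addresses in it are RFC 5737/3849 documentation addresses, not real hosts.

```python
"""LAN-only egress policy for one host, modelled so it can be replayed.

Added example, not code from the thread or from Murus/Little Snitch.
Assumptions: the LAN uses RFC 1918 (or IPv6 ULA) addressing, the Mini's
interface is en0, and SAMPLE_LOG below is constructed, not captured.
"""
import ipaddress

# What counts as "LAN" for this policy.  Loopback, link-local and multicast
# are included so local services and Bonjour/mDNS keep working.  The IPv6
# entries matter because a v4-only block leaves v6 egress wide open if the
# router hands out a global prefix.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4",    # link-local, lo, mcast
    "fc00::/7", "fe80::/10", "::1/128", "ff00::/8",     # ULA, v6 link-local, lo, mcast
)]


def is_lan(address: str) -> bool:
    """True if the destination falls inside one of the LAN ranges."""
    ip = ipaddress.ip_address(address)
    # An address of one IP version is never "in" a network of the other,
    # so mixing v4 and v6 networks in the list is safe.
    return any(ip in net for net in LAN_NETWORKS)


def decide(dst: str) -> str:
    """Outbound policy: LAN destinations pass, everything else is dropped."""
    return "pass" if is_lan(dst) else "block"


def pf_ruleset(interface: str = "en0") -> str:
    """Render the same policy as a pf.conf fragment.

    A table is used rather than a negated list: pf expands '! { a, b }'
    into one rule per element, which does not mean 'not in the set'.
    """
    entries = " ".join(str(net) for net in LAN_NETWORKS)
    return "\n".join([
        f"table <lan_nets> const {{ {entries} }}",
        f"block drop out quick on {interface} to ! <lan_nets>",
        f"pass out quick on {interface} to <lan_nets> keep state",
    ])


# Constructed connection records, not a real capture.  WAN addresses are
# taken from the documentation ranges (203.0.113.0/24, 198.51.100.0/24,
# 2001:db8::/32).
SAMPLE_LOG = [
    ("Finder",        "192.168.1.20",  445),   # SMB to the NAS
    ("HandBrake",     "192.168.1.20",  445),
    ("mDNSResponder", "224.0.0.251",   5353),  # Bonjour discovery
    ("mDNSResponder", "192.168.1.1",   53),    # DNS to the router's forwarder
    ("Safari",        "203.0.113.10",  443),
    ("imagent",       "198.51.100.7",  5223),  # push-notification style port
    ("ntpd",          "2001:db8::123", 123),   # IPv6 WAN destination
]


def replay(log=SAMPLE_LOG):
    """Return each record with the verdict the policy would give it."""
    return [(proc, dst, port, decide(dst)) for proc, dst, port in log]


def blocked_processes(log=SAMPLE_LOG):
    """Names of processes that would lose at least one connection."""
    return sorted({proc for proc, dst, _, v in replay(log) if v == "block"})


if __name__ == "__main__":
    print(pf_ruleset())
    for proc, dst, port, verdict in replay():
        print(f"{verdict:5}  {proc:14} {dst}:{port}")
```

Two caveats worth keeping in mind when comparing this with the router-side Block button. First, the DNS record above passes: the router's forwarder at 192.168.1.1 is a LAN address, so names still resolve even though the connections that follow are dropped, which is why "can it resolve example.com" is not a valid test of the block. Second, a host firewall is a control inside the host it is meant to protect; anything running as root can disable it with `pfctl -d`, whereas a block applied at the router is enforced off-box. On a flat LAN the two controls also differ in reach: frames between the Mini and the NAS go switch-to-switch and never cross the router, so a router-side block of forwarded WAN traffic cannot interfere with NAS access at all; the only LAN-facing things it could affect are services the router itself provides (DHCP lease renewal, DNS forwarding). Loading the fragment is left to Murus, which manages its own anchors; by hand, an anchor has to be referenced from /etc/pf.conf with an `anchor` rule before `pfctl -a <name> -f <file>` has any effect.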


Have you tried to just block it and see what happens? If I remember correctly, I accidentally blocked my phone and it still had wifi from my access point but it had no internet connection. My R1 is the DHCP server and my devices connect through wifi to the AP.

 

I could test this if you'd like me to. Transferring files over my LAN without WAN access on the phone.



No need to test it, I can do that myself (slight ball-ache, the Mini is headless and in a locked cage). I guess I'm kinda looking for something definitive from one of the devs.



I actually tested this real quick and it seems to only block certain things...? So I couldn't get to any outside website or service like netflix or youtube... My VPN wouldn't connect... But I could still send iMessages over wifi even with airplane mode off? Leads me to believe that certain ports are not being blocked. I believe iMessage uses port 80, 443, and 5223 which is kinda odd since 80 and 443 are normal ports.

 

I'm sure we can get an answer from Netduma themselves.



It tentatively sounds like it might do what I want, though I'd like a slightly better understanding of what Block is doing to be certain.

 

Thanks Mod!



Not a problem... Still kinda weird how iMessage can send and receive messages even though it is being blocked.

 

The only other extreme solution I could think of would be a hardware firewall


By jove, I think it works...

 

Mac Mini is Blocked via NetDuma. No interwebs, according to LittleSnitch's Network Monitor. Full LAN access.

 

It'd still be handy to know what's being blocked.


  • Administrators

Very interesting question and sounds like you've found your answer! It should block the internet completely, it may not block a site/service that you're on at the time of blocking until you quit and try to access it again. You should still be able to access the interface as well from that device.



Could be why iMessage still worked for me... I'll try it again and reboot the phone and router to see what happens.



So I blocked my phone, disconnected it from wifi... rebooted the Netduma, connected my phone... sent an iMessage perfectly fine, but no website or apps will connect. Really odd.


  • Administrators


That is odd, not sure about that one!


  • 2 weeks later...

Just a quick follow-up a couple of weeks on...

 

Firstly, the block feature of Device Manager is working perfectly for my needs. It's super-quick and easy to knock a computer completely offline while maintaining full LAN access, which is ideal for managing internet access for my ankle-biters just cutting their teeth on their first computers. That's exactly what I want, it's a hidden gem and I trust it'll be retained for Duma OS.

 

Secondly, for any other Mac users among us, I've stacked Murus (a GUI for the in-built OSX PF firewall) with LittleSnitch (app firewall) and Little Flocker as a ransomware solution. Vallum is an alternative to LittleSnitch that works hand-in-hand with Murus, but I prefer LittleSnitch as I've been using it since day dot and it offers better information on source / destination requests. The only issue I had was manually setting up port access for Plex in Murus, everything else was covered by a setup wizard in Murus or rule prompt in the respective "Little" apps.

 

My Macs (8 in the house) are all running smoothly after the initial app rulesets were set up, with no noticeable system overhead even on circa 2009 machines (0% reported CPU usage). I'm a system security control freak and am prompted whenever any unrecognised inbound or outbound network connection is made, as well as whenever any file or app access is requested by any process on local or network drives. A couple of clicks whenever something happens and the rules are updated, never to bother me again. And if anything nefarious (or not) pops up, it is instantly blocked, before there's a chance to read let alone encrypt a file.

 

I tried a bunch of other Mac anti-ransomware solutions built into anti-virus packages, but they all chewed up a tonne of system resources (10-20% CPU). I ended up settling on Sophos for free anti-virus, left the ransomware stuff to Little Flocker, the system firewall to Murus and app firewall to LittleSnitch. My primary Mac does have Intego VirusBarrier and NetBarrier installed, but it's entirely redundant. Everything is locked down tighter than a nun's...virtues...with little disruption to user interaction on any machine. 

 

Note that Little Flocker was recently purchased by F-Secure and rebadged as XFence. I snagged a free copy via their beta testing program. It's a really powerful & robust app that ended up being the perfect anti-ransomware tool to complete my security setup. Like LittleSnitch, it takes a little brainpower to ensure you're blocking the right stuff, so it's not ideally suited to the unwashed masses. But if you have an inkling about what you're doing on Mac, it's bloody great.



I don't know how their Mac version is, but on Windows https://www.malwarebytes.com/mac/ is absolutely necessary.



It's on-demand scans only on Mac. Useless unless you already have a malware infection, and you have to be a numpty to get one on a Mac.

 

Malwarebytes has a beta anti-ransomware app that'd be worth checking out on PC.



That's what I figured because it's fairly new compared to their windows software.
