How do I Block Layer 7 (DPI) Applications?

Article #:

Product:

Version:

KB-16

All

All

Summary:

How to block Layer 7, or Deep Packet Inspection (DPI), applications through the firewall rather than the web filter.

Problem:

Blocking applications through the web filter is a bit fiddly. You either need to know the domains and URLs used by the application, or block the Guardian category it belongs to. This does have the advantage of presenting a block page to the user, if required and configured, advising them of the block. However, the tricky thing with apps that communicate over a network outside of a browser is that the majority of them do not adhere to proxy settings, and typically use ports for communication (which cannot be added to Guardian categories).

With the Firewall, you can drop or reject Layer 7 applications traffic based on their signature, rather than IP address or port number.

Note: Your Smoothwall must be licensed for Layer 7 to make full use of application blocking. For more information, contact your Smoothwall representative. To view a full list of those applications available with and without a Layer 7 license, see How does Smoothwall Classify Layer 7 Applications?.

Solution (Pre-Inverness Release):

  1. Go to Networking > Outgoing > Ports.
  2. Expand a relevant port rule.
  3. Click Edit for the Blocked services entry.
  4. Select the relevant Services (applications).
  5. Go to Networking > Outgoing > Policies.
  6. Add a new policy for the Port rule you added the application to.

For more information, go to https://help.smoothwall.net/Hearst/Content/ui/rule/portrules.htm and https://help.smoothwall.net/Hearst/Content/modules/rule/cgi-bin/rule/sourcerules.htm.

Solution (Inverness Release Onwards):

  1. Go to Network > Firewall > Firewall rules.
  2. Create a firewall rule, noting the following:
Applications (Apps) — Select those applications that, when detected, have their network traffic blocked.
Action — From the drop-down list, select either Drop to ignore all requests from the specified applications, or Reject to send an ICMP connection refused (ICMP destination-unreachable) message back to the originating IP address and no further communication is possible.

The above creates a basic application block rule.

Tip: The rules contained in the Firewall rules table are applied in a top-down approach (once a match is found, no further searching is made). It is recommended you create a section at the top of the table specifically for your network-specific block rules so they are not overridden by another later rule, and add the application blocking rule to it.

With the new consolidated firewall, you can also:

  • Specify the Source IP addresses to only block applications when traffic originates from those IP addresses. Leave this parameter blank to match traffic coming from all IP addresses.
  • Specify the Inbound interfaces to only block applications when traffic originates from those interfaces. Leave this parameter blank to match traffic coming from any interface, or combine this parameter with Source IP addresses to match traffic using the interface but only if it originates from those addresses.
  • Specify the Destination IP addresses to only block applications when traffic is routed to those IP addresses. Leave this parameter blank to match traffic going to all IP addresses.
  • Specify the Outbound interfaces to only block applications when traffic originates from those interfaces. Leave this parameter blank to match traffic coming from any interface, or combine this parameter with Destination IP addresses to match traffic using the interface but only if it is going to those addresses.
  • It is unlikely you would need to specify a Service when creating a block rule for an application. However, if required, you can block a particular port used by the specified Applications (Apps).
  • Specify the user Groups for whom use of those applications is blocked.
  • Choose whether to Log matching traffic to the Firewall log.

Note: You cannot create an Accept (Action) rule that allows specific applications. All applications are allowed through by default.

For a detailed description of how to create and manage firewall rules, go to https://help.smoothwall.net/Inverness/Content/ui/admin/ipfilter/forward.htm.

Tip: Use the Application Bandwidth Statistics report to help identify unwanted application traffic — see https://help.smoothwall.net/Latest/Content/cgi-bin/reports/report-application_bandwidth_statistics.htm.

Attribution:

Last updated:

Author:

Contributions by:

09th March 2017

Samantha Nair

 

 

Copyright © 2000-2016 Smoothwall All rights reserved.