Restrict access to all but one website using a firewall

Discussion in 'other firewalls' started by WSFfan, Jan 2, 2013.

Thread Status:
Not open for further replies.
  1. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
How to allow connections to only one website using a firewall? You can also suggest some alternative methods to achieve the same.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    What is it you're trying to restrict? Are you looking to restrict a single application or more than that?
     
  3. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
I want to allow connection to my Banking website only (similar to Banking mode of Online Armor Premium)
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Well, here's my opportunity to post what I was reluctant to post some days ago :D ...This is how I did it with Chrome Portable:

    Setup:
    • Chrome browser – Stable release or Portable version
    • Windows 7 x64
    • Standard User account
    • MS EMET 3.5
    • Application Firewall (I use Jetico 2.0) that will alert and log connection attempts.
    Windows account type: Standard User account. This helps to apply the principle of “Least user privilege”. There is no need for the majority of people to run full time from an administrator account type.

    UAC: set slider to “Always notify”

    Microsoft EMET v3.5: Configure apps: enable all checkboxes for chrome.exe and GoogleUpdate.exe


    Harden Chrome: Settings >> +Show advanced settings. Configure the settings as follows:
    • Extensions: remove any listed
    • Plugins: Unless your bank’s website requires them, disable all plugins not required, especially java, flash and PDF viewers by typing in the address field >> chrome:plugins then <enter>. Click on “disable” to disable ALL plugins you think you won’t need.
    • Set Home Page to your bank’s home page
    • On startup: Open a specific page: >> Your bank’s home page URL eg: -http://www.rbcroyalbank.com/personal.html (omit the “-“ prefix)
    • Privacy: enable> Enable phishing and malware protection clear > Use a web service to help resolve navigation errors, Use a prediction service to help complete searches and URLs typed in the address bar, Automatically send usage statistics and crash reports to Google
    • Passwords and forms: clear> both checkboxes
    • Content Settings: enable> Block third-party cookies and site data (but allow exceptions for your bank’s URL’s)
    • Javascript >> Do not allow any site to run javascript >> Manage Exceptions >> add the required bank’s URL’s, eg: -https://[*.]www.rbcroyalbank.com:443, -http://www.rbcroyalbank.com, -https://[*.]www1.royalbank.com:443
    • Images: enable> Do not show any images >> Manage exceptions >>add your bank’s URL’s (same as with javascript exceptions)
    • Plug-ins: enable> Block all

    Firewall:
    *Note: this security restriction is optional. It takes some considerable time and effort to set up, but it will provide absolute control over where the browser is allowed to connect to, in this case only your bank’s required ip addresses. Once the rules are created, they can be exported/saved, so they won’t have to be re-created.

    I have found that many of the ip addresses needed are not only the bank’s, but those of Amazon, Google, Verisign, my ISP’s, and a few others, but they are all legitimate and required for the bank website’s full functionality – at least when using Chrome browser.

    • Remove any current rules for Chrome and set the firewall to alert on its connection attempts.
    • open Chrome to bank’s website and allow all connection attempts with permanent granular rules for remote ip address and ports. Don’t worry about local ip address/port connections. Remote ports should only be 80 or 443.
    • continue above step when signing into your account
    • close Chrome, re-open and repeat previous two steps restricting single ip addresses to single remote ports, and repeat this process 2-3 more times. You are probably going to see a lot of legitimate connection attempts for your bank's web site.
    • Now if your firewall will allow subnet mask entries, change all the IP addresses to Class B types by keeping the first two octets the same, changing the last two to “0”, and then use a “/255.255.0.0”. For example, a single IP address of: 150.200.45.15 will be changed to: 150.200.0.0/255.255.0.0
    • Jetico firewall v2, for example, allows IP addresses with subnet masks, and you will probably find that some other software application firewalls allow them too.
    • Use these IP w/subnet mask entries and replace the single IP address for the current rule, then delete any other previously created single ip rules that the ip range rule will cover. IOW, if you have four rules to remote port 80 with: 74.125.46.25, 74.125.42.30, 74.125.40.128, 74.125.50.200, then the subnet mask of 74.125.0.0/255.255.0.0 will cover them all, so you can eliminate them all with one rule of
      Code:
      remote TCP = 74.125.0.0/255.255.0.0, remote port = 80
      . Or
      Code:
      remote TCP = 74.125.0.0 – 74.125.255.255, remote port= 80
      Important! Use the subnet mask or IP address range only, when finalizing your rules! - attempting to maintain single IP address rules will require far too much time and effort.
    • Finally, depending on how the firewall processes rules, create a “Block” or “Reject” rule where needed only after you are sure you’ve created all the necessary “Allow” rules for the bank’s website to function properly.
    You only need to create a small collection of single ip address rules in the beginning stages, then convert them to Class B subnet ranges. Hope this makes sense.

    Note

    You can try to maintain single IP addresses. Depending on what's necessary for reliable connection to your bank's website, including sign-in page, it may work for you without the constant hassle of updating IP addresses. IMO, it's easier and still very secure to convert the IP addresses to Class B ranges.

    Alternatively if using Chrome, you could try m00nbl00d's method of using the command line switch. If you search his name and command line switch there are posts found on it.
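The rule-consolidation steps in the post above (collect single remote ip/port pairs from the firewall alerts, keep only remote ports 80 and 443, then widen each address to its Class B range and merge duplicates) can be scripted so the final ruleset is produced mechanically rather than by hand. The following is an added example, not wat0114's own code or any Jetico export format; the alert list is constructed sample data (the 74.125.x.x addresses mirror the post's example, the others are arbitrary), the rule text format imitates the post's "remote TCP = ..." lines, and the /16 widening is exactly the "first two octets the same, last two set to 0, mask 255.255.0.0" step. A final catch-all block line is appended so the allow rules are only meaningful if the firewall evaluates them before the block, which is the post's last bullet.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of firewall alerts (remote ip, remote port) observed while
# loading a bank site several times. Not real bank addresses.
SAMPLE_CONNECTIONS = [
    ("74.125.46.25", 80),
    ("74.125.42.30", 80),
    ("74.125.40.128", 80),
    ("74.125.50.200", 80),
    ("150.200.45.15", 443),
    ("150.200.45.16", 443),
    ("203.0.113.9", 443),
    ("203.0.113.9", 8080),   # not 80/443: reported for review, never auto-allowed
]


def class_b_range(ip):
    """Widen a single address to its Class B (/16) network,
    e.g. 150.200.45.15 -> 150.200.0.0/255.255.0.0 as in the post."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def consolidate(connections, allowed_ports=(80, 443)):
    """Turn observed (ip, port) pairs into {network: {ports}} allow rules.
    Pairs on unexpected remote ports are returned separately so a human
    can decide on them instead of the script silently allowing them."""
    rules = defaultdict(set)
    rejected = []
    for ip, port in connections:
        if port not in allowed_ports:
            rejected.append((ip, port))
            continue
        rules[class_b_range(ip)].add(port)
    return dict(rules), rejected


def format_rules(rules):
    """Render the consolidated rules in the post's "remote TCP = ..." style,
    one allow line per (network, port), followed by the final block rule."""
    lines = []
    for net in sorted(rules, key=lambda n: int(n.network_address)):
        for port in sorted(rules[net]):
            lines.append(
                f"remote TCP = {net.network_address}/{net.netmask}, remote port = {port}"
            )
    # Must come after the allow rules in a first-match firewall.
    lines.append("remote TCP = any, remote port = any -> Block")
    return lines


def is_allowed(rules, ip, port):
    """Check what the finished ruleset would do with a new connection attempt."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net and port in ports for net, ports in rules.items())


if __name__ == "__main__":
    allow, review = consolidate(SAMPLE_CONNECTIONS)
    for line in format_rules(allow):
        print(line)
    for ip, port in review:
        print(f"review manually: {ip}:{port}")
```

Running it collapses the four 74.125.x.x port-80 alerts into the single `74.125.0.0/255.255.0.0, remote port = 80` rule the post describes, and `is_allowed` lets you confirm that an address inside an allowed /16 but on a port you never allowed is still blocked. The trade-off is the one the post acknowledges: a /16 admits far more hosts than the bank alone, which is why the port restriction and the browser hardening above still matter.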
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Would just like to add that using Google Chrome command line switch --host-rules won't work (at least, for now) if your bank is using IP ranges, or in other words way too many IPs. But, if it uses very few IPs, like some banks do, then it will work just fine. :)


    @ wat0114

    Come'on you got rid of Windows firewall? :argh: :p ;) (I kinda miss the alerts too and the nice logs. :D )
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Oh, I didn't know that, thanks for the clarification!

    Oh no, not really gotten rid of it, just using Jetico for a while to build a very comprehensive ruleset which I can later apply to Windows firewall whenever I go back to it :) The trouble with Win firewall is it doesn't allow use of wildcards or application groups, like Jetico, for applications.

    eg:
    Code:
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_*.exe
    ...very handy for this type of application.
     
    Last edited: Jan 2, 2013
  7. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469


    orrrrrrrrrrrr

    install peerblock, block every ip except internal lan and the ip of the website you want to visit.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Peerblock appears to work off a "blacklist" concept, using lists of known bad IP addresses to compare the ones you want to connect to against the lists.
     