d3xmeister1
Visitor III
March 22, 2025
Solved

How to block internet except one address (or IP) without using web filtering

  • March 22, 2025
  • 1 reply
  • 1083 views

Hi, the title says it all: how to block internet except one (or two) addresses (or IPs) without using web filtering. We don't want to make a rule to enable internet and then filter; that's something our auditor does not allow, so we have to make a rule that denies internet, then add exceptions.

I tried to make a firewall policy from the Internet interface to the VLAN we want to block from the internet, but then if I duplicate the same rule and this time add one previously created FQDN address to allow, it does not work; all internet is still blocked.


1 reply

Toshi_Esumi
SuperUser
March 22, 2025

Opposite. You want to set exceptions first from the VLAN to the internet interface, then block "ALL" to "ALL" for the same interface pair for the same direction.

Toshi

d3xmeister1
Visitor III
March 22, 2025

So what I was doing wrong was to create a block rule from the VLAN interface to that X1 Internet interface, then try to make exceptions.

This is because without a rule from the VLAN to the X1, internet won't work anyway, so all I need is to create the exceptions.

Correct?

Toshi_Esumi
SuperUser
March 23, 2025

Yes. You're right. You just need to create the policy in-to-out to allow only traffic you want to allow. Denying the rest is done by "implicit deny" policy 0.

Toshi
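What the accepted approach looks like in CLI form, as an added example that is not from either poster; it assumes a FortiGate (the thread's "implicit deny policy 0" and FQDN address objects are FortiOS concepts) and uses made-up names for the VLAN interface ("VLAN10"), the WAN interface ("wan1"), the FQDN ("app.example.com") and the policy IDs. Only the exceptions are created; there is no allow-all policy anywhere, so everything else from VLAN10 to wan1 falls through to policy 0.

```fortios
# Constructed example, not the poster's config. FQDN object resolved by the FortiGate's own DNS.
config firewall address
    edit "allowed-app-fqdn"
        set type fqdn
        set fqdn "app.example.com"
    next
end

config firewall policy
    # Exception 1: only HTTPS to the one allowed FQDN. This is the "allow only what you want" policy.
    edit 10
        set name "VLAN10-to-allowed-app"
        set srcintf "VLAN10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "allowed-app-fqdn"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
    # Exception 2 (assumption): clients that use a public resolver still need DNS, or the
    # FQDN never resolves on the client side. Scope it to the resolver you actually use.
    edit 11
        set name "VLAN10-dns-only"
        set srcintf "VLAN10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "dns-resolver-PLACEHOLDER"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
        set logtraffic all
    next
end
# No further policy for the VLAN10 -> wan1 pair: everything else hits implicit deny (policy 0).
```

To confirm the object has resolved before testing from a client, check `diagnose firewall fqdn list`; an FQDN entry with no resolved addresses matches nothing, which looks identical to "all internet still blocked".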