Prevent a machine from making outbound connections, but allow incoming


One of the Linux boxes on our LAN was being used as a teaching tool a few months ago. A group of newbies had permission to log in via SSH and tinker with GCC and various other Linux tools.

We wanted to make sure they couldn't use the box to make outgoing connections to the Internet (because we didn't want them surfing for pr0n with Lynx, portscanning people, or launching DoS attacks from our machine).


Our first thought was to simply drop all outgoing packets sent from the Linux box. Unfortunately, that would prevent the newbies from logging in at all (since all server responses would be dropped at the router).

Instead, we needed to block outgoing connection attempts (SYN packets), while still allowing established connections to transmit data out to the Internet.

Log in to your Freesco box as root (via telnet). Type:

cd /mnt/router/rc
edit rc_masq

Find the line that says "ban() {", and on the line just after it, type the following:

ipfwadm -F -a reject -S <ipaddress> -y -o

Replace <ipaddress> with the IP address of the machine you want to prevent from connecting to the Internet. Next, restart your nameserver:

/mnt/router/rc/rc_named restart

And you're done. At this point, the blocked machine can't make outgoing connections, but it can still accept incoming connections just fine.

Warning: Do not rely on this if you're working with advanced users. There are many ways to circumvent this form of connection blocking (e.g., sending packets without the SYN bit set). Our users were fairly clueless, so we felt that we were safe enough with this level of protection. If you're opening your machine to the public, you're going to need far better protection than this.
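To make the rule's behaviour and the warning above concrete, here is an added Python example (not from the page and not Freesco code) that emulates the stateless match ipfwadm's -y option performs (TCP, SYN set, ACK clear) on constructed IPv4/TCP headers. The banned LAN address and the remote address are assumptions; the packets are built inline and are not wire-valid (no checksums).

```python
import socket
import struct

# Emulates the forwarding-chain rule from the page:
#   ipfwadm -F -a reject -S <ipaddress> -y -o
# -y matches only TCP packets with SYN set and ACK cleared (connection requests).
BANNED_HOST = "192.168.1.50"   # assumed address of the restricted Linux box
REMOTE_HOST = "203.0.113.10"   # assumed Internet host (TEST-NET-3 range)
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10

def build_packet(src, dst, sport, dport, flags):
    """Constructed IPv4 (20 B) + TCP (20 B) header; checksums left at zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,     # ver/IHL ... TTL, proto 6 = TCP
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def forward_verdict(packet, banned=BANNED_HOST):
    """Stateless decision: reject only TCP SYN-without-ACK from the banned source."""
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    if proto != 6 or src != banned:
        return "accept"
    flags = packet[33]          # TCP flags byte: offset 13 within the TCP header
    if flags & TCP_SYN and not flags & TCP_ACK:
        return "reject"
    return "accept"

def scenarios():
    """Run the cases discussed on the page through the emulated rule."""
    cases = {
        "banned host opens outbound connection":
            build_packet(BANNED_HOST, REMOTE_HOST, 40000, 80, TCP_SYN),
        "remote host connects in to SSH":
            build_packet(REMOTE_HOST, BANNED_HOST, 51000, 22, TCP_SYN),
        "banned host answers with SYN-ACK":
            build_packet(BANNED_HOST, REMOTE_HOST, 22, 51000, TCP_SYN | TCP_ACK),
        "banned host sends data on established session":
            build_packet(BANNED_HOST, REMOTE_HOST, 22, 51000, TCP_ACK | TCP_PSH),
        # The caveat from the warning: with no connection state, an ACK-only
        # packet that belongs to no real session is indistinguishable from data.
        "banned host sends ACK-only packet with no session":
            build_packet(BANNED_HOST, REMOTE_HOST, 40001, 80, TCP_ACK),
    }
    return {name: forward_verdict(pkt) for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{verdict:7s} {name}")
```

Only the first case is rejected; the last case is why the page recommends a stateful filter for anything beyond casual users.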

But if you just want to prevent your kid from surfing for pr0n from his Windows machine, then this should suffice. :)