firewall policy between windows and linux

Sophos Firewall download restriction policies apply to all devices, including Linux machines, if their traffic passes through the firewall. Users can create rules to block access to network printers and restrict internet access based on user authentication or static IPs. Additionally, integration with Active Directory allows for bandwidth limits and user-based firewall rules to manage internet access effectively.



Yes. Download restriction policies configured in Sophos Firewall also affect Linux-based
machines (such as Ubuntu), as long as their traffic is routed through the firewall. The firewall
inspects the traffic, not the operating system that produced it.

🔐 Here's How It Works:

Sophos XG Firewall applies policies at the network level, based on zones, addresses, authenticated users and the content it can inspect, not on the client operating system.

✅ If you have a Download Restriction Policy such as:

 • Blocking files based on file types (e.g., .exe, .zip, .iso, .tar.gz)

 • Blocking based on categories (e.g., "Software Downloads" or "File Sharing" sites)

 • Blocking large file downloads (e.g., >100 MB)

 • Blocking downloads via Web Filtering or Application Control

🔁 Then these restrictions apply to any device behind the firewall, including Linux, macOS,
Android, and iOS, not just Windows.

💡 Example:

Suppose you block .zip and .exe downloads in Sophos:

 • ✅ A Windows user cannot download an .exe from any website.

 • ✅ An Ubuntu user cannot download a .zip from any browser (e.g., Firefox, Chrome). A .tar.gz is not covered unless that file type is also added to the policy.

 • ✅ wget or curl on Linux is subject to the same rule. Plain HTTP is inspected directly; HTTPS is inspected only when SSL/TLS inspection is enabled. With inspection on, curl and wget reject the firewall's re-signed certificate unless the Sophos CA has been added to the system trust store (on Ubuntu: copy the CA to /usr/local/share/ca-certificates/ and run update-ca-certificates), so the download fails either way, just with a certificate error instead of a block page.

Sophos Can Enforce This via:

Feature                   Applies to Linux?   Notes
Web Filtering (HTTP/S)    ✅ Yes              Blocks by category or URL
File Type Filtering       ✅ Yes              Blocks by MIME type or extension
Application Control       ✅ Yes              Blocks protocols such as BitTorrent
IPS/IDS                   ✅ Yes              Detects protocol misuse
SSL/TLS Inspection        ✅ Yes              Needed to see file types and URLs inside HTTPS



🛑 Limitations

If SSL/TLS inspection is not enabled, the firewall sees only the server name (SNI) and certificate
of an HTTPS connection, not the URL path, headers or content. File type rules therefore cannot fire
and HTTPS downloads slip through, on any OS. Category and hostname blocking still work.

Policies also do not apply if a Linux device is:

 • Routing around the firewall (a different default gateway, a second NIC, a VPN or a tethered connection)

 • On a VLAN or network segment whose traffic the firewall never sees, or that has no matching rule

A static IP address by itself does not bypass anything; what matters is the path the packets take.

✅ Summary

Yes — a Sophos Firewall download restriction policy applies to Linux machines just like it does
to Windows machines, if their traffic goes through the firewall and the policy is properly set.

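The decision logic described above, as an added example written for this page (it is not Sophos code and does not reproduce the firewall's engine): a small Python model of a file type download filter. Sophos matches by URL extension and MIME type; the model also reads the Content-Disposition filename and the first bytes of the body, an extra inspection point added here to show how a renamed .exe is still caught when content is inspected. It also shows the limitation from the section above: an HTTPS download is invisible to every one of these checks unless SSL/TLS inspection decrypts the session. The hostnames, paths and headers in the cases are constructed.

```python
"""Added example (not Sophos code): how a file type download filter decides,
and where it is blind.

Blocked types are matched by URL extension and MIME type (as the page says),
plus Content-Disposition filename and magic bytes (added here). Over HTTPS
nothing past the TLS handshake is visible unless SSL/TLS inspection is on,
so the filter only knows the hostname and file type rules cannot fire.
"""
import os
import re
from urllib.parse import urlparse

# Policy from the example in the text: block .exe and .zip downloads.
BLOCKED_EXTENSIONS = {".exe", ".zip"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/zip"}
# Magic bytes for the blocked types (extra inspection point, not from the page).
MAGIC_BYTES = {b"MZ": ".exe", b"PK\x03\x04": ".zip"}


def download_verdict(url, headers=None, first_bytes=b"", tls_inspected=True):
    """Return ("block" | "allow", reason) for one response as seen by the firewall."""
    parsed = urlparse(url)
    if parsed.scheme == "https" and not tls_inspected:
        # Without decryption only SNI/certificate are visible: no path, headers or body.
        return "allow", "https not decrypted: only hostname visible, file type unknown"

    ext = os.path.splitext(parsed.path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"url extension {ext}"

    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    match = re.search(r'filename\*?="?([^";]+)', hdrs.get("content-disposition", ""))
    if match:
        ext = os.path.splitext(match.group(1).strip())[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            return "block", f"content-disposition filename {ext}"

    mime = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if mime in BLOCKED_MIME_TYPES:
        return "block", f"mime type {mime}"

    for magic, kind in MAGIC_BYTES.items():
        if first_bytes.startswith(magic) and kind in BLOCKED_EXTENSIONS:
            return "block", f"magic bytes for {kind}"

    return "allow", "no blocked file type indicator"


# Constructed cases: (url, response headers, first body bytes, tls_inspected).
CASES = {
    "plain-exe": ("http://downloads.example.test/tools/setup.exe", {}, b"", True),
    "disposition": ("http://downloads.example.test/dl?id=42",
                    {"Content-Disposition": 'attachment; filename="setup.exe"'}, b"", True),
    "renamed-exe": ("http://downloads.example.test/dl?id=43",
                    {"Content-Type": "application/octet-stream"}, b"MZ\x90\x00\x03", True),
    "tarball": ("http://downloads.example.test/src/tool-1.0.tar.gz", {}, b"\x1f\x8b\x08", True),
    "https-blind": ("https://downloads.example.test/tools/setup.exe", {}, b"MZ\x90\x00", False),
    "https-inspected": ("https://downloads.example.test/tools/setup.exe", {}, b"MZ\x90\x00", True),
}


def run_cases():
    """Evaluate every constructed case; returns {name: (verdict, reason)}."""
    return {name: download_verdict(*args) for name, args in CASES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_cases().items():
        print(f"{name:16} {verdict:5}  {reason}")
```

run_cases() returns a dict of verdicts; the .tar.gz case is allowed because only .exe and .zip are in the policy, and the same setup.exe is allowed when the HTTPS session is not decrypted and blocked when it is.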


Yes, you can set printer restriction policies in Sophos Firewall, with one limitation: a firewall
controls network traffic, so it decides who can reach a printer and over which protocol, not what
the printer does with a job once it arrives.

✅ What You Can Do with Sophos Firewall to Restrict Printers:

1. Block Access to Network Printers

You can create firewall rules to:

 • Block specific IP addresses or MAC addresses (MAC host objects; note that a MAC can be spoofed) from reaching printers.

 • Block whole classes of devices (e.g., the guest network) or specific users from printing.

Example:

If your printer is at 192.168.1.50, you can:

 • Deny all traffic to 192.168.1.50 except from authorized IPs.

 • Or create a rule such as:

    Source: Guest Network → Destination: Printer IP (192.168.1.50) → Action: Deny

2. Control by Port/Protocol

Most printers listen on:

 • TCP 9100 (raw/JetDirect printing)

 • TCP 515 (LPD)

 • TCP 631 (IPP, also used by CUPS)

 • TCP 445 (SMB, when printing goes through a Windows print server)

 • UDP 5353 (mDNS/Bonjour, used by AirPrint for discovery)

 • TCP 80/443 (the printer's own web admin page)

You can deny these ports to stop unauthorized devices from printing. Two caveats: mDNS is link-local multicast (224.0.0.251), so the firewall only sees it when it routes between the client and printer subnets, and blocking it hides the printer from discovery but does not stop a client that already knows the printer's address. And blocking only some ports leaves the others open, so prefer a rule that permits just the required ports to the printer and denies everything else.

3. Create Application Control Rules

Sophos can detect some printing protocols via Application Control and block them.

4. Segregate Networks (Best Practice)

 • Place printers in a separate VLAN or zone.

 • Use firewall rules to allow only specific devices or users to access that zone.

To restrict a list of users from accessing the internet through a Sophos Firewall (e.g., XG/XGS
series), you can do this using User-based firewall rules or policies. Here’s a complete step-by-
step guide depending on how users are authenticated in your network.

🔐 Step-by-Step: Restrict Specific Users from Internet Access

✅ Option 1: If You Use User Authentication (Best Method)

If your users log in via:

 • Active Directory (AD)

 • Captive Portal

 • STAS (Sophos Transparent Authentication Suite)

 • Sophos Client Authentication Agent

You can create firewall rules or web policies based on users or groups.

🔧 Steps:

Step 1: Ensure User Authentication is Set Up

Go to:
Authentication > Services

 • Confirm users are being authenticated (via AD, STAS, or Captive Portal) and appear under Current Activities > Live Users

Step 2: Create a User Group (Optional)

Authentication > Groups

 • Create a group (e.g., BlockedUsers)

 • Add your users to this group (manually or by importing the AD group)

Step 3: Create a Firewall Rule to Block Internet Access

Go to:
Rules and Policies > Firewall Rules

 • Click "Add Firewall Rule" → "User/Network Rule"

Set:

 • Source Zone: LAN

 • Source Network/User: Select your blocked users or group

 • Destination Zone: WAN

 • Action: Deny

 • Services: Any (or just HTTP/HTTPS)

💡 Move this rule above any allow rules: firewall rules are evaluated top-down and the first match wins. The rule only matches traffic the firewall has attributed to one of those users; a host that has not authenticated (typical for a Linux machine when identity comes from STAS) carries no user and falls through to the rules below it.

✅ Option 2: Without Authentication (IP or MAC-based)

If users are not logging in, and no AD or Captive Portal is used, then:

You can block by:

 • Static IPs

 • MAC addresses (less secure, spoofable)

🔧 Steps for IP-based Blocking:

1. Assign static IPs to the users you want to restrict (or reserve DHCP leases).

2. Go to Rules and Policies > Firewall Rules

3. Create a Deny rule:

   o Source: The user's IP or IP range

   o Destination: WAN

   o Action: Deny

📝 Add a description like "Block Internet for User X"

🚫 Optional: Block with Web Filter Policy

If you want to allow LAN access but block web browsing only:

1. Go to Web > Policies

2. Create a new policy whose rule blocks all categories (default action Block), e.g., named "All Internet"

3. Apply that web policy to the firewall rule that matches the blocked users or group

A web policy only governs HTTP/HTTPS handled by the web proxy; other protocols allowed by that rule still pass, which is the point of this option.

✅ Summary Table

Method                     Best For                                          How
User-based firewall rule   Authenticated users (AD/STAS/Captive Portal)      Block via user/group
IP-based rule              Static devices without login                      Block specific IPs
MAC-based rule             DHCP or static devices (less secure, spoofable)   Block via a MAC host object
Web policy                 Limit web only, not full internet                 Assign a "Block All" web policy

In an Active Directory (AD) environment with a Sophos XG/XGS Firewall, you can restrict
internet access and apply bandwidth limits per user or group using user-based firewall rules,
traffic shaping, and authentication integration.

✅ Goal: Restrict Internet Access + Apply Bandwidth Limits for AD Users

✔️Requirements:

 • Sophos XG/XGS Firewall

 • Active Directory integration configured

 • Users authenticated through one of:

   o STAS (Sophos Transparent Authentication Suite): recommended for domain-joined Windows clients. It learns identities from Windows logon events on the domain controllers, so Linux or macOS hosts that do not log on to the domain are not identified by it.

   o Captive Portal: works for any OS with a browser, including Linux

   o Sophos Authentication Agent (SAA)

🔧 Step-by-Step Configuration

STEP 1: Integrate Sophos Firewall with Active Directory

Go to:
Authentication > Servers > Add

 • Select Active Directory

 • Enter:

   o Domain controller IP (or hostname) and port (389 for LDAP, 636 for LDAPS; prefer LDAPS so the bind credentials and lookups are not sent in clear text)

   o Bind credentials: use a dedicated, read-only service account created for the firewall, not a domain administrator; the firewall only needs to read users and groups

   o Base DN (e.g., DC=yourdomain,DC=local)

✅ Test connection to make sure it works.

STEP 2: Enable STAS (Sophos Transparent Authentication Suite)

On the Domain Controller(s):

1. Download the STAS installer from the firewall (Authentication > Client Downloads) and install it on each domain controller that users log on against.

2. Configure the STAS Agent to monitor logon events; the Collector component receives them and sends user-to-IP mappings to the firewall.

3. In the firewall, go to Authentication > STAS, enable it, and add the STAS collector's address.

STAS identifies a host only when a Windows domain logon is recorded for it. Linux or macOS machines that do not log on to the domain stay unidentified and match only network-based rules (or are sent to the captive portal if that is enabled on the rule).

STEP 3: Sync AD Groups to Sophos

Go to:
Authentication > Groups

 • Click Import Group

 • Select relevant AD groups (e.g., LimitedUsers, Staff, Guests)

STEP 4: Create Bandwidth Policy (Traffic Shaping Policy)

Go to:
System Services > Traffic Shaping > Add

Set limits:

 • Name: Limit_Internet_Users

 • Policy Association: User

 • Rule Type: Shared or Individual (use "Individual" for a per-user limit; "Shared" splits one allowance across everyone the rule matches)

 • Bandwidth Limits:

   o E.g., 512 Kbps download, 128 Kbps upload. Check the unit shown in the UI before entering the numbers: Sophos Firewall's traffic shaping fields are in KB/s (kilobytes per second), so a 512 Kbps cap is 64 KB/s.

   o Daily or monthly volume caps are a separate feature (network traffic quota policies), not part of traffic shaping.

STEP 5: Create a User-Based Firewall Rule

Go to:
Rules and Policies > Firewall Rules > Add Firewall Rule > User/Network Rule

Settings:

 • Source Zone: LAN

 • Source Network/User: Select the AD Group (e.g., LimitedUsers)

 • Destination Zone: WAN

 • Service: Any (or HTTP/HTTPS only)

 • Action: Accept

 • Traffic Shaping Policy: Select Limit_Internet_Users

 • Web Policy: Optional; assign a web filtering policy if needed

✅ Place this rule above any general "Allow all" rules, otherwise the broader rule matches first and the shaping never applies.

STEP 6: (Optional) Block Internet Completely for Some Users

To block internet:

 • Create a new deny firewall rule above all others

 • Match source as the specific AD user/group

 • Set action to Deny

 • This will stop all WAN access for those users

🔍 Testing

 • Log into a Windows PC with a domain user account.

 • Check the live users in Sophos:
   Current Activities > Live Users

 • Confirm the user is identified and the correct rule is applied (Current Activities > Live Connections shows the firewall rule ID each flow matched).

 • Repeat from a Linux host: if it does not appear in Live Users, its traffic is matching network-based rules, not the user-based ones.
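To make the ordering and identity points concrete, here is an added Python model of top-down, first-match firewall evaluation. It is not Sophos code; the zone names (PRINTERS, GUEST), addresses, the group names BlockedUsers and LimitedUsers, and the flows are assumptions constructed for the example. It covers the printer rules from the printer section (guest zone denied, staff allowed only on the printing ports, everything else dropped) and the user-based internet rules from this section, and it shows two things the steps above rely on: a blocked user gets through when the catch-all allow sits above the deny, and a host with no identity (a Linux machine not seen by STAS) skips every user-based rule and lands on whatever network rule follows, unless that rule requires known users.

```python
"""Added example (not Sophos code): top-down, first-match firewall rule evaluation
with user identity. A flow whose user is None is a host the firewall could not
identify, such as a Linux box that never logged on to the Windows domain."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "accept" or "deny"
    src_zone: Optional[str] = None     # None = any zone
    dst_zone: Optional[str] = None
    src_nets: tuple = ()               # CIDR strings; empty = any
    dst_nets: tuple = ()
    services: tuple = ()               # (proto, port) pairs; empty = any
    users: frozenset = frozenset()     # user or group names; empty = any
    known_users_only: bool = False     # like the rule option "Match known users"
    shaping: Optional[str] = None      # traffic shaping policy to attach

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    user: Optional[str] = None         # None = unauthenticated / not identified
    groups: frozenset = frozenset()

DEFAULT_DROP = Rule("default-drop", "deny")   # implicit drop when nothing matches

def _in_nets(ip: str, nets: tuple) -> bool:
    return not nets or any(ip_address(ip) in ip_network(n) for n in nets)

def matches(rule: Rule, flow: Flow) -> bool:
    if rule.src_zone and rule.src_zone != flow.src_zone:
        return False
    if rule.dst_zone and rule.dst_zone != flow.dst_zone:
        return False
    if not (_in_nets(flow.src_ip, rule.src_nets) and _in_nets(flow.dst_ip, rule.dst_nets)):
        return False
    if rule.services and (flow.proto, flow.dport) not in rule.services:
        return False
    if rule.known_users_only and flow.user is None:
        return False
    if rule.users:  # user-based rules never match a flow with no identity
        identities = ({flow.user} | set(flow.groups)) if flow.user else set()
        if not identities & rule.users:
            return False
    return True

def evaluate(rules, flow: Flow) -> Rule:
    """Rules are tried in order; the first match decides, else the implicit drop."""
    return next((r for r in rules if matches(r, flow)), DEFAULT_DROP)

# Printer section: printer in its own zone, staff allowed only on printing ports.
PRINTER = "192.168.1.50"
PRINT_PORTS = (("tcp", 9100), ("tcp", 515), ("tcp", 631))
PRINTER_RULES = [
    Rule("Staff-to-printer", "accept", "LAN", "PRINTERS",
         ("192.168.10.0/24",), (PRINTER + "/32",), PRINT_PORTS),
    Rule("Guest-no-printer", "deny", "GUEST", "PRINTERS", dst_nets=(PRINTER + "/32",)),
]

# Internet section: deny BlockedUsers, shape LimitedUsers, then a catch-all.
GOOD_ORDER = [
    Rule("Block-BlockedUsers", "deny", "LAN", "WAN", users=frozenset({"BlockedUsers"})),
    Rule("Shape-LimitedUsers", "accept", "LAN", "WAN",
         users=frozenset({"LimitedUsers"}), shaping="Limit_Internet_Users"),
    Rule("Allow-all", "accept", "LAN", "WAN"),
]
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]   # catch-all mistakenly on top
KNOWN_ONLY = GOOD_ORDER[:2] + [Rule("Allow-known", "accept", "LAN", "WAN", known_users_only=True)]

def printer_decisions() -> dict:
    """Name of the rule each constructed printer flow hits."""
    staff = frozenset({"Staff"})
    flows = {
        "staff_raw": Flow("LAN", "PRINTERS", "192.168.10.21", PRINTER, "tcp", 9100, "alice", staff),
        "staff_webadmin": Flow("LAN", "PRINTERS", "192.168.10.21", PRINTER, "tcp", 80, "alice", staff),
        "guest_ipp": Flow("GUEST", "PRINTERS", "192.168.50.7", PRINTER, "tcp", 631),
    }
    return {name: evaluate(PRINTER_RULES, f).name for name, f in flows.items()}

def internet_decisions() -> dict:
    """Rule hit (or shaping policy) for constructed LAN-to-WAN flows under each rule order."""
    dst = "203.0.113.10"
    blocked = Flow("LAN", "WAN", "192.168.10.30", dst, "tcp", 443, "bob", frozenset({"BlockedUsers"}))
    limited = Flow("LAN", "WAN", "192.168.10.31", dst, "tcp", 443, "carol", frozenset({"LimitedUsers"}))
    linux_unknown = Flow("LAN", "WAN", "192.168.10.40", dst, "tcp", 443)   # no STAS identity
    return {
        "good_blocked": evaluate(GOOD_ORDER, blocked).name,
        "good_limited_shaping": evaluate(GOOD_ORDER, limited).shaping,
        "bad_blocked": evaluate(BAD_ORDER, blocked).name,
        "good_linux_unknown": evaluate(GOOD_ORDER, linux_unknown).name,
        "known_only_linux_unknown": evaluate(KNOWN_ONLY, linux_unknown).name,
    }
```

printer_decisions() and internet_decisions() each return a dict of rule names. The staff web-admin flow on TCP 80 hits the implicit drop because only the printing ports are permitted, and the unidentified Linux host reaches Allow-all under GOOD_ORDER but is dropped under KNOWN_ONLY, which is the effect of the "Match known users" option on the catch-all rule.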

✅ Summary of Key Tools Used

Feature                       Purpose
STAS                          Identifies AD users from domain logon events, with no client prompt
Traffic Shaping Policy        Limits bandwidth per user/group
Firewall Rule (User-based)    Controls internet access
Web Filtering (optional)      Blocks categories or URLs
AD Group Sync                 Targets specific users easily
