How to Block only outgoing traffic

Posted on 2007-11-29
Medium Priority
Last Modified: 2013-11-16
I stream webcams out to the internet. I also record them for security purposes. How would I stop only the outgoing traffic at a moment's notice? I want to still record the incoming stream on the server but stop the outgoing stream so the public cannot see the stream. The catch is the person that will be enacting this action will not have domain admin privileges. In fact they will be....gulp...a receptionist!!!!! I am open to just about any option, software or hardware, as long as it doesn't cost a lot of money.

I use a custom program to record the video streams that is not very customizable.  I also have a Watchguard Firebox x700.
Question by:pghzooit
LVL 18

Expert Comment

ID: 20374020
I need to understand this correctly...

Your (IP) camera streams video directly to the internet via the firebox, or your IP DVR streams the data, or, because these IP cameras sit on your LAN, the receptionist has the software that will capture and allow her to view these cameras?

Is this receptionist on your LAN, or outside the LAN?

I am guessing she is outside this LAN and since this data is available through software, she has a piece of software that will allow her to connect to your system through the firebox?

In any case, your firebox should have a web interface and you can deny any incoming port, since the receptionist will most likely be coming from the outside in via her software. So find out what TCP ports your cameras are using. Deny or stop any port forwarding of that port to your camera(s) or DVR system.

LVL 18

Expert Comment

ID: 20374028
In blocking outgoing traffic you can do the same. Block or drop any TCP packet with that specific port being used by your camera system through the firebox.

Just have to find out what ports they use.


Author Comment

ID: 20374749
The cameras are actually coax converted to IP but are essentially IP with a port # for all we're concerned.  The cams come into the server with the software on it and then out through the firewall on the same port. (ex. Cam IP=, cam then NAT on firewall>External IP address.)

The receptionist is on the same network and does not have the software on their computer.  This is a very processor intensive program and putting the software on their computer is not an option.

What I do not want to do is give the receptionist access to the entire firewall, or web interface.  I only want them to have access to shut this one port off if the firewall is the way we choose to go.

What I prefer is a script that they can double-click on but I am not even sure if that is possible.

LVL 18

Expert Comment

ID: 20375205
That's a tall order to do a script and I doubt seriously that can be done without some sort of access to the firewall.

Well, from here I cannot help you other than, unplug the cable! :)


Author Comment

ID: 20375471
Unplugging the cable won't even work since that will stop all internet traffic throughout the entire organization.
LVL 18

Expert Comment

ID: 20375507
I was just kidding! :)


Author Comment

ID: 20384406
Can IPsec or proxies fix this?
All I really need to do is block all traffic to the gateway, right?.....or what if we had some sort of proxy server that we can toggle internet traffic on or off. I really know nothing about IPsec and proxies but it's a shot in the dark anyway trying to get this done.
LVL 32

Accepted Solution

dpk_wal earned 2000 total points
ID: 20397940
Let's see if I understood things right:

You have a web cam to which you want to deny inbound access [from external or optional network to the trusted network] to non-domain users

If this is what you wish to do and are sure about the ports which would be used for communication then here is what needs to be done [steps I am listing are generic; depending on version of WG management software which you have the steps might differ but the actual process is same]:

1. Configure Firebox to authenticate through Active Directory (AD); if you have ver 8.3.1 of software or higher you can also use LDAP
In Policy Manager of FW go to Setup->Authentication Servers; configure the AD settings here.

2. Add a group/user with auth-server as AD configured above. Setup->Authentication Users. This user/group is the one which you want to get access.

3. From Policy Manager, double-click WatchGuard Authentication policy icon. Click the Policy tab.
    From the WG-Auth connections are drop-down list, select Allowed. Below the From box, click Add.
    Select Any from the list and click Add. Click OK.
    Below the To box, click Add. Select Firebox from the list and click Add. Click OK.

4. Create a custom policy for the ports used by the application.
Eg., per your post earlier, port is 3001; Click + on toolbar in policy manager and create custom policy with TCP 3001 as port/protocol. Add the service. Configure the service as below:
Inbound "Enabled and Allowed"; from->Add->add user: group/user created in step 2; to: NAT settings to web cam.

Now your users when trying to connect to web cam would need to open authentication applet; get authenticated and only then gain access to web cam. To authenticate the users need to go to:
https://IP address of Firebox external interface:4100/

Please note in this case all users would need to first get authenticated through the applet and then only gain access to web cam; also they would need to keep the applet open at all times after authentication; if they close applet for any reasons they would need to authenticate again.
As non-domain users would not have username/password they would not be able to gain access.

If the scenario is different from what I used, please let me know and I would provide solution specific to scenario.

Please note if the case is that you wish to prevent a directly connected user on the internal ethernet switch from reaching any other host on the same switch through the firewall, then this would not be possible. WG can only intercept and prevent traffic from flowing if the traffic flows from one interface to another.
If this is the case then you would be better off using personal firewall on the said system.

Please let me know if you need more details.

Thank you.
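The accepted answer's closing suggestion (a personal firewall on the recording server) combined with the asker's wish for a double-click script, as an added example that is not part of this thread: a toggle script for a Windows Firewall rule on TCP 3001, the port named in the accepted answer. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets did not exist in 2007), that the public stream leaves the server as an outbound connection, and local administrator rights, which the receptionist in the question does not have, so the admin would expose it through a scheduled task or similar delegation rather than a bare shortcut.

```powershell
# Toggle-StreamBlock.ps1 (hypothetical file name; added example, not from the thread)
# Assumptions: Windows 8 / Server 2012 or later (NetSecurity module), TCP 3001 as in
# the accepted answer, and the public stream leaving the server as an outbound
# connection. Needs local administrator rights; the receptionist in the question
# lacks them, so the admin would run this via a delegated scheduled task or similar.

$ruleName  = 'Block public webcam stream'
$port      = 3001
$direction = 'Outbound'   # set to 'Inbound' if viewers connect to the server instead

# Inbound rules match the server's listening port, outbound rules the remote port.
$portArgs = if ($direction -eq 'Inbound') { @{ LocalPort = $port } } else { @{ RemotePort = $port } }

# Look for an existing rule; -ErrorAction hides the "not found" error on the first run.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

if (-not $rule) {
    # First run: create the block rule already enabled so the public stream stops now.
    # Only this port and direction are affected, so the camera feeds keep recording.
    New-NetFirewallRule -DisplayName $ruleName -Direction $direction -Action Block `
        -Protocol TCP -Profile Any @portArgs | Out-Null
    Write-Host "Stream on TCP $port ($direction) is now BLOCKED."
}
elseif ($rule.Enabled -eq 'True') {
    # Rule exists and is active: switch it off to let the stream out again.
    Disable-NetFirewallRule -DisplayName $ruleName
    Write-Host "Stream on TCP $port ($direction) is now ALLOWED."
}
else {
    # Rule exists but is off: re-enable it to cut the public stream again.
    Enable-NetFirewallRule -DisplayName $ruleName
    Write-Host "Stream on TCP $port ($direction) is now BLOCKED."
}

# Show the rule's current state so the operator can confirm what just happened.
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Direction, Enabled, Action
```

Each run flips the state, so the same shortcut both cuts and restores the public stream while the recording path stays untouched.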
