

How to Block only outgoing traffic

Posted on 2007-11-29
Medium Priority
Last Modified: 2013-11-16
I stream webcams out to the internet. I also record them for security purposes. How would I stop only the outgoing traffic at a moment's notice? I want to still record the incoming stream on the server but stop the outgoing stream so the public cannot see the stream. The catch is the person that will be enacting this action will not have domain admin privileges. In fact they will be....gulp...a receptionist!!!!! I am open to just about any option, software or hardware, as long as it doesn't cost a lot of money.

I use a custom program to record the video streams that is not very customizable. I also have a WatchGuard Firebox X700.
Question by:pghzooit
LVL 18

Expert Comment

ID: 20374020
I need to understand this correctly...

Does your (IP) camera stream video directly to the internet via the Firebox, or does your IP DVR stream the data, or, because these IP cameras sit on your LAN, does the receptionist have the software that will capture and allow her to view these cameras?

Is this receptionist on your LAN or outside the LAN?

I am guessing she is outside this LAN and since this data is available through software, she has a piece of software that will allow her to connect to your system through the firebox?

In any case, your Firebox should have a web interface and you can deny any incoming port, since the receptionist will most likely be coming from the outside in via her software. So find out what TCP ports your cameras are using. Deny or stop any port forwarding of that port to your camera(s) or DVR system.

LVL 18

Expert Comment

ID: 20374028
For blocking outgoing traffic you can do the same. Block or drop any TCP packet with that specific port being used by your camera system through the Firebox.

Just have to find out what ports they use.


Author Comment

ID: 20374749
The cameras are actually coax converted to IP but are essentially IP with a port # for all we're concerned. The cams come into the server with the software on it and then out through the firewall on the same port. (ex. Cam IP=, cam then NAT on firewall>External IP address.)

The receptionist is on the same network and does not have the software on their computer. This is a very processor-intensive program and putting the software on their computer is not an option.

What I do not want to do is give the receptionist access to the entire firewall, or web interface.  I only want them to have access to shut this one port off if the firewall is the way we choose to go.

What I prefer is a script that they can double-click on but I am not even sure if that is possible.

LVL 18

Expert Comment

ID: 20375205
That's a tall order to do a script and I doubt seriously that can be done without some sort of access to the firewall.

Well, from here I cannot help you other than, unplug the cable! :)


Author Comment

ID: 20375471
Unplugging the cable won't even work since that will stop all internet traffic throughout the entire organization.
LVL 18

Expert Comment

ID: 20375507
I was just kidding! :)


Author Comment

ID: 20384406
Can IPsec or proxies fix this?
All I really need to do is block all traffic to the gateway, right?.....or what if we had some sort of proxy server that we can toggle internet traffic on or off. I really know nothing about IPsec and proxies but it's a shot in the dark anyway trying to get this done.
LVL 32

Accepted Solution

dpk_wal earned 2000 total points
ID: 20397940
Let's see if I understood things right:

You have a web cam to which you want to deny inbound access [from the external or optional network to the trusted network] to non-domain users.

If this is what you wish to do and are sure about the ports which would be used for communication, then here is what needs to be done [the steps I am listing are generic; depending on the version of WG management software which you have the steps might differ, but the actual process is the same]:

1. Configure the Firebox to authenticate through Active Directory (AD); if you have version 8.3.1 of the software or higher you can also use LDAP.
In the Policy Manager of the FW go to Setup->Authentication Servers; configure the AD settings here.

2. Add a group/user with the auth-server set to the AD configured above: Setup->Authentication Users. This user/group is the one which you want to get access.

3. From Policy Manager, double-click the WatchGuard Authentication policy icon. Click the Policy tab.
    From the "WG-Auth connections are" drop-down list, select Allowed. Below the From box, click Add.
    Select Any from the list and click Add. Click OK.
    Below the To box, click Add. Select Firebox from the list and click Add. Click OK.

4. Create a custom policy for the ports used by the application.
E.g., per your post earlier, the port is 3001; click + on the toolbar in Policy Manager and create a custom policy with TCP 3001 as port/protocol. Add the service. Configure the service as below:
Inbound "Enabled and Allowed"; From->Add->add user: the group/user created in step 2; To: NAT settings to the web cam.

Now your users, when trying to connect to the web cam, would need to open the authentication applet, get authenticated, and only then gain access to the web cam. To authenticate, the users need to go to:
https://IP address of Firebox external interface:4100/

Please note in this case all users would need to first get authenticated through the applet and only then gain access to the web cam; also they would need to keep the applet open at all times after authentication; if they close the applet for any reason they would need to authenticate again.
As non-domain users would not have a username/password they would not be able to gain access.

If the scenario is different from what I used, please let me know and I would provide a solution specific to the scenario.

Please note if the case is that you wish to prevent a directly connected user on the internal ethernet switch from reaching any other host on the same switch through the firewall, then this would not be possible. WG can only intercept and prevent traffic from flowing if the traffic flows from one interface to another.
If this is the case then you would be better off using a personal firewall on the said system.

Please let me know if you need more details.

Thank you.
