TL;DR
Yes, you can control which servers your network connects to on the internet using a firewall and access control lists (ACLs). This guide explains how.
Step-by-step Guide: Allowlisting Servers
- Understand Your Firewall
  - Most networks use a firewall as their first line of defence. Common firewalls include pfSense, Cisco ASA, Fortigate, and Windows Firewall.
  - You’ll need access to your firewall’s configuration interface (usually a web page or command-line tool). The exact steps vary depending on the firewall you use.
- Identify Allowed Servers
  - Make a list of all servers your network *needs* to connect to. This includes:
    - Email servers (e.g., smtp.gmail.com, imap.mailserver.co.uk)
    - DNS servers (e.g., 8.8.8.8, 1.1.1.1)
    - Cloud service endpoints (e.g., api.aws.amazon.com)
    - Any other essential external services.
  - Get the IP addresses or domain names of these servers. Using domain names is preferable as IPs can change.
- Create Firewall Rules
  You’ll create rules that *explicitly allow* traffic to your allowed servers and then a rule that *denies* all other outbound traffic.
  - Allow Rules: For each server, create an “allow” rule. This typically involves specifying:
    - Direction: Outbound (traffic leaving your network)
    - Protocol: TCP/UDP (or specific protocols if known – e.g., only HTTPS on port 443 for web services)
    - Source: Your internal network(s) – usually a range of IP addresses.
    - Destination: The IP address or domain name of the allowed server. If using a domain name, your firewall will resolve it to an IP address automatically.
    - Port: The port number used by the service (e.g., 25 for SMTP, 443 for HTTPS).
  - Deny Rule: Create a “deny” rule as the *last* rule in your outbound policy.
    - Direction: Outbound
    - Protocol: Any
    - Source: Your internal network(s)
    - Destination: 0.0.0.0/0 (this means all IP addresses)
    - Port: Any
- Example Firewall Rule (pfSense)
This example allows outbound HTTPS traffic to api.aws.amazon.com:

```
# Go to Firewall > Rules > LAN (the tab for your internal interface)
# Add a new rule:
Interface: LAN
Action: Pass
Protocol: TCP
Source: LAN net
Destination: Single host or alias
Destination Alias: aws_api (create this alias under Firewall > Aliases for api.aws.amazon.com)
Destination Port Range: HTTPS (443)
Description: Allow AWS API Access
```
- Example Firewall Rule (Windows Firewall with Advanced Security)
This example allows outbound traffic on port 443 to a specific IP address. Windows Firewall has no ordered “last deny rule”; the equivalent is setting each profile’s default outbound action to Block (in the firewall’s Properties), after which only traffic matching an explicit outbound allow rule gets through:

```
# Open Windows Firewall with Advanced Security
# Create a new Outbound Rule:
Rule Type: Custom
Program: All programs
Protocol and Ports: TCP, Remote port: 443 (the server's port; leave local ports at "All Ports")
Scope: Remote IP addresses: (enter the server's IP address)
Action: Allow
Profile: Domain, Private, Public
Name: Allow AWS API Access
```
- Test Your Rules
  - From a computer on your network, try to connect to an allowed server (e.g., ping api.aws.amazon.com or access a web service). It should work. Note that ping uses ICMP, so it only succeeds if you also allowed ICMP; connecting with the service’s own protocol (e.g., HTTPS on port 443) exercises the rule you actually created.
  - Try to connect to a server that is *not* on your allowlist (e.g., ping a random public IP address). It should be blocked.
- Monitor and Adjust
  - Regularly review your firewall logs to ensure the rules are working as expected and that no unauthorized connections are being made.
  - As your network needs change, update your allowlist accordingly.
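To make the “Create Firewall Rules” and “Test Your Rules” steps concrete, here is a small model of the outbound policy above evaluated the way pfSense and most firewalls do it (top-down, first match wins). This is an added illustration, not pfSense or Windows Firewall code; the LAN range and the destination IPs standing in for api.aws.amazon.com and the mail relay are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR (0.0.0.0/0 = everywhere)
    dport: Optional[int]  # destination port, None = any
    desc: str = ""

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        return (self.proto in ("any", proto)
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.dport in (None, dport))

# Constructed allowlist. Destination IPs are TEST-NET placeholders standing in for
# the addresses the firewall would resolve api.aws.amazon.com and the mail relay to.
LAN = "192.168.1.0/24"
OUTBOUND_POLICY: List[Rule] = [
    Rule("allow", "udp", LAN, "8.8.8.8/32", 53, "DNS"),
    Rule("allow", "udp", LAN, "1.1.1.1/32", 53, "DNS"),
    Rule("allow", "tcp", LAN, "203.0.113.10/32", 443, "Allow AWS API Access (alias aws_api)"),
    Rule("allow", "tcp", LAN, "203.0.113.20/32", 25, "SMTP relay"),
    Rule("deny", "any", LAN, "0.0.0.0/0", None, "Default deny: keep this rule last"),
]

def evaluate(policy: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First-match evaluation. Returns (action, description); a packet matching no
    rule is denied, so the allowlist never fails open."""
    for rule in policy:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, rule.desc
    return "deny", "implicit default"

def audit(policy: List[Rule]) -> List[str]:
    """Pre-deployment check: the catch-all deny must exist and be last, otherwise
    every allow rule below it is unreachable."""
    catch_all = [i for i, r in enumerate(policy)
                 if (r.action, r.proto, r.dst, r.dport) == ("deny", "any", "0.0.0.0/0", None)]
    if not catch_all:
        return ["no catch-all deny rule: unlisted destinations fall through"]
    shadowed = len(policy) - 1 - catch_all[0]
    return [f"catch-all deny shadows {shadowed} later rule(s)"] if shadowed else []
```

Evaluating an ICMP ping to the allowed HTTPS host returns deny, which is why the test step should use the service’s own protocol rather than ping.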

