zamar27, posted March 22, 2019 (edited March 22, 2019 by zamar27):
Eset Firewall Advanced setup offers to allow or deny a certain program sending traffic to a certain IP address or list of addresses. But some domains have a range of IP addresses, and it may change over time, while other domains regularly change their IP address. How, in this case, can I block a certain program from accessing a given domain instead of an IP address? Example: I want to allow a certain mail client to access only imap.gmail.com, but no other sites, i.e. no access to smtp.gmail.com or any other site.
Marcos (ESET Administrator), posted March 22, 2019:
As for HTTP(S) communication, you can block a particular host/URL in the URL management setup under Web and email protection. On the firewall level it's possible to create rules only for IP addresses, since these are present in the packets that are processed by firewalls.
zamar27, posted March 22, 2019:
Thanks Marcos. However, I need to block access to a particular domain name only for a certain program (an email client), but allow it for all other programs like web browsers, another email client, etc. Can you add this feature to Eset to allow creating app-based rules in Web Protection? In many instances current URLs are unknown to a user or keep changing, so being able to block a certain program's access to a domain name instead of an IP address would be more convenient or the only possible option. Or, can you suggest a workaround?
itman, posted March 22, 2019:
zamar27 said (58 minutes earlier): "In many instances current URLs are unknown to a user or keep changing, so allowing to block a certain program access to a domain name"
The URL block list has wildcard capability. For example, coding *.domain.com/* will block all URLs associated with domain.com. As far as URL blocking via firewall rule goes, it's doubtful that will ever be implemented, since most firewalls don't have such capability.
zamar27, posted March 22, 2019 (edited May 5, 2019 by zamar27):
itman said (on 3/22/2019 at 7:01 PM): "The URL block list has wildcard capability."
Great. How can I use "block a URL" for a *select* program only, not for *all* installed programs?
itman, posted March 22, 2019:
zamar27 said (26 minutes earlier): "How can I use block a URL for a *select* program only, not for *all* installed programs?"
Not possible. The assumption is that if one wants to block a domain/URL, they want to block all attempted accesses to it.
zamar27, posted March 23, 2019:
Wrong assumption, especially in this age of *telemetry* spying. All programs call home, some very often and for no legitimate reason. Some devs regularly change the IPs of their telemetry URLs.
itman, posted March 23, 2019:
zamar27 said (12 hours earlier): "especially in this age of *telemetry* spying. All programs call home"
There are third-party apps that have this capability. The installed version of Adguard (https://adguard.com/en/welcome.html), for example, will not only monitor the browser for such activity, but any other app you wish.
zamar27, posted March 23, 2019 (edited March 23, 2019 by zamar27):
Marcos said (19 hours earlier): "On the firewall level it's possible to create rules only for IP addresses since these are present in packets that are processed by firewalls."
Eset Firewall in Interactive Mode shows destination URLs in the "User Permission" popup window for each program trying to access the internet. This means URLs are clearly present in at least some (initial) DNS server requests, and this data can be used to block program access by URL instead of IP. However, when Eset adds the user rule to the Rules DB, it unjustly omits the URL the user allowed or denied access to in the above popup. Hence it's a clear Eset bug, and should be fixed. In particular, the rules Eset adds in interactive mode (any URL allowed or denied) are much broader than what the user actually permitted in the popup (only a certain URL), hence they are inaccurate. To fix the issue, the devs need to add a URL field to the Remote tab in Advanced Firewall rules.
Marcos (ESET Administrator), posted March 23, 2019:
URLs are unknown to the firewall, since the firewall doesn't inspect HTTP(S) traffic at the application layer of the OSI model. The firewall operates with packets at the lower layers (data link, network, transport), where URLs are unknown.
zamar27, posted March 23, 2019 (edited March 23, 2019 by zamar27):
However, URLs are known to Eset one way or another, which is evident when using Interactive Firewall mode. This info should not be discarded; instead, Eset devs should use their ingenuity to include and use it as selected by the user in that popup. 😎 I still believe it should be treated as a bug, because the created rule doesn't match the user's choice (and often doesn't make sense). What I suggest is Eset adding the URL to the Firewall Rule, and then the next time the same program tries to send packets to that URL, Eset will analyse the new IP for that URL coming from the DNS server, and dynamically block or allow access to it.
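The dynamic rule zamar27 describes above, and the wildcard matching itman mentions earlier for the URL list, can be sketched in code. The following is an added example written for this page; it is not ESET's code and does not describe how ESET's firewall is implemented. It is a small Python evaluator that remembers which hostname each IP was resolved from (with the DNS TTL) and then judges a program's outbound connection by hostname rather than by raw IP. All program names, hostnames, TTLs and addresses are constructed, and the 192.0.2.x addresses are RFC 5737 documentation addresses, not real resolution results. It also exercises the two cases Marcos's objection turns on: a destination IP whose name the firewall never saw, and a resolution that has expired since the rule was made.

```python
# Added example, not ESET's code: a toy per-program hostname rule evaluator
# built the way zamar27 sketches (remember hostname->IP from DNS answers,
# then judge a program's connection by hostname rather than raw IP).
# Every hostname, address and TTL here is constructed sample data; the
# 192.0.2.0/24 addresses are the RFC 5737 documentation range, not real
# resolutions of any Google host.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class DnsCache:
    """Maps a resolved IP back to the hostname(s) it was answered for."""
    # ip -> {hostname: expiry_time}
    entries: dict = field(default_factory=dict)

    def learn(self, hostname: str, ips: list, ttl: int, now: float) -> None:
        """Record one observed DNS answer (A/AAAA records) with its TTL."""
        host = hostname.lower().rstrip(".")
        for ip in ips:
            self.entries.setdefault(ip, {})[host] = now + ttl

    def hostnames_for(self, ip: str, now: float) -> set:
        """Return the unexpired hostnames this IP was resolved from."""
        live = {h for h, exp in self.entries.get(ip, {}).items() if exp > now}
        if live:
            self.entries[ip] = {h: self.entries[ip][h] for h in live}
        else:
            self.entries.pop(ip, None)  # drop stale records entirely
        return live


@dataclass
class AppRule:
    """Hostname allow list for one program (glob patterns like *.gmail.com)."""
    program: str
    allow_hosts: list
    # Default-deny: any destination not resolved from an allowed hostname.


def decide(rules: dict, cache: DnsCache, program: str, dst_ip: str, now: float) -> tuple:
    """Return ('allow' | 'deny', reason) for program -> dst_ip at time `now`.

    Programs without a rule are left alone, mirroring the thread's point that
    the restriction should apply only to the selected program.
    """
    rule = rules.get(program)
    if rule is None:
        return ("allow", "no per-program hostname rule")

    hosts = cache.hostnames_for(dst_ip, now)
    if not hosts:
        # The IP was never resolved (or the record expired): this is exactly the
        # situation a packet-level firewall is in, so there is nothing to match.
        return ("deny", f"{dst_ip} has no known hostname")

    for host in sorted(hosts):
        for pattern in rule.allow_hosts:
            if fnmatchcase(host, pattern.lower()):
                # Caveat: on shared hosting / CDNs one IP may have been answered
                # for several names, so a match on any of them is a best effort.
                return ("allow", f"{host} matches {pattern}")
    return ("deny", f"{', '.join(sorted(hosts))} not in allow list for {program}")


def demo() -> list:
    """Replay constructed DNS answers and connection attempts; returns verdicts."""
    cache = DnsCache()
    rules = {
        "mailclient.exe": AppRule("mailclient.exe", ["imap.gmail.com"]),
        "othermail.exe": AppRule("othermail.exe", ["*.gmail.com"]),
    }
    # Constructed DNS answers observed at t=0 (TTL 300 s), documentation addresses.
    cache.learn("imap.gmail.com.", ["192.0.2.10", "192.0.2.11"], 300, now=0)
    cache.learn("smtp.gmail.com.", ["192.0.2.20"], 300, now=0)

    attempts = [
        ("mailclient.exe", "192.0.2.10", 10),   # IMAP host, within TTL
        ("mailclient.exe", "192.0.2.20", 10),   # SMTP host: not in allow list
        ("mailclient.exe", "192.0.2.99", 10),   # never resolved: unknown name
        ("othermail.exe", "192.0.2.20", 10),    # wildcard covers smtp.gmail.com
        ("browser.exe", "192.0.2.20", 10),      # no rule for this program
        ("mailclient.exe", "192.0.2.10", 400),  # TTL expired: must re-resolve
    ]
    return [(p, ip, decide(rules, cache, p, ip, t)[0]) for p, ip, t in attempts]


if __name__ == "__main__":
    for program, ip, verdict in demo():
        print(f"{program:16} -> {ip:12} {verdict}")
```

Two design choices matter for anyone evaluating such a feature. First, a program that has a hostname rule is default-deny for any IP the cache cannot name, otherwise a client that connects to a hard-coded IP (or resolves through a channel the firewall does not see, such as DNS over HTTPS) would bypass the rule. Second, the cache honours the DNS TTL, which is what makes the rule survive the address changes the original question is about; it also means one IP can legitimately map to several names, so a hostname match remains a best-effort signal rather than proof of the destination.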
Marcos (ESET Administrator), posted March 23, 2019:
This is application control, not packet control at the low OSI layers performed by a firewall. We do not support application control yet.
itman, posted March 23, 2019 (edited March 23, 2019 by itman):
I will also add that corporate-level network apps that have application control still don't have the capability the OP wants:

Quote:
Step 5. Create URL Filter Policies
The URL filter can be configured as a blacklist, allowing all sites except specifically blocked URL categories, or as a whitelist blocking everything except for specifically allowed categories.
Create a URL object. Define the default policy and behavior for all unlisted sites. Go through the URL categories and select Allow or Block for each one. Edit the application policies and select which URL policy to include.
Step 6. Define Exceptions
If exceptions are required for special use cases or privileged users, you can configure exceptions for your policies:
To specify exceptions to the categories of websites that you allow or block, click the URLs tab in the URL policy settings. Then explicitly enter the URL of websites that must always be allowed or blocked.
To create exceptions to your application policies, create new application policies. Then place the new application policies over the policies that they are overriding.
Example - Block Everyone from using Facebook Except for Exempt Users
To define an exception from the standard policy, create an application policy specifically allowing access for the exempted users. On the FIREWALL > User Objects page, create a user object that includes all users and groups who are allowed to access Facebook. On the FIREWALL > Application Policy page, create an ALLOW application policy that includes the user object you just configured for allowed users and groups. Place the new exception application policy above the policy rule blocking Facebook for everyone.
https://campus.barracuda.com/product/nextgenfirewallx/doc/41093369/how-to-introduce-application-control-to-your-network/

As shown above, the capability really isn't more encompassing than what Eset already offers.
Bottom line: the capability doesn't exist at the firewall level and never will.
zamar27, posted March 23, 2019 (edited March 23, 2019 by zamar27):
itman said (4 hours earlier): "and never will"
I think Marcos is more optimistic about it than you are. 😊 This is important because he translates user needs to Eset devs. And objectively it aims at Eset being a better product with higher user demand, so everyone here is in the same boat. It doesn't have to be a feature grouped under the Firewall section specifically; I rather mean a broader Eset capability.