Access Restrictions

If your problem doesn't fall into one of the other categories, report it here.

Draakon
Posts: 8
Joined: Fri Aug 13, 2010 7:44 am

Access Restrictions

Post by Draakon »

I'm having trouble getting access restrictions to work. First of all, there seems to be a lack of documentation about this feature. Well.. maybe it should be self-explanatory, but I'm still quite confused. While adding a new rule I have to select resources to block: I don't understand whether there is AND or OR between those "layers". Well.. let's suppose I want to block the BitTorrent protocol. I select BitTorrent from "Application Protocol" and leave all other fields set to "Block All". Does it now read as: block if ((protocol=BitTorrent) AND (local_port=ANY) AND (Remote Port=ANY) ...). I hope you understand what I mean.

Anyway... my final goal would be blocking all outside traffic except HTTP (and a few other protocols) for "All Hosts Except" <ip-range here>. I tried applying the following rule (left "All hosts" as target):
Image
But it doesn't seem to work - nothing is blocked. What am I doing wrong?

WRT54G v2.2
gargoyle_1.3.3-wrt54g-squashfs.bin

Thank you in advance.

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Access Restrictions

Post by Eric »

The problem here is that you're trying to use the Application protocol (layer7) to implement an exception, which doesn't really work.

The reason it doesn't work is that in order to correctly identify what protocol a connection is using, the router first needs to see a couple of packets from that connection. But... given these settings it doesn't get a chance. The first packet isn't enough to classify the connection as http, so that packet gets dropped, and the whole connection gets dropped.

A much better way to allow only http traffic would be to allow traffic only on port 80 -- this gets around the problem you are running into.
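
A toy model of the behaviour described in the reply above, as an added example that is not part of the original thread and is not Gargoyle's code. The packet tuples, the regex classifier and all function names are constructed for illustration; it compares a "block everything except layer7 HTTP" rule with a "block everything except port 80" rule on the same connection.

```python
import re

# Minimal stand-in for a layer7 pattern: it can only match once payload exists.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

# Constructed sample: client-side packets of one HTTP connection, in order.
# Each packet is (tcp_flags, dst_port, payload).
CLIENT_PACKETS = [
    ("SYN", 80, b""),
    ("ACK", 80, b""),
    ("PSH,ACK", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

def classify_l7(payloads):
    """Return 'http' once the payload seen so far looks like an HTTP request."""
    return "http" if HTTP_REQUEST.match(b"".join(payloads)) else None

def allow_by_l7(packet, seen_payloads):
    """Exception rule: pass only packets of connections classified as HTTP."""
    return classify_l7(seen_payloads + [packet[2]]) == "http"

def allow_by_port(packet, seen_payloads):
    """Exception rule: pass only packets addressed to TCP port 80."""
    return packet[1] == 80

def run_connection(packets, allow):
    """Feed packets through a default-drop filter; return (flags, verdict) pairs."""
    verdicts, seen = [], []
    for packet in packets:
        if allow(packet, seen):
            seen.append(packet[2])
            verdicts.append((packet[0], "ACCEPT"))
            continue
        verdicts.append((packet[0], "DROP"))
        if packet[0] == "SYN":
            # No SYN-ACK ever comes back, so the handshake never completes
            # and the client never sends the packet that carries the request.
            break
    return verdicts

if __name__ == "__main__":
    print("layer7 exception: ", run_connection(CLIENT_PACKETS, allow_by_l7))
    print("port 80 exception:", run_connection(CLIENT_PACKETS, allow_by_port))
```

The port rule can be decided on the first packet, which is why it works, but it passes anything sent to port 80 whether or not it is actually HTTP.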
