If I want to block access from the internal network to a web site on a specific IP address, how/where would I create a firewall rule to do it? I have an ERLite-3 and a very simple configuration with WAN on eth0 and LAN on eth1, and eth2 is unused.
This is what I think I need to do:
Create a new ruleset (I call it LAN_OUT).
Define the port/direction to be eth1 (my LAN) and direction 'out'.
Give ruleset a default rule of accept, which otherwise allows anything else.
Create a single rule that drops anything from 192.168.9.0/24 (internal network subnet) as source and ww.xx.yy.zz (web site's fixed IP address) as the destination.
Is this roughly correct? I haven't gotten it to work, but I'm not sure if that's because of the WAN_IN rule that permits established connections.