kireol
RealPoor Master of Posts

Joined: 02 Aug 2003 Posts: 9517
Location: Royal Oak, MI
Posted: 03/01/05 - 11:18 Post subject: windows DNS and site blocking

My boss wants me to block all sites but a small handful.
I tried turning off DNS and just adding those sites to the HOSTS file, but it didn't work, and what if those sites change their IP anyway?
Any ideas on a good way to do this?

Zuldane
RealPoor Guru

Joined: 11 Oct 2002 Posts: 4057
Location: At sea.
Posted: 03/01/05 - 11:20 Post subject:

AOL FREE 5000 HOURS

khrath
Guest
Posted: 03/01/05 - 11:27 Post subject:

You could write firewall rules that block every address on port 80 by default, then open holes for certain sites.
That'd be the easiest way to go about it, I'd think.
It'd also be easy to bypass though, and wouldn't block secure web browsing.

kireol
RealPoor Master of Posts

Joined: 02 Aug 2003 Posts: 9517
Location: Royal Oak, MI
Posted: 03/01/05 - 11:41 Post subject:

Hrmmm. Good thinking. Any recommendations on which firewall I should use?

khrath
Guest
Posted: 03/01/05 - 11:52 Post subject:

Depends on operating system, I guess.
With ipfw it would look like this:

# allow replies from Yahoo's web server (the hostname is resolved once, when the rule is added)
ipfw add pass tcp from www.yahoo.com 80 to any
# catch-all: drop replies from every other web server; this must stay the last rule
ipfw add deny tcp from any 80 to any

As long as that last line stays last, it should work fine.
I'm sure there are better ways to do it though.

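As an added illustration of the rule-ordering point khrath makes (this is not code from the thread and not an ipfw script), the Python below models a packet filter walking its rule list top to bottom and stopping at the first match, which is why the catch-all deny has to be the final rule. It builds the outbound form of the allowlist, matching destination address and port so that both 80 and 443 are covered, from hostnames that were resolved when the rules were written. The hostname, its resolved address and the other addresses it evaluates are constructed sample values (assumptions). It also shows what kireol asked about: once a site moves to a new address, rules baked from the old address silently stop matching.

```python
"""Egress allowlist as a first-match-wins rule list (added example, not from this thread).

Models a packet filter such as ipfw walking its rules top to bottom and stopping at the
first match, which is why the catch-all deny must be the final rule. Hostnames and
addresses are constructed sample data (assumptions), not real resolutions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

WEB_PORTS = (80, 443)  # allowing only 80 leaves HTTPS on 443 to the catch-all deny


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    dst_ip: Optional[str] = None     # None matches any destination address
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return self.dst_ip in (None, dst_ip) and self.dst_port in (None, dst_port)


CATCH_ALL_DENY = Rule("deny")


def build_ruleset(resolved: Dict[str, str], ports=WEB_PORTS) -> List[Rule]:
    """One allow per (address, port) for the allowlist, then the catch-all deny, last.

    `resolved` maps hostname -> address as it was looked up when the rules were written;
    a stateless filter keeps the address, not the name.
    """
    rules = [Rule("allow", ip, port) for ip in resolved.values() for port in ports]
    rules.append(CATCH_ALL_DENY)
    return rules


def evaluate(rules: List[Rule], dst_ip: str, dst_port: int) -> str:
    """First matching rule decides; a list with no match falls through to deny."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action
    return "deny"


def ruleset_is_sane(rules: List[Rule]) -> bool:
    """The check khrath calls out: the catch-all deny is present and is the last rule."""
    return bool(rules) and rules[-1] == CATCH_ALL_DENY and CATCH_ALL_DENY not in rules[:-1]


def to_ipfw(rules: List[Rule]) -> List[str]:
    """Render as outbound ipfw commands (FreeBSD syntax) in the same order."""
    lines = []
    for rule in rules:
        dst = rule.dst_ip or "any"
        port = f" {rule.dst_port}" if rule.dst_port else ""
        lines.append(f"ipfw add {rule.action} tcp from any to {dst}{port} out")
    return lines


def demo() -> Dict[str, object]:
    """Walk the cases the thread raises against one constructed allowlist."""
    resolved = {"www.yahoo.com": "203.0.113.5"}  # address is an assumption, fixed at build time
    rules = build_ruleset(resolved)
    deny_first = [CATCH_ALL_DENY] + rules[:-1]     # the mistake: catch-all moved to the top
    return {
        "sane": ruleset_is_sane(rules),
        "allowed_http": evaluate(rules, "203.0.113.5", 80),
        "allowed_https": evaluate(rules, "203.0.113.5", 443),
        "other_site": evaluate(rules, "198.51.100.9", 80),
        # The allowlisted site moved (kireol's worry): the baked-in address no longer matches.
        "allowed_site_new_ip": evaluate(rules, "203.0.113.77", 443),
        "deny_first_sane": ruleset_is_sane(deny_first),
        "deny_first": evaluate(deny_first, "203.0.113.5", 80),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("\n".join(to_ipfw(build_ruleset({"www.yahoo.com": "203.0.113.5"}))))
```

The rendered catch-all `deny tcp from any to any out` drops every outbound TCP connection, not just web traffic; on a real box, either scope it to the web ports or put allows for mail, DNS and anything else you need above it. The `allowed_site_new_ip` case is the reason a name-based control (a proxy that matches on the requested hostname) is the more durable way to express "these few sites".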
kemble
RealPoor Sensei

Joined: 14 Oct 2002 Posts: 1909
Location: MI
Posted: 03/01/05 - 12:42 Post subject:

Install squid and then you can monitor everyone's surfing habits!
BTW, Nazi internet policies in the workplace suck.

kireol
RealPoor Master of Posts

Joined: 02 Aug 2003 Posts: 9517
Location: Royal Oak, MI
Posted: 03/01/05 - 13:19 Post subject:

Well, people are checking out http://www.trumpps.net and shit.
If I set up some sort of DNS server on my Linux box, only have entries for the few sites I want and somehow exclude all other sites, and point the Windows boxes at that for their DNS server, would that work? Is it hard to set up a DNS server on Linux?

gotissues68
RealPoor Sensei

Joined: 21 Aug 2003 Posts: 1866
Posted: 03/01/05 - 13:29 Post subject:

kireol wrote:
    Well, people are checking out http://www.trumpps.net and shit.
    If I set up some sort of DNS server on my Linux box, only have entries for the few sites I want and somehow exclude all other sites, and point the Windows boxes at that for their DNS server, would that work? Is it hard to set up a DNS server on Linux?

No, it's not hard, but you can't block via DNS. Set up firewall rules as was suggested to block anything inbound on port 80 except the sites you are allowed to browse to.

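Below, as an added example that is not part of the thread and not kireol's or gotissues68's code, is the allowlist-only resolver kireol describes: a small UDP DNS responder (standard library only) that answers A queries for names on its list with a fixed address and returns NXDOMAIN for everything else. The names and addresses in ALLOWLIST are constructed sample data. On its own this only removes the name, not the site: a client can still type an IP literal or point itself at another resolver, so it only holds up if the firewall also blocks outbound port 53 to anything other than this box and blocks outbound 80/443 that is not going through whatever filter you run.

```python
"""Allowlist-only DNS responder (added example, not code from this thread).

Answers A queries for names in ALLOWLIST with a fixed address and NXDOMAIN for
everything else. Standard library only. Names and addresses are constructed samples.
"""
import socket
import struct

# Constructed sample allowlist (assumption): fully qualified, lowercase, trailing dot.
ALLOWLIST = {
    "www.example.com.": "192.0.2.10",
    "intranet.example.com.": "192.0.2.20",
}

QTYPE_A, QCLASS_IN = 1, 1
FLAGS_RESPONSE_AUTH = 0x8480   # QR=1, AA=1, RA=1; the RD bit is copied from the query
RCODE_NXDOMAIN = 3


def parse_qname(msg: bytes, offset: int = 12):
    """Read the QNAME starting at `offset`; return (name with trailing dot, offset past it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in a question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower() + ".", offset


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Encode a standard recursion-desired query (used here to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query: bytes) -> bytes:
    """Build the reply: an A record if the name is allowlisted, otherwise NXDOMAIN."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    rflags = FLAGS_RESPONSE_AUTH | (flags & 0x0100)
    ip = ALLOWLIST.get(name)
    if ip is None or qclass != QCLASS_IN:
        # Not on the list: authoritative NXDOMAIN with no answer section.
        return struct.pack("!HHHHHH", txid, rflags | RCODE_NXDOMAIN, 1, 0, 0, 0) + question
    if qtype != QTYPE_A:
        # Allowlisted name but a type we do not serve (e.g. AAAA): NOERROR, no data.
        return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0)
    # Answer: pointer to the name at offset 12, type A, class IN, TTL 60, RDLENGTH 4, address.
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def rcode(response: bytes) -> int:
    return struct.unpack("!H", response[2:4])[0] & 0x0F


def answered_ip(response: bytes):
    """Address from a single-A-record response, or None when there is no answer."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else None


def serve(bind=("0.0.0.0", 53)):
    """Blocking UDP loop. Run on the box the clients are pointed at (port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, UnicodeDecodeError):
            pass  # malformed query: drop it rather than crash the resolver


if __name__ == "__main__":
    serve()
```

To check it from a Windows client after pointing its DNS at this box, `nslookup www.example.com` should return the listed address and `nslookup www.example.net` should report a non-existent domain; if the second lookup still succeeds, the client is resolving elsewhere and the port 53 egress block is missing.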
gotissues68
RealPoor Sensei

Joined: 21 Aug 2003 Posts: 1866
Posted: 03/01/05 - 13:33 Post subject:

You could also set up Windows security policies on each box, BTW... that'd be even easier...

kireol
RealPoor Master of Posts

Joined: 02 Aug 2003 Posts: 9517
Location: Royal Oak, MI
Posted: 03/01/05 - 13:34 Post subject:

Well, I tried adding /. to Restricted Sites and it still worked, so I just figured, as hung over as I am, that that wasn't working.

gotissues68
RealPoor Sensei

Joined: 21 Aug 2003 Posts: 1866
Posted: 03/01/05 - 14:47 Post subject:

I'm not good with Windows security policy, so I checked with my boss that I do consulting work for on the side (Linux shat), and here's what he said...
(10:16:37) wtfiml33t: how can I set a security policy to restrict certain sites from being browsed to via internet explorer?
(10:21:38) The conversation has become inactive and timed out.
(10:38:34) This is Chris: yo
(10:38:40) wtfiml33t: yo
(10:38:45) This is Chris: whats your prob?
(10:39:12) wtfiml33t: lol I don't have a problem, friend of mine is looking for a good way to block access to LAN users except to specific certain websites..
(10:39:19) wtfiml33t: they've been caught browsing porn and stuff at work =\
(10:42:03) This is Chris: just use the basis IE parental controls
(10:42:08) This is Chris: basic
(10:42:09) wtfiml33t: heh
(10:42:13) This is Chris: it sets a password
(10:42:23) wtfiml33t: k
(10:43:06) This is Chris: then you set "approved sites"
(10:43:17) This is Chris: or set it based on the ratings system
(10:43:29) wtfiml33t: k
(10:43:31) This is Chris: which filters based on content

kireol
RealPoor Master of Posts

Joined: 02 Aug 2003 Posts: 9517
Location: Royal Oak, MI
Posted: 03/01/05 - 15:08 Post subject:

Nice. After this chicken parm gets demolished, I'm so all over that.

Callaren
RealPoor Sensei

Joined: 03 Dec 2003 Posts: 1598
Location: South Jersey
Posted: 03/01/05 - 18:56 Post subject:

kireol wrote:
    Nice. After this chicken parm gets demolished, I'm so all over that.

I almost always get chicken parm; it's my favorite.

kireol
RealPoor Master of Posts

Joined: 02 Aug 2003 Posts: 9517
Location: Royal Oak, MI
Posted: 03/01/05 - 19:01 Post subject:

gotissues68 wrote:
    I'm not good with Windows security policy, so I checked with my boss that I do consulting work for on the side (Linux shat), and here's what he said...
    (10:16:37) wtfiml33t: how can I set a security policy to restrict certain sites from being browsed to via internet explorer?
    (10:21:38) The conversation has become inactive and timed out.
    (10:38:34) This is Chris: yo
    (10:38:40) wtfiml33t: yo
    (10:38:45) This is Chris: whats your prob?
    (10:39:12) wtfiml33t: lol I don't have a problem, friend of mine is looking for a good way to block access to LAN users except to specific certain websites..
    (10:39:19) wtfiml33t: they've been caught browsing porn and stuff at work =\
    (10:42:03) This is Chris: just use the basis IE parental controls
    (10:42:08) This is Chris: basic
    (10:42:09) wtfiml33t: heh
    (10:42:13) This is Chris: it sets a password
    (10:42:23) wtfiml33t: k
    (10:43:06) This is Chris: then you set "approved sites"
    (10:43:17) This is Chris: or set it based on the ratings system
    (10:43:29) wtfiml33t: k
    (10:43:31) This is Chris: which filters based on content

That so worked. I owe you and yer boss lunch.

kemble
RealPoor Sensei

Joined: 14 Oct 2002 Posts: 1909
Location: MI
Posted: 03/01/05 - 20:00 Post subject:

I hope nobody is bright enough to d/l Opera, Firefox, or the 5 bazillion other ways around this. Good for keeping the mindless minions from wasting time browsing at work, though.

gotissues68
RealPoor Sensei

Joined: 21 Aug 2003 Posts: 1866
Posted: 03/01/05 - 20:05 Post subject:

kemble wrote:
    I hope nobody is bright enough to d/l Opera, Firefox, or the 5 bazillion other ways around this. Good for keeping the mindless minions from wasting time browsing at work, though.

Yeah, that occurred to me too after the fact. That's why my initial idea was to use security policies that limit network access and software installation. Require anything that's not a direct executable or needs to write the registry to require administrator access.

kireol
RealPoor Master of Posts

Joined: 02 Aug 2003 Posts: 9517
Location: Royal Oak, MI
Posted: 03/01/05 - 20:11 Post subject:

The only way they could DL is if they shell to a command prompt and use FTP, or bring in a CD or thumb drive. Doing that fix also prevents them from easily using IE to grab Firefox/AOL/etc.
And I'm not guarding Fort Knox here.

gotissues68
RealPoor Sensei

Joined: 21 Aug 2003 Posts: 1866
Posted: 03/01/05 - 20:13 Post subject:

kireol wrote:
    The only way they could DL is if they shell to a command prompt and use FTP, or bring in a CD or thumb drive. Doing that fix also prevents them from easily using IE to grab Firefox/AOL/etc.
    And I'm not guarding Fort Knox here.

Yeah, but you don't want them browsing to Fort c***s either...

khrath
Guest
Posted: 03/01/05 - 21:07 Post subject:

My company used to do that till they realised how futile it was.

kireol
RealPoor Master of Posts

Joined: 02 Aug 2003 Posts: 9517
Location: Royal Oak, MI
Posted: 03/01/05 - 22:12 Post subject:

My users are mostly people without cars or valid driver's licenses, and with a record.