windows DNS and site blocking

Posted: 03/01/05 - 11:18
RealPoor Master of Posts
kireol
Joined: 02 Aug 2003
Posts: 7529
 
my boss wants me to block all sites but a small handful.

I tried turning off DNS and just adding those sites to the HOSTS file, but it didn't work, and what if those sites change their IP anyway.


any ideas on a good way to do this?


Posted: 03/01/05 - 11:20
RealPoor Guru
Zuldane
Joined: 11 Oct 2002
Posts: 3570
 
AOL FREE 5000 HOURS


Posted: 03/01/05 - 11:27
khrath

 
You could write firewall rules that block every address on port 80 by default, then open holes for certain sites.

That'd be the easiest way to go about it I'd think.

It'd also be easy to bypass though, and wouldn't block secure web browsing.


Posted: 03/01/05 - 11:41
RealPoor Master of Posts
kireol
Joined: 02 Aug 2003
Posts: 7529
 
hrmmm. good thinking. any recommendations on which firewall I should use?


Posted: 03/01/05 - 11:52
khrath

 
depends on operating system I guess.

with ipfw it would look like this.

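# allow replies from the permitted site (ipfw resolves the hostname once, when the rule is added)
ipfw add pass tcp from www.yahoo.com 80 to any
# drop replies from every other web server (source port 80)
ipfw add deny tcp from any 80 to any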


As long as that last line stays last, it should work fine.

I'm sure there are better ways to do it though.
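
The allowlist idea from the post above, as an added example that is not part of the original thread: it prints ipfw rules with explicit rule numbers so the deny stays last, covers port 443 as well as 80, and takes already-resolved addresses instead of hostnames. The addresses, the `intranet.example` name, the rule numbers and the `gen_rules` function are all assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): print ipfw allowlist rules.
# RESOLVED is constructed sample data, one "hostname address" pair per line.
# Addresses come from the RFC 5737 documentation ranges, not real sites.
RESOLVED='www.yahoo.com 192.0.2.10
www.yahoo.com 192.0.2.11
intranet.example 198.51.100.5'

ALLOW_BASE=1000   # assumed starting number for allow rules
DENY_RULE=60000   # assumed fixed number, above every allow rule

# Read "hostname address" pairs on stdin and print the ipfw commands.
gen_rules() {
    n=$ALLOW_BASE
    while read -r host addr; do
        # Accept only numeric addresses: a hostname in an ipfw rule is
        # resolved once, when the rule is added, and then goes stale.
        case "$addr" in
            ''|*[!0-9.]*) continue ;;
        esac
        # Like the post's rules, match replies by source port, but cover
        # 443 as well so HTTPS is not left open.
        echo "ipfw add $n pass tcp from $addr 80,443 to any  # $host"
        n=$((n + 10))
    done
    # Explicit rule number keeps the deny last however many allows precede it.
    echo "ipfw add $DENY_RULE deny tcp from any 80,443 to any"
}

# Print the rule set for the sample data; nothing is passed to ipfw here.
printf '%s\n' "$RESOLVED" | gen_rules
```

Regenerating the list on a schedule from fresh lookups is what keeps it current when a site changes its address.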


Posted: 03/01/05 - 12:42
RealPoor Sensei
kemble
Joined: 14 Oct 2002
Posts: 1911
 
install squid and then you can monitor everyone's surfing habits!

btw, nazi internet policies in the workplace suck.


Posted: 03/01/05 - 13:19
RealPoor Master of Posts
kireol
Joined: 02 Aug 2003
Posts: 7529
 
well, people are checking out http://www.trumpps.net and shit.



if I set up some sort of DNS server on my linux box. Only have entries for the few sites I want and somehow exclude all other sites. And point to that for the DNS server on the windows boxes, would that work? is it hard to set up a DNS server on Linux?


Posted: 03/01/05 - 13:29
RealPoor Sensei
gotissues68
Joined: 21 Aug 2003
Posts: 1868
 
kireol wrote:
well, people are checking out http://www.trumpps.net and shit.



if I set up some sort of DNS server on my linux box. Only have entries for the few sites I want and somehow exclude all other sites. And point to that for the DNS server on the windows boxes, would that work? is it hard to set up a DNS server on Linux?


No, it's not hard, but you can't block via DNS. Set up firewall rules as was suggested to block anything inbound on port 80 except the sites you are allowed to browse to.


Posted: 03/01/05 - 13:33
RealPoor Sensei
gotissues68
Joined: 21 Aug 2003
Posts: 1868
 
You could also set up Windows security policies on each box btw... that'd be even easier...


Posted: 03/01/05 - 13:34
RealPoor Master of Posts
kireol
Joined: 02 Aug 2003
Posts: 7529
 
well, I tried adding /. to restricted sites and it still worked. so I just figured as hung over as I am, that that wasn't working.


Posted: 03/01/05 - 14:47
RealPoor Sensei
gotissues68
Joined: 21 Aug 2003
Posts: 1868
 
I'm not good with Windows security policy so I checked with my boss that I do consulting work for on the side (Linux shat) and here's what he said...


(10:16:37) wtfiml33t: how can I set a security policy to restrict certain sites from being browsed to via internet explorer?
(10:21:38) The conversation has become inactive and timed out.
(10:38:34) This is Chris: yo
(10:38:40) wtfiml33t: yo
(10:38:45) This is Chris: what's your prob?
(10:39:12) wtfiml33t: lol I don't have a problem, friend of mine is looking for a good way to block access to LAN users except to specific certain websites..
(10:39:19) wtfiml33t: they've been caught browsing porn and stuff at work =\
(10:42:03) This is Chris: just use the basis IE parental controls
(10:42:08) This is Chris: basic
(10:42:09) wtfiml33t: heh
(10:42:13) This is Chris: it sets a password
(10:42:23) wtfiml33t: k
(10:43:06) This is Chris: then you set "approved sites"
(10:43:17) This is Chris: or set it based on the ratings system
(10:43:29) wtfiml33t: k
(10:43:31) This is Chris: which filters based on content


Posted: 03/01/05 - 15:08
RealPoor Master of Posts
kireol
Joined: 02 Aug 2003
Posts: 7529
 
nice. after this chicken parm gets demolished, i'm so all over that


Posted: 03/01/05 - 18:56
RealPoor Sensei
Callaren
Joined: 03 Dec 2003
Posts: 1602
 
kireol wrote:
nice. after this chicken parm gets demolished, i'm so all over that

I almost always get chicken parm, it's my favorite.


Posted: 03/01/05 - 19:01
RealPoor Master of Posts
kireol
Joined: 02 Aug 2003
Posts: 7529
 
gotissues68 wrote:
I'm not good with Windows security policy so I checked with my boss that I do consulting work for on the side (Linux shat) and here's what he said...


(10:16:37) wtfiml33t: how can I set a security policy to restrict certain sites from being browsed to via internet explorer?
(10:21:38) The conversation has become inactive and timed out.
(10:38:34) This is Chris: yo
(10:38:40) wtfiml33t: yo
(10:38:45) This is Chris: what's your prob?
(10:39:12) wtfiml33t: lol I don't have a problem, friend of mine is looking for a good way to block access to LAN users except to specific certain websites..
(10:39:19) wtfiml33t: they've been caught browsing porn and stuff at work =\
(10:42:03) This is Chris: just use the basis IE parental controls
(10:42:08) This is Chris: basic
(10:42:09) wtfiml33t: heh
(10:42:13) This is Chris: it sets a password
(10:42:23) wtfiml33t: k
(10:43:06) This is Chris: then you set "approved sites"
(10:43:17) This is Chris: or set it based on the ratings system
(10:43:29) wtfiml33t: k
(10:43:31) This is Chris: which filters based on content


that so worked. I owe you and yer boss lunch


Posted: 03/01/05 - 20:00
RealPoor Sensei
kemble
Joined: 14 Oct 2002
Posts: 1911
 
I hope nobody is bright enough to d/l opera, firefox, or the 5 bazillion other ways around this. Good for keeping the mindless minions from browsing wasting time at work tho.


Posted: 03/01/05 - 20:05
RealPoor Sensei
gotissues68
Joined: 21 Aug 2003
Posts: 1868
 
kemble wrote:
I hope nobody is bright enough to d/l opera, firefox, or the 5 bazillion other ways around this. Good for keeping the mindless minions from browsing wasting time at work tho.


Yea that occurred to me too after the fact. That's why my initial idea was to use security policies that limit network access and software installation. Require anything that's not a direct executable or needs to write the registry to require administrator access.


Posted: 03/01/05 - 20:11
RealPoor Master of Posts
kireol
Joined: 02 Aug 2003
Posts: 7529
 
only way they could DL is if they shell to command prompt, and use FTP. Or bring in a CD or thumbdrive. Doing that fix also prevents them from easily using IE to grab Firefox/AOL/etc.


And I'm not guarding fort knox here.


Posted: 03/01/05 - 20:13
RealPoor Sensei
gotissues68
Joined: 21 Aug 2003
Posts: 1868
 
kireol wrote:
only way they could DL is if they shell to command prompt, and use FTP. Or bring in a CD or thumbdrive. Doing that fix also prevents them from easily using IE to grab Firefox/AOL/etc.


And I'm not guarding fort knox here.


Yea but you don't want them browsing to Fort c***s either..


Posted: 03/01/05 - 21:07
khrath

 
my company used to do that till they realised how futile it was


Posted: 03/01/05 - 22:12
RealPoor Master of Posts
kireol
Joined: 02 Aug 2003
Posts: 7529
 
my users are mostly people without cars or valid driver's licenses and a record

