how to block ONLY web access

Thread: how to block ONLY web access

  1. #1
    Banned
    Join Date
    May 2003
    Posts
    31

    how to block ONLY web access

    How can I block a specific user from using the browser on a specific machine? I'd like to leave all the other services intact (ftp, telnet, etc...). The accounts in my network are not "cached locally"; they are all authenticated at the PDC. I'd like to block the user remotely (from the PDC, not locally). The clients are NT service pack 6 and the PDC is Win2k (2000 server). However, I do not want this particular user tunneling http traffic through another port (netcat or something) w/ the help of another (remote) machine. The user has a valid company account and he can install things. Is windows running TCP/IP natively in this case??? If so then a simple port block will not suffice.... What are my options?


    (tired and hungry linux sysadmin)

  2. #2
    Banned
    Join Date
    Apr 2003
    Posts
    3,839
    Can you give us a reason why you want to do that ....

    And just a reminder ... he can use Telnet to browse the Internet in a text-based view only, like I do .. when I don't have access to sites or something I use telnet to connect to cyberspace.org and log in with my account .... they have a text-based browser there.

  3. #3
    Banned
    Join Date
    May 2003
    Posts
    31
    The guy is surfing on company time --- way too much...

  4. #4
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    One way would be to install personal firewalls on each computer and block access to all browsers on the computer. Another way would be to upgrade the PDC to Windows 2003 and use it to block access to browsers on the whole domain.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  5. #5
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Any standard rule-based filtering firewall should be able to meet your needs, _if_ I am understanding your question:

    "How can I stop a particular client from browsing the web, without interfering with anything else?"

    Something like:
        block outgoing from client where protocol=tcp from any to port 80/443/8000/8080

    You can block either requests or responses depending on your needs. It is likely to be better to work this on a default deny stance and only allow specific services to the client, as this can be meshed with other things. For example, if the organization has a proxying firewall like TIS-FWTK (or newer commercial versions), use it to ensure that no http/https data is going to the client in question. The client can respond with a wide variety of means, e.g. custom tunnels, etc... and if high assurance is required it may be wise to install pc-anywhere/vnc on the client and add a warning logon message that the system is monitored by the IT administration folk, and then set an irregular schedule for spot monitoring, or when alarmed by atypical encrypted data.

    catch

  6. #6
    Banned
    Join Date
    May 2003
    Posts
    31
    I guess the first thing I need to know is how, exactly, can I do this in Windows 2000 server. Where are the options located (registry or control panel)? Then I need to know how exactly Windows blocks the access.. is it *nix like.. just blocking port 80 and related ports, or does it mess w/ netbios?

    The user can only use one system... not by software limitations but because of the physical location, so therefore a firewall on all systems is not an option.

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Posts
    301
    Well, if you are working with routers you could set up an ACL to block outgoing traffic from the person's ip address for whatever ports you need.

  8. #8
    Member
    Join Date
    Sep 2002
    Posts
    74
    This is exactly why Windows needs something similar to iptables. I once heard of a firewall called iptables for Windows but I only found one broken link to it on Google.

  9. #9
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    You don't need a firewall on all the systems! You just need a filter between your company and the internet.
    You have several computers and I guess have a router somewhere.

    You know what?
    Mainly all routers implement basic firewalling features (Cisco calls that ACL).

    If you want to restrict the access for one guy, create a specific rule (/32) to restrict outbound flows with the HTTP, HTTPS, FTP, Telnet related tcp ports.

    Doing that, the guy will still be able to browse the intranet if you have one, but not browse the web.
    Be aware that single-user specific firewalling rules are not optimized & should only be used for exceptions.

    Hope it helps ...
    SHARING KNOWLEDGE
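As an added illustration of the rule logic in posts #5 and #9 (example code written for this page, not something from the thread), here is a small Python model of a first-match ACL: post #5's port block-list beside a default-deny allow-list pinned to one host with a /32, evaluated over constructed flows. The workstation addresses and the 8443 "odd port" are made up; the web ports are the ones post #5 lists.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str     # source IP of the workstation
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: str           # CIDR; a /32 pins the rule to one host, as post #9 says
    proto: str         # "tcp", "udp" or "any"
    dports: frozenset  # empty set = any destination port

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and self.proto in ("any", f.proto)
                and (not self.dports or f.dport in self.dports))

def evaluate(rules, flow):
    """First matching rule wins, as in a router ACL; unmatched traffic is
    permitted so that every other workstation is left untouched."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "permit"

HOST = "10.0.0.23/32"  # constructed address of the one workstation
WEB = frozenset({80, 443, 8000, 8080})

# Post #5's rule taken literally: deny the usual web ports, permit the rest.
BLOCKLIST = [Rule("deny", HOST, "tcp", WEB)]

# Default-deny stance: permit only the services the user needs, deny all else.
# (Passive FTP data channels would need their own entry or a stateful filter.)
ALLOWLIST = [
    Rule("permit", HOST, "tcp", frozenset({21, 23})),  # ftp control, telnet
    Rule("permit", HOST, "udp", frozenset({53})),      # dns
    Rule("deny", HOST, "any", frozenset()),            # everything else
]

def verdicts(flow):
    """Return (blocklist verdict, allowlist verdict) for one flow."""
    return evaluate(BLOCKLIST, flow), evaluate(ALLOWLIST, flow)

if __name__ == "__main__":
    # Constructed flows: web, ftp, http on an unusual port, another workstation.
    for f in (Flow("10.0.0.23", "tcp", 80), Flow("10.0.0.23", "tcp", 21),
              Flow("10.0.0.23", "tcp", 8443), Flow("10.0.0.50", "tcp", 80)):
        print(f, verdicts(f))
```

The 8443 flow is the point: the block-list lets it through while the default-deny list stops it, which is why post #5 prefers that stance for a user who can install his own tools.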

  10. #10
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    One other thing you can do is block outgoing access to port 80 using your firewall (dunno if W2K can do it without help from an external program). That should keep users from surfing most sites.
    Cheers,
    cgkanchi

    EDIT: You might also want to consider blocking port 8080. That'll get out most of the sites that don't use port 80.
