-
January 27th, 2005, 07:14 PM
#1
Blocking FTP (outbound) access
We have one user who constantly downloads from a 'friend's' site via FTP (mainly mp3's). The problem is they have read the Acceptable Usage policy, but believe they are above the 'NO download' policy (after all, it's a friend's site... what harm can that do?). I cannot block port 21 on the router as others download data from clients. I tried putting the IP address into their HOSTS file and redirecting to 127.0.0.1... but that doesn't seem to work. Any suggestions?
-
January 27th, 2005, 07:19 PM
#2
Can you not create a firewall rule to block all traffic going to or coming from the "friends" site?
Cheers:
-
January 27th, 2005, 07:23 PM
#3
DjM has the right idea - what kind of firewall is in place on this network?
-
January 27th, 2005, 07:23 PM
#4
It depends on what you are using to connect to the internet?
Usually when I find a user "purposely" violating the acceptable use policy, I take the internet away from them.
Then... after a couple of days, when they realize it is not system wide... and just a problem with their account, they have to come and talk to me... and ask me to help them fix it... I then give them the lecture...
You could always try that...
Works for me
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 27th, 2005, 07:24 PM
#5
Hey Hey,
You can't put an IP Address into the HOSTS file and redirect it to an IP Address... (Which is what you attempted)...
The HOSTS file is nothing more than the simplest form of DNS. It's simply where the computer looks to find the name-to-IP relationship before heading out to the listed DNS servers... It has to be a name-to-IP-address relationship.
Anyways, I'd follow DjM's advice if possible, or teach the user a lesson and cut off his FTP access. Does he need it for a legitimate purpose? If so, kill all FTP outbound access from his IP address. He'll come to you because he can't get his work done, and then you can sit him down and talk to him about the violation of the AUP... I'd also point it out to the employee's manager and have him with you while you talk to the employee.
Peace,
HT
-
January 27th, 2005, 07:34 PM
#6
Senior Member
I had the same problem on my home network. People would come over to play games or do work online, then next thing I know, as soon as I go off to bed, it's like they decide to see how much junk they can download.
I use Smoothwall at home and found this great link on setting up iptables.
It should work for anything using iptables with very little alteration.
http://martybugs.net/smoothwall/iptables.cgi
I now block WinMX, Morpheus, Kazaa, ICQ, MSN, AOL, and FTP from certain IP addresses.
What's a "START" button?
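The iptables approach described in this post, and the per-site firewall rule suggested earlier in the thread, written out as an added example (not from any poster or from the linked page). It assumes a Linux firewall that forwards the LAN's traffic through the FORWARD chain; both addresses are constructed placeholders, and because the rules match addresses rather than names they do not depend on HOSTS or DNS lookups.

```shell
#!/bin/sh
# Added example: print iptables rules that stop ONE internal host from
# reaching ONE external server, leaving FTP open for everyone else.

# Succeed only if $1 is a dotted-quad IPv4 address (octets 0..255).
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# ftp_block_rules SRC DST [ftp|all]
#   ftp (default): match only the FTP control channel, TCP port 21
#   all: match every packet from SRC to DST, so an FTP server moved to
#        another port on the same address is covered as well
ftp_block_rules() {
    src=$1; dst=$2; scope=${3:-ftp}
    is_ipv4 "$src" && is_ipv4 "$dst" || { echo "bad address" >&2; return 2; }
    case "$scope" in
        ftp) match="-p tcp --dport 21" ;;
        all) match="" ;;
        *)   echo "scope must be ftp or all" >&2; return 2 ;;
    esac
    sel="-s $src -d $dst${match:+ $match}"
    # Inserted at the top of FORWARD (assumed chain) so they are evaluated
    # before any general "allow outbound" rule. Log first, then reject.
    echo "iptables -I FORWARD 1 $sel -j LOG --log-prefix \"FTP-AUP: \""
    echo "iptables -I FORWARD 2 $sel -j REJECT"
}

# Constructed addresses: 192.168.1.50 = the user's PC, 203.0.113.10 = the
# remote FTP server (documentation range). Prints the rules; nothing is applied.
ftp_block_rules 192.168.1.50 203.0.113.10
```

Review the printed rules, then run them as root on the firewall; `iptables -L FORWARD -n -v` shows the packet counters for each rule.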
-
January 27th, 2005, 08:40 PM
#7
Thanks (all) for the info.
I realize the HOSTS file is a form of DNS but thought it was worth a try.
Our router is a Linksys - and limited to either blocking internal IPs, or blocking ports globally.
Can't cut off their internet access or they couldn't do their job.
I've blocked 'Bit Torrent', 'Kazaa' etc. ports successfully (MSN will use port 80 if available).
Thanks for the help - I'll keep on trucking
-
January 27th, 2005, 08:56 PM
#8
If the client is Win2k or XP you can enforce IPSec on the NIC for port 21 with Any other IP....
That will screw him over and he'll never work it out....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
January 27th, 2005, 11:28 PM
#9
If you have access to the DNS server, redirect it there. He is totally stuck, but if he is smart he can use an external proxy. If you want to use the hosts file, boxes in Active Directory may ignore it. You have to select "Use LMHOST" in the network properties on the box. And get the syntax correct.
Since your firewall sucks and doesn't allow specific IP blocking, can you get some filtering software? If not, fire his ass.
Force IPsec on port 21 for the IP - lol, good one Tiger. Oh, you could also block the FTP executable in local policy.
//EDIT Like Spazz said, if you got smoothwall up you would have a lot of flex on your internet access options.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
January 27th, 2005, 11:33 PM
#10
Road:
The DNS server will work no better than the hosts file if the (L)user types:-
ftp 123.123.123.123
The DNS server becomes irrelevant, and since it is a friend's FTP server the likelihood is that that's what he is doing.....
Pretty sure blocking the ftp exe in the policy won't work either because ftp support is built into IExplore and he can't stop that.
I do believe my IPSec solution is... er... "elegant".....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides