How to allow access to only specified sites?

alchemist

Basically I'm looking for a way to only allow access on various network computers to only go to certain domains. Some of our applications are internet based and as such we can't just block the whole net.

Any ideas on what kind of hardware is out there that I can set up a table of allowable domains that they can access preferably by MAC address?
 

mamisano

How about removing the DNS entries from all the clients, and then giving each client who needs internet access a host file that contains the allowable domains and associated IP addresses?
 

alchemist

How would I do that? Yes, I'm an idiot. Basically there are only a couple of domains that they ever need to access. I was trying to do it via a hardware firewall solution so that they can't access it or change the parameters, but if I was to do it locally like you suggest, how would I do what you suggest?

 

JackMDS

To block all sites.

Go to the TCP/IP properties in Local Area Connection Properties.
If Obtain DNS is on Auto, check "Use the following DNS Server" and enter 127.0.0.1 into the preferred DNS (you can leave the second entry empty).
By doing this, your browser will not be able to go anywhere since there is no DNS available.
However, the sites that are in the permit section of the Host file will be resolved.

Host File:

You probably already have a Host File on your hard drive (Microsoft might put one there by default).
It is called HOST (no extension).

In Windows 98 it is in C:\Windows
In Windows XP it is in: C:\WINDOWS\SYSTEM32\DRIVERS\etc

If you already have one, use Notepad to open it.
If you cannot find one, make one using a generic text editor like Notepad.

Example for a File (# symbol means comment, and what follows is ignored):

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
# Permit this.

102.54.94.97 rhino.acme.com # source server
38.25.63.10 x.acme.com # x client host
127.0.0.1 Localhost

#This type of entries will Block specific sites.

127.0.0.1 IBM.COM # will resolve IBM.COM to Localhost, so No IBM.COM

#This type of entries will Block ads that come to a Banner from acme.com.
127.0.0.1 ads.acme.com

# This type of entries give names to local Computers

# No need to type the IP the Main computer you can type Main into Address Bar.

192.168.0.1 Main

# The computer with the Music Files will be called Music.

192.168.0.3 Music

 

Brazen

Get a good hardware firewall. Doing it the way mamisano or JackMDS suggest will still allow users access out to the internet by IP address and will also prevent any user on those computers from browsing network resources by computer name.

We use a SonicWALL PRO 2040 at work and it allows you to block every computer from the internet and set up exceptions to only allow certain computers access to certain websites, or all computers to certain websites, or certain computers to all websites, the possibilities are endless and quick and easy to administer. You can set these configurations for any protocol by the way.

Now, I know for sure that this firewall will accomplish this; however, a Cisco PIX or any corporate-class firewall should have this ability, possibly even the Linksys business firewalls.


edit: by the way, if you do want to go the :disgust:HOSTS file option, you can also add all your computers on the LAN to the hosts file so you could browse network resources by computer name.
 

bobcpg

I think if you just edit the host file and make it read-only to the others, their computer should look in that file first no matter what is in the DNS entries. And they would not be able to delete the file or edit it.

-bob
 

alchemist

Brazen, what is the feature you are talking about on that SonicWall...ie what is the feature called so I can find something to do it.....it sounds like SonicWall is a Linux embedded device, so I would like to know what the feature is called so I can look for it in other products as well
Thanks
 

Brazen

Originally posted by: alchemist
Brazen, what is the feature you are talking about on that SonicWall...ie what is the feature called so I can find something to do it.....it sounds like SonicWall is a Linux embedded device, so I would like to know what the feature is called so I can look for it in other products as well
Thanks

Well, on the SonicWALL they are just referred to as Access Rules. My home-grade Linksys firewall/router also has Access Rules, but it only allows four websites to be blocked, no way to block all outbound ports to all IPs and only allow certain ones. So I guess what you'll have to figure out is how feature-rich the access rules are on the particular firewall/router you are looking into.

edit: I looked over the downloadable manual for the Linksys RV082 and it looks like it does have this functionality (here, pdf page 45). You can create a block all traffic rule, and then you *should* be able to override that with explicit rules to allow http (or whatever port you need to) traffic only to certain IPs on the WAN and only from certain IPs on your LAN. My only question is if there is a limit to the number of rules you can set up, but I think Linksys is usually good about specifying if there is a limit. I would suggest picking one up from someplace that would let you return it if it doesn't allow you to set up enough rules to meet your needs. Keep me informed if you decide to go this route and let me know if it does or doesn't allow enough rules (PM or post in this thread), and feel free to PM me if you need help with it.
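
An added illustration, not part of the post above and not any vendor's configuration: a small Python model of the block-all-then-allow access rules described there, with the permitted destinations read from a constructed hosts file. It assumes the rule table is evaluated top-down with the first match winning and the explicit allows placed ahead of the block-all rule; all names and addresses are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample hosts file; addresses are documentation ranges, not real sites.
HOSTS_TEXT = """\
203.0.113.10  app.example.com      # permitted web application
203.0.113.20  billing.example.com  # permitted web application
127.0.0.1     localhost
"""

class Rule(NamedTuple):
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network     # LAN side
    dst: ipaddress.IPv4Network     # WAN side
    port: Optional[int]            # None matches any port

def parse_hosts(text):
    """Map each hostname to its address, ignoring comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            entries[name.lower()] = ipaddress.ip_address(fields[0])
    return entries

def build_rules(hosts, lan_clients, ports=(80, 443)):
    """Explicit allows per client, destination and port, then block everything else."""
    rules = [Rule("allow", ipaddress.ip_network(client),
                  ipaddress.ip_network(str(addr)), port)
             for client in lan_clients
             for addr in hosts.values() if not addr.is_loopback
             for port in ports]
    rules.append(Rule("deny", ipaddress.ip_network("0.0.0.0/0"),
                      ipaddress.ip_network("0.0.0.0/0"), None))
    return rules

def evaluate(rules, src, dst, port):
    """Return the action of the first rule matching the connection (top-down table)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst and rule.port in (None, port):
            return rule.action
    return "deny"

# Two hypothetical LAN clients that are permitted to reach the listed applications.
RULES = build_rules(parse_hosts(HOSTS_TEXT), ["192.168.0.21", "192.168.0.22"])
```

The table grows as clients × destinations × ports (9 rules here, including the block-all), which is the number to compare against a device's rule limit. A connection typed in by IP address to an unlisted destination is denied at the gateway, which the hosts-file approach alone does not do.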
 

alchemist

Looks like I'm looking for a whitelist feature based on IP addresses so that I can limit access to websites via the IP of the individual computer.
 