Limit Users by Site, Not Time

By Bryan James
I am looking for a cost efficient (read: free) way to limit a certain group of users to only a few domains that they can visit on the web.

I've given our video department internet access so they can search for release dates, correct titles, movies an actor has been in and out-of-print tapes. Adult sites are stopped via our main filter; however, other people on the network need to access other sites, and our current monitoring software only blocks the whole network for specified content. I want to set up a user for whom everything is blocked except about 3 domains.

Any help would be appreciated.

Bryan James
(please put tech republic in any subject line so my mail filter doesn't eat any replies)

Check with Lord Infidel, but BBIagent

by admin In reply to Limit Users by Site, Not ...

should do this. I played with it and it's quite effective :) What you are asking, I think, is to just make a rule at a firewall to deny all and then write some rules above it to allow specific sites. Make sure you get them in the right order and you should be fine :)

Other things that work: small routers such as D-Link etc., but there are security risks with many of them to be aware of - avoid trivial file transfer protocol, the inability to do stateful inspection etc., and choose ones that drop, not reject, packets and allow you to drop pings, scans etc. I recently bought a Webramp700s (which is actually a SonicWall rebranded) and it does this, but they may be sold out as they were going for less than 10% of their original cost as they went out of business. You may not have worries as you are setting this up, as it sounds, inside your corporate firewall. At any rate, do a search at TR for BBIagent here at TR and read Lord Infidel's excellent remarks on the free product..... all you have to do is find an old dusty box, write a very few minutes full of rules and plug it in :)

Lord Infidel, if you read this, please chime in! I didn't actually write a deny * and then allow specific sites.... I also used ip... does it do host names? I didn't try host names... Thanks!


Couple of ways

by LordInfidel In reply to Check with Lord Infidel, ...

Using BBIagent (or any other firewall)
[BTW - BBIagent I guess took my recommendation and now charges 36 for the version that you can save rules with. The original (non-saving) rules version is still free.]

Anyways, with your rules, make sure that you allow access to the sites first, then a rule saying these IP's block, then your other rules.
Also, BBIAgent is not application aware, so unlike a proxy server, you will not be able to say, block access to But you will be able to block access to IP's or netblocks.

So it would look like this.
remote sites: (1) (2) (3)

internal IP's
rest of netwk

Access rules:
Invalid attempts goes here
DNS rule goes here first
allow from <1023 to dest1 pt 80
allow from <1023 to dest2 pt 80
allow from <1023 to dest3 pt 80
deny from <1023 to pt 80
allow from <1023 to pt 80
deny all to all (clean up rule)

The other way is to assign static IP's to the 3 people, remove their DNS server entries. Create a hosts file, map the fqdn to the ip for the sites that they are *only* allowed to go to.

They will be unable to resolve IP's then of any websites that you do not define in the hosts file.
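The rule ordering described in the post above, as an added example that is not part of the original post and is not BBIagent rule syntax: a small first-match evaluator showing why the site-specific allows and the restricted-user deny must sit above the general allow. It assumes the firewall reads rules top-down and stops at the first match; all addresses are constructed samples, and the split into "restricted users" and "rest of network" is how the rules are read here.

```python
import ipaddress

# Constructed sample addresses (assumptions, not from the thread).
LAN = "10.0.0.0/24"            # whole internal network
RESTRICTED = "10.0.0.16/30"    # static IPs of the restricted users
DNS_SERVER = "10.0.0.2"        # internal resolver
ALLOWED_SITES = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]
ANY = "0.0.0.0/0"

def rule(action, src, dst, port=None):
    """One rule; port=None matches any destination port."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst), port)

def build_rules():
    """Rules in the order given in the post above."""
    rules = [rule("allow", LAN, DNS_SERVER, 53)]
    rules += [rule("allow", RESTRICTED, site, 80) for site in ALLOWED_SITES]
    rules += [
        rule("deny", RESTRICTED, ANY, 80),   # restricted users: no other web
        rule("allow", LAN, ANY, 80),         # everyone else: web allowed
        rule("deny", ANY, ANY),              # clean-up rule
    ]
    return rules

def misordered_rules():
    """Same rules, but the general allow sits above the restricted deny."""
    rules = build_rules()
    rules.insert(1, rules.pop(-2))
    return rules

def decide(rules, src, dst, port):
    """Return the action of the first rule that matches the connection."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if src in src_net and dst in dst_net and rule_port in (None, port):
            return action
    return "deny"  # nothing matched: default deny

if __name__ == "__main__":
    for name, rules in (("correct", build_rules()), ("misordered", misordered_rules())):
        for dst in ("192.0.2.10", "198.51.100.99"):
            print(name, "10.0.0.17 ->", dst, decide(rules, "10.0.0.17", dst, 80))
```

With the misordered list the restricted workstation reaches every site on port 80, because the general allow matches before the deny is ever consulted.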


Good Point.

by admin In reply to Couple of ways

simple, direct..... I like it! :)

by Bryan James In reply to Good Point.

Thanks, I think Lord's idea about removing the DNS is what I want to do. I'll have to figure out a way around certain other problems (e-mail etc.), but I think that will work.
