Best way to block ALL sites except one??

QwertyJuan

I have been looking at different solutions.... in your opinion, what is the BEST way to block all sites except for one or two sites, so that no other sites will work?? I am looking for something cheap/free if possible.

I currently have a 2k8 server running, but I don't see anywhere in GP that I can do this?

Thanks.
QJ
 
Use a default firewall rule that blocks everything, then add the exceptions.
 
Ok, that is a great idea. But I can't seem to find that option on my Smoothwall

All you need to do is set a firewall rule that says: from your internal network to any external IP over port 80 (and perhaps also 8080 and 443), deny the traffic. Right above that, put in the same rule but allow the IP of whatever site(s) you want to go to as the destination IP.
 
All you need to do is set a firewall rule that says: from your internal network to any external IP over port 80 (and perhaps also 8080 and 443), deny the traffic. Right above that, put in the same rule but allow the IP of whatever site(s) you want to go to as the destination IP.

Any idea how to do this on a Smoothwall??
 
Obvious solution would be a firewall rule.

If you don't have the means to do that, I found this suggested online...might be worth a try:

Disable the DNS CLIENT, the DHCP CLIENT, set the IP addresses manually and in the HOSTS file tell where this server is. Set the DNS entry as 127.0.0.1 so DNS lookups fail.

Set the home page to 'the ONE' web site.


How many clients are we talking about here?
 
Just had to do this for a computer at work. I used Steady State. Steady State uses a proxy to whitelist whatever site you want to allow. The rest are blocked. Also make sure you change all the other settings so that they can't get to the IE settings otherwise they'll be able to remove the proxy.
 
I'd go with the DNS hack on the TCP/IP stack and the HOSTS modification.
You don't need to download anything, there are no router changes, and it's easy to undo.
Just know that one site will often pull content from other sites.
 
I second imyourzero; that's what I actually use at work, for 30+ clients. All you have to do is a simple .bat to copy the HOSTS file and modify the DNS settings, and all 30 clients took me less than 20 minutes. Now the only thing that can mess this up is if the person were to click on "Repair", since that gets rid of your DNS mod. Have you tried OpenDNS? I've heard some very good things about it.
 
OpenDNS is great for limiting certain sites, but not for blocking all but one. BTW, if you want to prevent people from clicking "Repair", just change the local security policy to prevent those in the Users group from doing so.
 
Obvious solution would be a firewall rule.

If you don't have the means to do that, I found this suggested online...might be worth a try:

Disable the DNS CLIENT, the DHCP CLIENT, set the IP addresses manually and in the HOSTS file tell where this server is. Set the DNS entry as 127.0.0.1 so DNS lookups fail.

Set the home page to 'the ONE' web site.


How many clients are we talking about here?

About 60
 
Just had to do this for a computer at work. I used Steady State. Steady State uses a proxy to whitelist whatever site you want to allow. The rest are blocked. Also make sure you change all the other settings so that they can't get to the IE settings otherwise they'll be able to remove the proxy.

Using GP, EVERYTHING is currently locked down.... they can't even right click! :) Gotta love GP! :D
 
I second imyourzero; that's what I actually use at work, for 30+ clients. All you have to do is a simple .bat to copy the HOSTS file and modify the DNS settings, and all 30 clients took me less than 20 minutes. Now the only thing that can mess this up is if the person were to click on "Repair", since that gets rid of your DNS mod. Have you tried OpenDNS? I've heard some very good things about it.

I could use OpenDNS, but then I'd have to have some computers on the network with the OpenDNS dynamic updater, as there is no static IP available. But I'm planning on using a router that load-balances and shares TWO internet connections, so not sure if the OpenDNS updater would work.
 
I currently installed K9webprotection on a test machine, and blocked EVERYTHING including unrated sites, and it seems to have blocked EVERYTHING on the internet... I can't seem to access any page whatsoever. Then I added hardforum.com as a whitelist, and it let me here. I just didn't want to have to load a "free blocker" on every computer to do something I could have done centrally. I HATE having to go around to a bunch of computers to do something that "should" be able to be done at the router or server.
 
You can do it centrally... depending on how your systems are setup...

If you're running an Active Directory domain, a combo of login scripts and Group Policy could take care of the issue centrally. (Centrally administered down to the clients, at least.) Use GP to lock down the clients' ability to change network settings, and change DNS on the 2K8 server so it does not go out and resolve external names (you don't want to totally bork DNS resolution in an AD environment). Then update the HOSTS file on the clients with a script for the domains you want... (Or I suppose you could put the domains into DNS, but then you'd have to manage zones that aren't really yours... Not really a recommended solution.)

If you don't run AD, then do you run your own DHCP and DNS? If yes, you could limit your clients' ability to resolve names... A bit of clever scripting can connect to the shares on the client computers to update the HOSTS file again... (And make sure you lock down the ability to use external DNS to authorized clients at the firewall....)

I could probably think of other ways to hack a solution to work, but really, the best place to control access to remote sites is at the firewall. If your firewall's not up to the task, get a better firewall...
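As an added example (not from the thread, and not Smoothwall's own configuration), here is what the "deny everything, then add the exceptions" rule from earlier in the thread, plus the advice just above to lock down external DNS at the firewall, looks like as raw iptables rules on a Linux firewall. The interface name, LAN range, internal DNS server and allowed web server addresses are all assumptions for illustration; the two allowed addresses are constructed TEST-NET-3 documentation addresses.

```shell
#!/bin/sh
# Added example: "deny everything, then allow the exceptions" as iptables rules.
# Every value below is an assumption for illustration, not from the thread.
LAN_IF=${LAN_IF:-eth0}                  # LAN-facing ("green") interface
LAN_NET=${LAN_NET:-192.168.1.0/24}      # client subnet
DNS_SERVER=${DNS_SERVER:-192.168.1.5}   # internal DNS/AD server, the only host allowed to query outside
WEB_PORTS="80 443 8080"
ALLOWED_IPS="203.0.113.10 203.0.113.11" # constructed addresses of the allowed site(s); resolve them once
IPT=${IPT:-echo iptables}               # dry run by default (prints the commands); set IPT=iptables to apply

# build_rules "<allowed web server IPs>"
# Fills a WEB_FILTER chain: every ACCEPT comes before the catch-all REJECTs,
# because iptables stops at the first matching rule.
build_rules() {
    allowed=$1
    $IPT -N WEB_FILTER 2>/dev/null || true   # create the chain; ignore "already exists"
    $IPT -F WEB_FILTER                       # start from an empty chain

    # 1. Exceptions: the web ports to each allowed destination address.
    for ip in $allowed; do
        for port in $WEB_PORTS; do
            $IPT -A WEB_FILTER -p tcp -d "$ip" --dport "$port" -j ACCEPT
        done
    done

    # 2. Only the internal DNS server may resolve names outside; a client that
    #    switches itself to an external resolver gets no answers at all.
    $IPT -A WEB_FILTER -p udp -s "$DNS_SERVER" --dport 53 -j ACCEPT
    $IPT -A WEB_FILTER -p tcp -s "$DNS_SERVER" --dport 53 -j ACCEPT
    $IPT -A WEB_FILTER -p udp --dport 53 -j REJECT
    $IPT -A WEB_FILTER -p tcp --dport 53 -j REJECT --reject-with tcp-reset

    # 3. Default: every other web connection from the LAN is refused. A TCP
    #    reset makes browsers fail at once instead of hanging until a timeout.
    for port in $WEB_PORTS; do
        $IPT -A WEB_FILTER -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
    done

    # Hook the chain into traffic the firewall forwards from the LAN.
    $IPT -I FORWARD 1 -i "$LAN_IF" -s "$LAN_NET" -j WEB_FILTER
}

build_rules "$ALLOWED_IPS"
```

Run it as-is to see the rules it would add; set `IPT=iptables` to apply them, and hook it into whatever your firewall runs at boot so they survive a reboot. Two practical caveats: the allowed site must be entered by IP, so a site that sits behind a CDN or changes addresses needs the list refreshed, and, as noted earlier in the thread, one site often pulls images or scripts from other hosts, which this chain will refuse until you add those addresses too. The chain only covers the web ports and DNS; anything else leaving the LAN is still governed by the rest of your FORWARD policy.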
 
Fake proxy, and allow the one site =)

This is what I would do, as long as IE is the only browser installed. Just configure the proxy via GP and you're good, no extra software needed and you could easily pick and choose which computers receive the GP if you have a well organized domain.
 