I want to block users from getting to the internet with the exception of a handful of websites. I'm using:

ACCEPT loc net:www.weather.com tcp 80

This works fine for some sites, but with sites like the weather channel, I only get partial content. I've looked at the source code and found that they use a lot of sub domains like images.weather.com. Other sections even pull from domains other than their own or specific ip addresses (that seem to rotate).

I've currently got a section of rules allowing about 15 different ip addresses out, but the addresses are changing every few days.

What is the best way around this? (Other than constantly monitoring the shorewall log and adding ip addresses to the rules)

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Rob Ogle wrote:
> I want to block users from getting to the internet with the exception of a
> handful of websites.
> I'm using:
> ACCEPT loc net:www.weather.com tcp 80
>
> This works fine for some sites, but with sites like the weather channel, I
> only get partial content. I've looked at the source code and found that they
> use a lot of sub domains like images.weather.com. Other sections, even pull
> from domains other than their own or specific ip addresses (that seem to
> rotate).
>
> I've currently got a section of rules allowing about 15 different ip
> addresses out, but the addresses are changing every few days.
>
> What is the best way around this? (Other than constantly monitoring the
> shorewall log and adding ip addresses to the rules)

This is better done in your proxy server than in a packet filter like netfilter. I would suggest using a transparent proxy server setup as per http://www.shorewall.net/Shorewall_Squid_Usage.html

--
Paul <http://paulgear.webhop.net>
--
Did you know? Linux is a completely free operating system that provides a vast array of software "out of the box", and represents a viable alternative to expensive proprietary software. For more details, see: http://consumer.hardocp.com/article.html?art=MTI5OCwxLCxoY29uc3VtZXI
Rob Ogle wrote:
> I want to block users from getting to the internet with the exception of a
> handful of websites.
> I'm using:
> ACCEPT loc net:www.weather.com tcp 80

You can't do that with a packet filter - you need to use a proxy that understands the semantics of the HTTP protocol and can filter based on the site name rather than the IP address.

Doing what you have, the name will be resolved to an IP address at the time the firewall is (re)started and will allow packets destined to that IP address. Note that a server may host many (tens, hundreds, even thousands) different websites and the rule will allow requests to any of them. Also, many large sites have multiple servers and I'm not sure how that is handled by Shorewall.
On 5/28/07, Simon Hobson <linux@thehobsons.co.uk> wrote:
> You can't do that with a packet filter - you need to use a proxy that
> understands the semantics of the HTTP protocol and can filter based
> on the site name rather than the IP address.

Squid proxy + squidGuard, or DansGuardian. Use a whitelist of sites with a default deny and not a blacklist.

Prasanna
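As an added example (not from the thread, and not the Shorewall or Squid projects' own documentation) of the whitelist-with-default-deny proxy setup suggested above: a Squid ACL fragment that allows a short list of domains by name, so that every subdomain such as images.weather.com is covered by one entry instead of a rotating set of IP rules, plus the Shorewall REDIRECT rule that pushes the LAN's port 80 traffic into it. The LAN range 192.168.1.0/24, the proxy address 192.168.1.1, port 3128 and the whitelist file path are assumptions.

```conf
# /etc/squid/squid.conf (fragment) -- added example, not from the original thread.
# dstdomain matches on the Host name the client asked for, not on the server IP.
# A leading dot matches the domain and every subdomain below it, so one entry
# covers www.weather.com, images.weather.com and any other host they add later;
# an entry without a leading dot matches that exact host only.
acl localnet  src 192.168.1.0/24                 # assumed LAN range
acl allowed_sites dstdomain .weather.com         # weather.com and all subdomains
acl allowed_sites dstdomain "/etc/squid/whitelist.txt"   # assumed path; one domain per line, same syntax
acl Safe_ports port 80 443

http_access deny  !Safe_ports
http_access allow localnet allowed_sites         # only listed sites, only from the LAN
http_access deny  all                            # default deny: anything not whitelisted is refused

# Transparent (intercepting) listener; Squid 2.x spells this "transparent" instead of "intercept".
http_port 3128 intercept

# /etc/shorewall/rules (fragment) -- send LAN web traffic to the proxy, except traffic
# from the proxy host itself (assumed to be 192.168.1.1) so it can reach the real servers.
#ACTION    SOURCE   DEST   PROTO   DEST   SOURCE   ORIGINAL
#                                  PORT   PORT     DEST
REDIRECT   loc      3128   tcp     www    -        !192.168.1.1
```

Two caveats a practitioner should keep in mind. First, the REDIRECT above only catches port 80; HTTPS (port 443) has no host name visible to an intercepting proxy, so either block 443 from loc to net outright or configure the browsers to use the proxy explicitly, in which case the CONNECT request carries the host name and the same dstdomain ACL applies. Second, third-party hosts that a page pulls content from (ad networks, CDNs on other domains) still have to be added to the whitelist by name; the difference from the original ACCEPT rules is that you add a domain once rather than chasing its changing IP addresses.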