1

How do I restrict users so that they can only go to certain websites? What devices do I need? And how do I configure the settings? Please guide me.

(I was thinking of using a firewall and setting the IP addresses that are allowed to be visited. Is that all?) I am new to system administration stuff. Please bear with me.

2 Answers

7

You need a proxy (which can be built into normal firewalls, or can be special devices, or can be "application aware" firewalls).

Something like squid is very, very common. You can configure it as a transparent firewall if it's on your gateway (in a firewall such as, say, pfsense). Another common one in the Windows world is ISA/TMG.

These solutions all work by actually inspecting the traffic as it flows through the device. Simply blocking IP addresses isn't a particularly good solution, because a site's IP address may change, or there can be literally thousands of sites sitting on the one IP address. By inspecting the traffic, you can block by:

  • Domain Name (e.g. block facebook.com)
  • Request String (e.g. block anything with ?myrequest=asdf in the URL)
  • Content Returned (e.g. block anything with the word "chicken" on the page)
  • Content Headers (mime types, e.g. block RAR/ZIP)
  • Content Length (e.g. block downloads > 5mb in size)
  • Virus content (i.e. you can actually do virus scanning on the fly as the file is downloaded, blocking it at the edge of the network, not on the local machine)

etc etc. Most devices will even compile a nice report for you to give you a breakdown of your users' browsing habits. Top websites, times of day, content types, etc.

The majority of them (like squid and TMG) also include caching, so oft-made requests don't have to go out to the internet and back every time (e.g. the google homepage).

Mark Henderson
  • Very well explained. Thanks man, I will look into squid. If, let's say, I have Windows, Unix and Linux users in my environment, will that affect it? – alexandriaco Aug 16 '11 at 01:52
  • 2
    @alexandriaco That's the nice thing about web-proxies like that, they don't care what the client is running. – sysadmin1138 Aug 16 '11 at 02:10
  • @alex - as sysadmin said. The platform that the proxy runs on is irrelevant in terms of client access. Just as long as they support the protocol you use (Squid can be "transparent", which works with *everything*, or if you want to run it on something that's not your gateway, i.e. a dedicated machine, then you need to specify the proxy settings in each browser/device to connect to it) – Mark Henderson Aug 16 '11 at 02:18
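As an added illustration (not code from the answer above or from the Squid project), here is a minimal Squid 3.x `squid.conf` that does what the question asks: only an explicit list of sites is reachable, and the other checks the answer lists (request string, MIME type, download size) are applied at the proxy. The client subnet, the site names and the file path are assumptions.

```squid
# Added example, not from the answer or the Squid project. Squid 3.x syntax assumed.
http_port 3128                    # explicit proxy: clients point their browser/OS proxy setting here

# Allow by domain name, not by IP address: a site's IP can change, and one IP
# can host thousands of sites. A leading dot matches the domain and all subdomains.
acl allowed_sites dstdomain .example.com .example.org   # assumed allowlist

# Request string filter: deny any URL whose path/query contains this pattern
acl bad_query urlpath_regex -i myrequest=asdf

# Reply filter: archive MIME types (matches on the Content-Type the server returns)
acl archives rep_mime_type -i ^application/zip$ ^application/x-rar-compressed$

# Only the internal network may use the proxy at all
acl localnet src 192.168.1.0/24   # assumed client subnet

# Request-side policy, evaluated top to bottom; first match wins
http_access deny bad_query
http_access allow localnet allowed_sites
http_access deny all              # anything not explicitly allowed is blocked

# Reply-side policy
http_reply_access deny archives
http_reply_access allow all

reply_body_max_size 5 MB all      # refuse downloads larger than 5 MB

# Keep the access log: it is what the "browsing habits" reports are built from
access_log /var/log/squid/access.log squid
```

Two practical notes. The `dstdomain` list can be kept in a file instead of inline (`acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"`, one domain per line) so it can be edited without touching the main config. For HTTPS sites the proxy only sees the `CONNECT host:443` request, so the domain allowlist still applies, but the reply-side checks (`rep_mime_type`, `reply_body_max_size`) cannot see inside the encrypted tunnel unless SSL interception is configured separately. For the transparent setup mentioned in the comments, the port line becomes `http_port 3128 intercept` (Squid 3.1 and later) with the gateway redirecting port 80 traffic to it; in that mode browsers need no proxy settings, but only plain HTTP is intercepted.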
0

There is a Linux distribution called ClearOS that uses squid and a combination of other associated things in a fairly easy to use and set up system. I had a similar situation to yours earlier in the year, and this helped me out a great deal.