2

We have a small office setup of fewer than 100 people. We have 2 ISP connections which come into a load balancer and from there to a Linux firewall, i.e. Shorewall. From Shorewall it goes to the switches and from the switches to the local LAN.

Now my question is: how can I centrally (as an admin) block specific websites? Is there any configuration in Shorewall to achieve this? If not, is there any other way to achieve this without a hardware firewall or any paid third-party software?

Any suggestion ?

RjV
  • 161
  • 6
  • Just an idea... There are lots of solutions out there besides hardware boxes. You can even use proxies such as https://www.pfsense.org/download/ (pfSense is a load balancer + proxy + gateway; you can use it in multiple ways). You need a somewhat powerful computer (preferably a server machine), and it has a GUI option to block/unblock URLs. But you might feel like having basic support if you don't know what a proxy server is (I don't assume so, just FYI). – Aravinda Sep 09 '17 at 14:07

4 Answers

1

If you manage the DNS, a simple way to block is by creating a zone there for the website you want to block. I have done this trick often for Facebook and services like Dropbox to prevent data loss.

It will not block some power users, but if they manage to bypass that, it can easily account for a termination for them.

yagmoth555
  • 16,758
  • 4
  • 29
  • 50
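The DNS trick above, as an added example that is not part of the original answer: assuming the office resolver is BIND 9 with its configuration under /etc/bind, this script emits one named.conf zone stanza per blocked domain, all pointing at a single shared "sinkhole" zone file that resolves the apex and every subdomain to an internal address. The address 192.0.2.10 and the names ns1.office.example and hostmaster.office.example are placeholders chosen here (documentation ranges and names), standing in for a LAN host that serves a "this site is blocked" page and for the resolver itself.

```shell
#!/bin/sh
# Added example (not from the original answer or the BIND project):
# generate BIND "sinkhole" zones so that a blocked domain and all of its
# subdomains resolve to an internal address instead of the real site.
# Assumptions: BIND 9, config under /etc/bind, 192.0.2.10 is a LAN host
# showing a "blocked" page, ns1.office.example. is the resolver's own name.

SINKHOLE_IP="${SINKHOLE_IP:-192.0.2.10}"
SINKHOLE_FILE="${SINKHOLE_FILE:-/etc/bind/db.sinkhole}"
RESOLVER_FQDN="${RESOLVER_FQDN:-ns1.office.example.}"   # trailing dot: absolute name

# Accept only a plain hostname: alphanumeric/hyphen labels joined by dots,
# at least two labels, no leading or trailing dot. Anything else (quotes,
# semicolons, braces) could break named.conf syntax, so it is refused.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# One named.conf stanza per blocked domain; every stanza shares the same
# zone file, so adding a domain never means writing a new zone file.
zone_stanza() {
    valid_domain "$1" || { echo "zone_stanza: bad domain '$1'" >&2; return 1; }
    printf 'zone "%s" { type master; file "%s"; };\n' "$1" "$SINKHOLE_FILE"
}

# The shared zone file: minimal SOA and NS, then the apex (@) and a wildcard
# (*) both pointing at the sinkhole. The wildcard does not cover the apex,
# which is why both records are needed. Bump the serial when you change it.
sinkhole_zone() {
    cat <<EOF
\$TTL 300
@   IN SOA $RESOLVER_FQDN hostmaster.office.example. (
        1 ; serial
        3600 ; refresh
        600 ; retry
        86400 ; expire
        300 ) ; minimum
@   IN NS  $RESOLVER_FQDN
@   IN A   $SINKHOLE_IP
*   IN A   $SINKHOLE_IP
EOF
}

# Build the include file from a blocklist of domains given as arguments.
# Stops at the first invalid entry rather than writing a half-broken file.
build_blocklist_conf() {
    for d in "$@"; do
        zone_stanza "$d" || return 1
    done
}
```

Usage: `build_blocklist_conf facebook.com dropbox.com > /etc/bind/named.conf.blocked`, add `include "/etc/bind/named.conf.blocked";` to named.conf.local, write `sinkhole_zone > /etc/bind/db.sinkhole`, then run `named-checkconf` and `rndc reload` and confirm with `dig @<resolver> www.facebook.com`. Because the resolver is now authoritative for the whole zone, every name under it is caught, which is also why this must never be done for a domain the office legitimately needs part of. The answer's own caveat still applies: a client that points itself at an outside resolver walks straight past this, so only the internal resolver should be allowed to speak DNS to the Internet.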
0
  1. Check your firewall's "web filter" features first.

  2. Set up a mirroring port on your switch; then you can set up a "passby internet filter program" to filter websites.

https://www.google.com/search?newwindow=1&q=passby+internet+filter+program+for+network

0

For a small business, you may find that OpenDNS would be an excellent option, as it includes a web filtering platform that allows for whitelisting or blacklisting specific sites.

Davidw
  • 1,222
  • 3
  • 14
  • 25
-3

Well, if your firewall runs Linux you should be able to just block that website's IP address using iptables, which it seems is what Shorewall is. The iptables way would be:

  • Run nslookup website.com and get the IP address it resolves to.
  • SSH or log in to the Linux firewall in CLI mode and run sudo iptables -A INPUT -s <ip of nslookup result> -j DROP and sudo iptables -A OUTPUT -d <ip of nslookup result> -j DROP.

This will drop any incoming and outgoing TCP connections to and from the website, and the website will just not load at all. As for this being available in Shorewall, if you don't want to do it the "Linux" way, I found this documentation on the Shorewall website: http://shorewall.org/NetfilterOverview.html. It seems like it will be doing the same thing I instructed.

xR34P3Rx
  • 197
  • 1
  • 3
  • 15
  • I wish I could downvote this. Using your 'Linux way' you are inserting a rule at the end of the INPUT chain that will almost certainly not get acted upon. The next time Shorewall is reloaded or the system restarted it will be lost too. Better to use Shorewall. What happens if, for example, the site is Facebook? Check its IP addresses. – user9517 Sep 09 '17 at 07:34
  • Facebook would be a special snowflake because they have tons of addresses. Modifying iptables directly should work perfectly fine, as that is what Shorewall IS. If you even bothered looking at the website, it clearly states "iptables made easy". You would just have to inspect all the chains and find the best place to add the rule. But really, this should work fine. – xR34P3Rx Sep 09 '17 at 07:52
  • I am familiar with Shorewall; unlike you, I use it extensively. That's why I know your answer is rubbish. – user9517 Sep 09 '17 at 08:34
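As an added example (not from the answer or its comments, and not Shorewall's own code), the Shorewall way the commenter argues for. Two points the answer glosses over: traffic from LAN clients to the website is routed through this box, so it traverses the FORWARD chain, which rules in INPUT and OUTPUT never see; and anything added with a bare iptables command disappears at the next `shorewall restart`, because Shorewall regenerates the whole ruleset from its configuration files. The persistent place is /etc/shorewall/rules. The script below generates entries for that file, assuming the zone names loc (LAN) and net (Internet) from the standard two-interface setup; the addresses 203.0.113.x and the resolver 192.0.2.53 are constructed placeholders from the documentation ranges.

```shell
#!/bin/sh
# Added example, not from the answer above or from the Shorewall project:
# generate /etc/shorewall/rules entries that reject LAN-to-site traffic.
# A router sees the LAN's packets in the FORWARD chain, which is what
# Shorewall's loc->net rules compile to, and entries in the rules file
# survive a "shorewall restart", unlike an ad-hoc iptables command.
# Assumptions: zones "loc" (LAN) and "net" (Internet); example addresses
# are from the documentation ranges and are constructed for illustration.

# Accept only an IPv4 dotted quad, optionally with a prefix length, so a
# stray resolver response cannot inject extra columns into the rules file.
# (Octet range is not checked here; "shorewall check" rejects 999.1.1.1.)
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# One REJECT rule per address for HTTP and HTTPS from the LAN zone.
# Columns of /etc/shorewall/rules: ACTION SOURCE DEST PROTO DPORT.
shorewall_rules_for() {
    domain="$1"; shift
    [ $# -gt 0 ] || { echo "no addresses for $domain" >&2; return 1; }
    printf '# %s\n' "$domain"
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "bad address '$addr' for $domain" >&2; return 1; }
        printf 'REJECT\tloc\tnet:%s\ttcp\t80,443\n' "$addr"
    done
}

# The answer's nslookup step, using the glibc resolver (needs network, so it
# is not exercised offline). Sites with many addresses (CDNs) change their
# address set constantly; for those the DNS-zone approach is the workable one.
shorewall_rules_from_dns() {
    set -- "$1" $(getent ahostsv4 "$1" | awk '{print $1}' | sort -u)
    shorewall_rules_for "$@"
}

# Stop clients from dodging an internal DNS block by using an outside
# resolver: only the internal resolver may talk DNS to the Internet.
# Shorewall evaluates rules in order (first match wins), so the exception
# must come before the REJECTs. Assumes the resolver sits in the loc zone.
dns_lockdown_rules() {
    resolver="${1:-192.0.2.53}"
    valid_ipv4 "$resolver" || { echo "bad resolver '$resolver'" >&2; return 1; }
    printf 'ACCEPT\tloc:%s\tnet\tudp\t53\n' "$resolver"
    printf 'ACCEPT\tloc:%s\tnet\ttcp\t53\n' "$resolver"
    printf 'REJECT\tloc\tnet\tudp\t53\n'
    printf 'REJECT\tloc\tnet\ttcp\t53\n'
}
```

Usage: append the output of `shorewall_rules_for` (or `shorewall_rules_from_dns example.com`) and `dns_lockdown_rules 192.0.2.53` to /etc/shorewall/rules, run `shorewall check` to compile without loading, then `shorewall reload`. REJECT rather than DROP is deliberate for internal clients: the browser fails immediately instead of hanging until a timeout, which also makes the block visible rather than looking like an outage.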