block access to URL

Status
Not open for further replies.

avputnam (IS-IT--Management), joined Oct 23, 2003, 93 messages, location US
I am trying to block access to certain sites (myspace.com, ebay.com) on a PIX firewall. I created the Network Object group and added the IPs 216.178.32.48 through .56. Then I created the Access Rule/Security Policy to deny traffic from any IP address on the inside to the specified Network object group. However, I am still able to open the myspace.com web site. Am I missing a step?

I also read that it's possible to bypass the firewall rule by connecting to an anonymous proxy server. How can myspace and ebay be blocked for good?

Thank you in advance.
 
To do that you will need a proxy/content filter like websense. They keep a list of external proxy servers, and allow you to kill sites or groups of sites based on a number of attributes.

Another way to go about this - add DNS records on your internal DNS for the websites that you don't want and send them to 127.0.0.1

Myspace (and other online services) use round robin DNS or load balancing over different IP blocks to help stop DOS attacks. Make sure that you are blocking all of the IPs for those sites.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent,

Thank you for the advice. By adding DNS records and sending them to the local host do you mean something like below?

127.0.0.1 home.myspace.com
127.0.0.1 groups.myspace.com
127.0.0.1 search.myspace.com

Where in the DNS console would I add the records (forward lookup zone/reverse zone)?

Is there a way to enter the range of IP instead of adding each IP as an independent DNS record?

Thank you,
 
The syntax and where depends on what OS your DNS server is. Put them in the forward lookup zone. I would add one for each higher DNS name.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
In the hosts file, no. Each host must be entered.

If you have an internal DNS server, then just add the zones as forward zones. Adding "myspace.com" to your DNS would be sufficient to cause lookup failures when clients try to access anything in that zone. That's definitely the easier way.
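As an added illustration of the point above (example code, not from the thread or any poster): a small Python model of both approaches. It treats a sinkhole zone as covering every name under the domain, while hosts-file style entries only match the exact names listed, and it emits an RFC 1035 style master file for the zone. The zone names, the nameserver name `ns1.internal.example` and the sample queries are constructed; 127.0.0.1 is the sinkhole address suggested in the thread.

```python
"""Added example: DNS sinkhole zone versus per-host entries.

An authoritative forward zone for "myspace.com" on the internal DNS server
answers every name in that domain, whereas hosts-file entries only cover
the exact hostnames written down. All names and records here are
constructed for illustration.
"""

SINKHOLE = "127.0.0.1"  # sinkhole address used in the thread


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or any label under it.
    Compares whole labels, so "notmyspace.com" does not match "myspace.com"."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def sinkholed(name: str, zones: list[str]) -> bool:
    """Zone semantics: any host in a blocked zone resolves to the sinkhole."""
    return any(in_zone(name, z) for z in zones)


def hosts_blocked(name: str, hosts_entries: dict[str, str]) -> bool:
    """Hosts-file semantics: only an exact hostname match is redirected."""
    return hosts_entries.get(name.lower().rstrip(".")) == SINKHOLE


def zone_file(zone: str, ns: str = "ns1.internal.example") -> str:
    """RFC 1035 master file answering the apex and every subdomain ('*')
    with the sinkhole address. The nameserver name is an assumption."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA {ns}. hostmaster.{zone}. ( 1 3600 600 86400 300 )",
        f"@ IN NS {ns}.",
        f"@ IN A {SINKHOLE}",
        f"* IN A {SINKHOLE}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    zones = ["myspace.com", "ebay.com"]
    hosts = {"home.myspace.com": SINKHOLE, "groups.myspace.com": SINKHOLE}
    for q in ["home.myspace.com", "search.myspace.com", "www.ebay.com", "notmyspace.com"]:
        print(f"{q:20} zone={sinkholed(q, zones)!s:5} hosts={hosts_blocked(q, hosts)}")
    print(zone_file("myspace.com"))
```

Running it shows search.myspace.com blocked by the zone but missed by the hosts entries, which is the gap the zone approach closes.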
 
We have an internal DNS server.

I already have 2 zones in the forward lookup zone named after the DNS domain (DNS on server 2003).

Shall I create another zone in addition to those 2? The help for the wizard says that zones should be named after the DNS domains for which the zone is authoritative.

If you recommend creating a new zone, should the new zone be a primary, secondary or stub zone?

Thank you.
 