Re: Firewall doubt about blocking webmail sites

On Wed, 24 Oct 2001, Marinho Paiva Duarte wrote:

> I would like to know how I can block webmail sites like Yahoo? I am trying to
> do it because 70% of my network traffic is of people getting their e-mails
> in these sites. Many people said to block by IP address, but there are
> several machines answering connections in these sites. I don't know all
> the IP addresses... And I don't want to know, of course.

Aah, the perennial problem of access control.

The firewall solution only works if you know all of the IP addresses that
you want to block.  Visible load-balancing, of course, makes that decidedly
harder, so we go to the next level of interest.

Block all direct web access to anywhere.  Set up a squid or similar proxy
and block access by domain.  Problem solved.

If you don't want your users to have to set proxy settings, do it

Note that it only works for servers on the default Web port, and there are a
variety of ways to get around it (none trivial, but nonetheless they exist).

<rant type="political" style="coherent">
The long and the short of it is that if network policy prohibits accessing
these sites, yank the person's account.  If policy does not prohibit access,
then there's no problem.

#include <disclaimer.h>
Matthew Palmer
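
A squid.conf fragment for the proxy approach described in the reply above, added here as an illustration; it is not part of the original message. The 192.168.0.0/16 client range, port 3128 and the .webmail.example domain are assumptions, and the firewall is assumed to drop direct outbound web traffic from every host except the proxy.

```conf
# squid.conf fragment (added example; client range, port and the
# second domain are assumptions, not values from the message)
http_port 3128

# Clients allowed to use the proxy (assumed internal range)
acl localnet src 192.168.0.0/16

# Destination domains to refuse. A leading dot matches the domain and
# every host under it, so load-balanced front ends are covered without
# listing their IP addresses.
acl webmail dstdomain .yahoo.com .webmail.example

acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Order matters: the first matching http_access line decides.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny webmail
http_access allow localnet
http_access deny all
```

Denied requests show up in Squid's access.log with a TCP_DENIED result code, which gives a record of who is hitting the blocked domains.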

