How to open only CNN website and block everything

Hello,

I need your help to make two filter rules, I think.
I have a client that has 5 stores, and every store has two PCs. He wants the PCs to access only the website www.cnn.com (151.101.133.67), and drop everything else.

I cannot hit the correct rule (I think inside the CNN page there are some links to YouTube) and the page doesn't open correctly.

How can I solve this?

I appreciate your tips
Regards

There is no “easy” way to solve this. As you found out, pages like that have content from other sites embedded,
and even when you would allow all those extra sites they are varying day by day.
So you will have to explain to your client that what he wants is not feasible.

Thanks for your quick reply, pe1chl.

But even if I open, for example, YouTube IPs in firewall rules for the embedded page code, and the IP address of CNN, the page only half opens.

Is there no other way that I can try to configure?
Sorry for my insistence.

Regards

If you use Firefox, install NoScript and you can easily see which sites you need to have for a complete page.
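The per-page host list that NoScript displays can also be produced from a saved copy of the page. The following is an added example, not part of any post in this thread: it parses HTML and reports which hosts referenced by embedded resources fall outside an allow list. The sample HTML and the `example-cdn.test` hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch a sub-resource.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "link": "href", "video": "src", "source": "src"}

class ResourceHosts(HTMLParser):
    """Collect the hostnames a browser must reach to render the page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href>: a link the user may click, not a fetch
        value = dict(attrs).get(attr)
        if value:
            # urljoin resolves relative and protocol-relative (//host/...) URLs
            host = urlparse(urljoin(self.base_url, value)).hostname
            if host:
                self.hosts.add(host.lower())

def blocked_hosts(html, base_url, allowed):
    """Return the resource hosts that an allow list of names would block."""
    parser = ResourceHosts(base_url)
    parser.feed(html)
    return sorted(parser.hosts - {h.lower() for h in allowed})

# Constructed sample page, not real CNN markup.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//static.example-cdn.test/js/app.js"></script>
</head><body>
<img src="https://images.example-cdn.test/top.jpg">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<a href="https://other.example.test/story">related story</a>
</body></html>
"""

if __name__ == "__main__":
    for host in blocked_hosts(SAMPLE_HTML, "https://www.cnn.com/", {"www.cnn.com"}):
        print("not in allow list:", host)
```

This only sees hosts named in the static HTML; scripts can request further hosts at run time, so the list is a lower bound on what the page needs.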

I would tell him only FoxNews has that option.

I hate to say it but the folks that are looking to tame Internet browsing traffic have a much more difficult road ahead of them than in years past. I think it’s going to take a few years for customers and some engineers to adapt to this situation.

1, more and more web-content is going SSL making it even harder for you to reliably intercept the communications with a layer 7 aware device. You can install a solution capable of performing SSL man-in-the-middle decryption but you’ll still face the second problem (which you’re already fighting with).

2, web nerds love them micro-services. This is the fragmentation of their content into ever narrower domains of responsibility. Like you’re finding with embedded YouTube content. Anything else they can break out from the regular core web-site they will. The trend is only gaining steam. This is going to result in more and more layer 7 domain names to look for or at layer 3 more IP addresses to allow and they are ever more likely to change on a whim.

So, even if you install an SSL decryption box and add the current IPs of a web-site to an allow list, it is likely to change tomorrow. The number of connections is also going to begin to hamper those beloved NAT boxes of the IPv6-deniers as well.

A last ditch option: You can pretend the Internet doesn’t exist and refuse to use it.

A better solution: Hire people you trust will use the Internet responsibly or don’t make it accessible from the work connection.

Have you tried NAT to capture all DNS requests with action “redirect” and then block by DNS name?

Hi Normis,

Yes, I've tried your suggestion, but it is the same result, i.e., I can block everything but only half of the CNN page opens (because of the page's embedded code from other sites).

I have no more ideas

I recommend you to use a less dynamic site than a news site with all kinds of widgets that change all the time.
E.g. try Wikipedia.

Tell him to use http://lite.cnn.io/en