I have seen that there are routers that just allow viewing web content. I would like to allow my clients to just browse the web: no MSN, no radio, no video.
Blocking outbound access to TCP port 1863, and outbound HTTP access to messenger.hotmail.com, should stop MSN.
Allow only requests to port 80 out...
Block all incoming.
And blocking ALL UDP access would stop streaming
(I think)
Edit: it appears a lot of things can still tunnel through TCP port 80 (with the express purpose of evading filtering), so if something is getting through like that, you need to get even lower into packet/content inspection.
I am not experienced with it, and I also don't like how the OSI model describes things.
But I'll attempt an answer and say 6/7. As the "tunneling" app is doing this to evade detection, I don't know how you block it, except that I understand the idea of fingerprinting the payload.
Say you accept the TCP/IP connection out to port 80, but the first string back says
"Content type: radio, prepare for music", and you match that and reject the connection.
As in, if layer 6 specifies a protocol like HTTP versus FTP, something could be TCP/IP over port 80 but not be an HTTP stream. So then you filter out all non-HTTP traffic, and that is filtering at layer 6.
So the smart person writes their app to encapsulate their traffic on TCP/IP on port 80 in HTTP, and you are none the wiser; now you need to filter at level 7.
At least that is how I understand it. Again, I've only done protocol (UDP/ICMP/TCP), IP, and port matching.
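Added example, not from any of the posts above: a small Python model of the rule set in the earlier answer (only TCP 80 out, block all incoming, block all UDP, block TCP 1863 and HTTP to messenger.hotmail.com) with the first-payload fingerprinting described in this post layered on top. Hostnames, paths and payload bytes in the samples are constructed for the example; the only name taken from the thread is messenger.hotmail.com. It shows where protocol/port matching stops, what a "is this really HTTP" check catches, and what an HTTP-wrapped tunnel still gets past.

```python
import re
from dataclasses import dataclass


@dataclass
class Conn:
    """One new connection as a simple filter sees it (constructed, not captured traffic)."""
    proto: str            # "tcp" or "udp"
    direction: str        # "out" (LAN client -> internet) or "in"
    dst_port: int
    dst_host: str         # assumed already known for the example
    first_payload: bytes  # first bytes the client sends on the connection


# Policy from the thread: only port 80 out, block all incoming, block all UDP,
# block TCP 1863 and HTTP to messenger.hotmail.com.
BLOCKED_TCP_PORTS = {1863}
BLOCKED_HTTP_HOSTS = {"messenger.hotmail.com"}
ALLOWED_OUT_TCP_PORTS = {80}


def layer4_verdict(c: Conn) -> str:
    """Protocol / direction / port matching only: what plain firewall rules can do."""
    if c.direction == "in":
        return "drop-inbound"
    if c.proto == "udp":
        return "drop-udp"
    if c.proto == "tcp" and c.dst_port in BLOCKED_TCP_PORTS:
        return "drop-port"
    if c.proto == "tcp" and c.dst_port in ALLOWED_OUT_TCP_PORTS:
        return "accept"
    return "drop-default"


# Fingerprint for "this really is an HTTP request": method, target, version, CRLF.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)
HOST_HEADER = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)\r\n", re.IGNORECASE)


def looks_like_http(payload: bytes) -> bool:
    """True only if the first bytes form a syntactically valid HTTP/1.x request line."""
    return HTTP_REQUEST_LINE.match(payload) is not None


def http_host(payload: bytes):
    """Return the lowercased Host header value, or None if there is none."""
    m = HOST_HEADER.search(payload)
    return m.group(1).decode("ascii", "replace").strip().lower() if m else None


def full_verdict(c: Conn) -> str:
    """Port rules first, then inspect the first payload of anything allowed on port 80."""
    v = layer4_verdict(c)
    if v != "accept":
        return v
    if not looks_like_http(c.first_payload):
        return "drop-not-http"      # a raw protocol squatting on port 80
    if http_host(c.first_payload) in BLOCKED_HTTP_HOSTS:
        return "drop-http-host"     # valid HTTP, but to a blocked host
    return "accept"                 # HTTP-wrapped tunnels pass this check


# Constructed sample connections (hosts, paths and bytes are made up for the example).
SAMPLES = {
    "web_page": Conn("tcp", "out", 80, "www.example.com",
                     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "msn_native": Conn("tcp", "out", 1863, "messenger.hotmail.com", b"VER 1 MSNP\r\n"),
    "msn_over_http": Conn("tcp", "out", 80, "messenger.hotmail.com",
                          b"POST /gateway HTTP/1.1\r\nHost: messenger.hotmail.com\r\n\r\n"),
    "udp_stream": Conn("udp", "out", 8000, "radio.example", b"\x80\x60\x00\x01"),
    "raw_on_80": Conn("tcp", "out", 80, "radio.example", b"\x00\x01radio-stream\r\n"),
    "http_tunnel": Conn("tcp", "out", 80, "tunnel.example",
                        b"POST /t HTTP/1.1\r\nHost: tunnel.example\r\n"
                        b"Content-Type: application/octet-stream\r\n\r\n\x13\x37"),
    "inbound_scan": Conn("tcp", "in", 80, "router", b""),
}


def run_all() -> dict:
    """Verdict for every sample, keyed by sample name."""
    return {name: full_verdict(c) for name, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:14} -> {verdict}")
```

The "msn_over_http" sample is the case the port rules alone miss: it is accepted at the port level and only dropped once the Host header is read. The "http_tunnel" sample is the case the post above ends on: it is a well-formed POST to an unremarkable host, so both checks pass, and nothing short of inspecting the body (or knowing the host) tells it apart from a normal upload.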