At 12:32 PM 1/5/2004 +0800, Liew Toh Seng wrote:
Hi,
How am I going to block my users from downloading exe files or going to the
porn sites?

This is a difficult problem to address, and one not particularly suited to firewalls. Firewalls are better at protecting LAN hosts (and themselves) from outside attack than they are at restricting the ways that LAN users can access the Internet. The reason is that these are application-level problems, for the most part, so they have to be addressed at the application level ... for the most part.


Examples:

1. .exe files and other sorts of active content can be received as part of e-mail messages. You block them by requiring your users to get their mail through an MTA/host you control, and implementing attachment checking on that MTA host.

2. .exe files can also be downloaded in any number of other ways, including http (Web browser), ftp, a slew of P2P applications, probably even Usenet. Depending on the application involved, you need either to use a proxy that can examine content (see next item) or block use of the service. Because many P2P applications have become very clever at working around firewalls ... falling back to port-80 use is now a common trick ... actually blocking these services is increasingly difficult at the TCP/IP layers (as distinct from the application layer).

3. "the porn sites" does not identify unambiguously any particular content; one person's porn is another's healthy entertainment (or mass market automobile or beer ad). If you are talking about connecting to porn sites on the Web, your best bet is to block direct access to the Web through the firewall/router, require use of a proxy server, and use a proxy server that can do whatever sort of filtering you prefer to block access to what you consider to be porn. This might be using a remotely-maintained list of IP addresses, screening the content of every page downloaded to watch for "bad" words, completely blocking image downloads, or perhaps other things ... there is a whole industry that handles this sort of filtering, for example in the context of controlling access to the Internet in US primary and secondary schools.

4. If you can find someone who has a list of IP addresses of "porn sites" that match your criteria for porn, you can use a firewall approach to block *all* access (all direct access, anyway -- see closing comment) to the site. The details would depend on how the list of "bad" addresses is maintained, distributed, and updated, so I can't give you focused advice in the abstract.

5. Another approach for blocking access to Web-based porn is to allow access only to a "whitelist" of known-good Web sites. I haven't seen this approach used in a long time, but at least briefly it was tried as a way to create "kid friendly zones" on the Internet. Almost any set of adult customers would, I imagine, find this sort of limitation unacceptable, but I include it for completeness' sake.

To make any of these sorts of access restrictions work, you'd probably also need to block use of encrypted connections (https, ssh, various VPNs) to the Internet, since they could be used to tunnel past any local restrictions to access the forbidden content through remote proxies.

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
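As an added illustration (not code from the original post or from the LEAF project), here is the kind of application-layer decision a filtering proxy makes for items 2 through 5 above: a domain blocklist with subdomain matching, an optional allowlist mode, a file-extension check, and a content check for the Windows executable header so that a renamed .exe is still caught. All domain names and rules are constructed placeholders.

```python
"""Proxy-side download/site filter: constructed example for the approaches
described in the reply (blocklist, allowlist, extension and content checks)."""
import os
from urllib.parse import urlsplit

# Constructed policy data; placeholders, not a real blocklist.
BLOCKED_DOMAINS = {"example-adult.test", "warez.example"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}


def host_matches(host: str, domains: set) -> bool:
    """True if host equals, or is a subdomain of, any entry (label-wise suffix)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def looks_like_pe(body: bytes) -> bool:
    """Content check (item 2): a Windows executable starts with the 'MZ' DOS
    stub header no matter what filename it is served under."""
    return body[:2] == b"MZ"


def check_request(url: str, body: bytes = b"", allowed_domains: set = None) -> tuple:
    """Return (allowed, reason) for a proxied request.

    Evaluation order: allowlist mode (item 5) if one is supplied, then the
    domain blocklist (items 3/4), then the file extension, then the body.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if allowed_domains and not host_matches(host, allowed_domains):
        return False, "host not on allowlist"
    if host_matches(host, BLOCKED_DOMAINS):
        return False, "blocked domain"
    # Extension check uses only the path (query string ignored) and is
    # case-insensitive, so 'setup.EXE?x=1' is still caught. A renamed
    # executable slips past this, which is why the body check follows.
    ext = os.path.splitext(parts.path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return False, f"blocked extension {ext}"
    if looks_like_pe(body):
        return False, "executable content (MZ header)"
    return True, "ok"
```

The body check needs the proxy to see the response content, which is exactly the "proxy that can examine content" the reply calls for and which a pure packet filter cannot provide.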