On 13/07/12 00:36, I.S.C. William wrote:
> Indeed it can be done with Squid Proxy even so I have my filters; the
> detail is that the proxy cannot control the secure traffic (https), so
> this should be done by the firewall.
>
> So my question is about how to block those sites.
The DNS method Simon suggested is probably not workable if you have some people who need access to Google and some who don't, although a solution like OpenDNS might allow you that flexibility.

The best option is a proxy. HTTPS can be safely proxied. It can also be filtered at the proxy. The only thing you can't do is see the URLs being accessed on HTTPS sites. All you can do is block or allow the site.

So my suggestion is:

1. Do not allow HTTPS out directly, i.e. block loc2net (or whatever your local zone is called) for HTTPS.
2. Force all network devices to access HTTPS sites via the proxy.
3. Use the proxy to block or allow sites as needed.

Another (overkill) option is to find the netblock used by Google at your location (e.g. mine is 74.125.0.0/16 for google.com, 173.194.0.0/16 for gmail.com, etc.) and DROP/REJECT traffic to the whole netblock.

Paul

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
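A Shorewall `rules` fragment implementing the three steps Paul lists above, added here as an illustration and not part of the original message. It assumes the local zone is named `loc` and the Internet zone `net`, that Squid runs on the firewall host itself on port 3128 (so its own outbound HTTPS is covered by a `$FW net ACCEPT` policy rather than by these rules), and it reuses the two Google netblocks quoted in the reply.

```shorewall
# /etc/shorewall/rules (added example; zone names "loc"/"net" and the
# Squid port 3128 on the firewall host are assumptions for illustration)
#
#ACTION     SOURCE      DEST                PROTO   DPORT
#
# 1. Block direct HTTPS from the LAN to the Internet. Rules are matched
#    in order, so any per-host exception would have to precede this line.
REJECT      loc         net                 tcp     443
#
# 2. Steer plain HTTP transparently to Squid on the firewall. HTTPS cannot
#    be redirected this way, so clients must have the proxy configured
#    (manually or via WPAD); step 1 makes that the only way out.
REDIRECT    loc         3128                tcp     80
#
# 3. Site allow/deny lists live in the Squid ACLs, not here.
#
# Optional "overkill" variant from the reply: drop the Google netblocks
# the poster observed, regardless of port or protocol.
DROP        loc         net:74.125.0.0/16
DROP        loc         net:173.194.0.0/16
```

After editing, `shorewall check` validates the file and `shorewall restart` applies it; the REJECT for port 443 is what makes the proxy mandatory rather than optional.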
