I have a computer running Windows 2000 Pro. Because of frequent abuse of internet priveleges, management has requested that internet access be revoked. I can assign a static IP address and leave the gateway (router) address blank. That will shut down access all together, but the user needs access to a app running on the company intranet (WAN). From what I been able to gather the app is Oracle and it hosted on a Unix server. From pinging it, I can see what port it communicating on. I assuming it is using TCP and not UDP. I thought about using TCP/IP Filtering, but from what I am gathering this only would affect inbound traffic. I need the end user to be stopped from getting to Port 80, but still allowing him to have Port 111 open. If your thinking stop him at the router level, well I don't manage it and local management and corp management have differing views on internet access in general. What can I do? I am not sure I really want ZoneAlarm or anything like that.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Block Internet; Allow Access to Intranet 1
- Thread starter Briandr
- Start date
An UGLY, but somewhat effective method of blocking Internet access would be to point DNS to non-existent IPs, or just wipe them out. Create a host file (I think that it is C:\WinNT\System32\drivers\etc\hosts in windows) that contains the loopback interface (127.0.0.1) and this host and its name.
Without DNS resolution, browsing is EXTREMELY difficult, but not impossible. But hey, it is a free alternative.
pansophic
Without DNS resolution, browsing is EXTREMELY difficult, but not impossible. But hey, it is a free alternative.
pansophic
That is what we effectively do here, enabling DNS for those who require access. All it would take is for somebody to use IP addresses instead but our users aren't that technically inclined.
Ideally we need a Proxy but we don't have one at the moment.
Ideally we need a Proxy but we don't have one at the moment.
- Thread starter
- #4
Thanks Guys. Much appreciated for the fast replies. Just to make sure we are on the same page, I want the internet disabled, yet still allow access to Unix (Oracle) server. Will doing as you suggest accomplish this? Am I taking the wrong approach with the IP Filtering? I know this only applies to inbound (then why on 2000 Pro?) but can I still make work on outbound as will with IPSec in the mix. Also, here is something interesting. When I setup IP filtering, I left only TCP ports 8000 & 111 open. No changes to UDP or IP. When computer re-booted, I can ping the Unix server. If I try to ping Yahoo! it resolves the name to the IP, but I get Request timed out. When I go to browse via IE, I get to Yahoo!. Is this normal behavior?
- Thread starter
- #6
I removed DNS and added in the line I wanted to the host file. Still cannot get to the web page by entering in address. I noticed that when the page is called when someone clicks, it always has an :8000 at the end. Now when I ping it on my computer from Dos, it gives me an :111. So know I am not sure where this thing is communicating on. I'd assume TCP, but is it Port 111 or Port 8000. Also, we still have WINS. I take it I want to can that as well as DNS? Reason being is I can still hit web sites within the WAN using WINS resoultion. So far works good, just need to get to that Unix server. Any ideas? Also, can I block popular IP addresses like Yahoo! or MSN. I am sure someone is going to go home, ping it and then write it down and bring it back the next day. Thanks for the help.
Well really your looking to do a lot of stuff, a proxy server would make your life much easier here.
Yes they could ping the address and type in the IP but when they click off the site they gained access to it would display an error. They would need to ping every single site they wanted to gain access too.
Unless it was through an anonymiser service, I wonder how it would work then.
Yes they could ping the address and type in the IP but when they click off the site they gained access to it would display an error. They would need to ping every single site they wanted to gain access too.
Unless it was through an anonymiser service, I wonder how it would work then.
- Thread starter
- #8
I know what your saying, but I have my hand twisted two ways. I think you know what I mean. I wish I could do it the right way and not have to get fancy. I have double checked via the ping of the IP address. I also checked my host file. Still can't get to the server? I have added in other servers to the host and can reach them. If I can just get to that one, then things will be fine.
Could you get to that host before? If it is correct in the hosts file:
192.168.1.1 UnixHost
you should be able to 'ping UnixHost' and it would start pinging 192.168.1.1. If not, then the host file is either not set up correctly, not named correctly or in the wrong location. You have to make sure that the file does not have a file extension. Windows editors are really bad about "fixing" that for you and putting .txt or .doc at the end. If it is identified as any other file type the "File" in Explorer, MS was at it again.
pansophic
192.168.1.1 UnixHost
you should be able to 'ping UnixHost' and it would start pinging 192.168.1.1. If not, then the host file is either not set up correctly, not named correctly or in the wrong location. You have to make sure that the file does not have a file extension. Windows editors are really bad about "fixing" that for you and putting .txt or .doc at the end. If it is identified as any other file type the "File" in Explorer, MS was at it again.
pansophic
- Thread starter
- #10
Before I left my message on this board today, yes. No bare in mind this Unix Server is somewhere across the WAN. This is what I get from IE (I edited out my company info)
This how I ping it from dos:
ping oracleapps.mycompany.com
This is how I got it setup in the host file
my IP address oracleapps.mycompany.com
Obviously I have my IP address above and not the sentence.
This how I ping it from dos:
ping oracleapps.mycompany.com
This is how I got it setup in the host file
my IP address oracleapps.mycompany.com
Obviously I have my IP address above and not the sentence.
-
1
- #12
Hi, If you don't have ISA, you can try this:
1. Do not touch the IP configuration or DNS.
2. Put the user with no internet access in same OU, apply the group policy for that OU, if you dont have W2K domain do it on local policy each machine.
Here is the policy: user configuration/windows settings/internet explorer maintenance/connection/proxy setting.
3. Add the proxy is 127.0.0.1 and Do not use proxy server for local (intranet) addresses.
4. If you want them to access some specific website you have to add Do not use proxy server for addresses beginning with.
Limitation: Max 256 chars, but that enough because you can use wildcards ex: *.goodsite.*
1. Do not touch the IP configuration or DNS.
2. Put the user with no internet access in same OU, apply the group policy for that OU, if you dont have W2K domain do it on local policy each machine.
Here is the policy: user configuration/windows settings/internet explorer maintenance/connection/proxy setting.
3. Add the proxy is 127.0.0.1 and Do not use proxy server for local (intranet) addresses.
4. If you want them to access some specific website you have to add Do not use proxy server for addresses beginning with.
Limitation: Max 256 chars, but that enough because you can use wildcards ex: *.goodsite.*
- Thread starter
- #13
- Thread starter
- #14
- Thread starter
- #17
It works good. I can get to only the sites I list, BUT the one site I need to get to it still doesn't let me through:
oracleapps.mycompany.com
I have tried:
*.oracleapps.mycompany.com.*
*.oracleapps.mycompany.com*
*.oracleapps.mycompany.com:8000*
Nothing I do allows me to get through.
oracleapps.mycompany.com
I have tried:
*.oracleapps.mycompany.com.*
*.oracleapps.mycompany.com*
*.oracleapps.mycompany.com:8000*
Nothing I do allows me to get through.
Hi,
Try *.mycompany.* --> allow connect to domain name that contains '.mycompany.':
--> OK
oracleapps.mycompany.net --->OK
data.oracleapps.mycompany.com ---> OK
---> Denied
For example I allow my users to go to 411 sites, I have to enter *.411.* and 411.*. If I put *411*, the can go to sites that contain 411.
Just play with '*' If that site have a link to another site, you won't see that link. You have to enter all the link (if you want them access to those link also)
Try *.mycompany.* --> allow connect to domain name that contains '.mycompany.':
--> OK
oracleapps.mycompany.net --->OK
data.oracleapps.mycompany.com ---> OK
---> Denied
For example I allow my users to go to 411 sites, I have to enter *.411.* and 411.*. If I put *411*, the can go to sites that contain 411.
Just play with '*' If that site have a link to another site, you won't see that link. You have to enter all the link (if you want them access to those link also)
- Thread starter
- #19
When you explained your last thread, you lost me. Could you explain one more time. Just so you know, I do understand what your saying. I can get to sites I list and everything else returns errors. This one site appears do load different pages. I am not sure if this is the route I want to take in this instance, but I am willing to explore it further. I still thought shutting the port would be the best route, but other opinions are welcomed as I grow frustrated with this.
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question