LinuxQuestions.org


Obie 05-31-2004 10:44 PM

Blocking Software
 
How do I block access to the internet for a particular software on the network? E.g. I wish to block Internet Explorer accessing the web but allow Mozilla, etc.

Thanks

Technonotice 06-01-2004 05:54 AM

Crikey... that's rather difficult. The only way you can distinguish between the two is the User-Agent header that web browsers send. For IE it's something like:

Mozilla/4.0 (compatible; IE 6.0; Windows NT 5.1)

for IE 6 on Win XP. The (real) Mozilla on Linux:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv 0.9.2) Gecko/20010726 Netscape6/6.1

but that varies. Also, Mozilla has a plugin available that allows the user to fake their user agent (as some sites still refuse access to non-IE browsers) - the same with Opera.

The best way I can see of doing it is using Squid (proxy server) - I expect it can be configured to scan for certain text in the request and act on it. I don't have any more details on Squid though, not very familiar with it.

I know you can set up rules based on remote hosts, ports, the web address and all the rest so I expect it could scan the headers for similar text and filter it.

HTH.

Obie 06-01-2004 03:18 PM

How does software like Symantec firewall resolve this, as on Windows I am able to block a particular software and allow another using products such as Symantec Firewall? Are there similar products in Linux?

prosonik 06-01-2004 11:16 PM

Hi,

Unfortunately, I'm not 100% familiar with Symantec firewall; however, I'm used to a lot of SOHO and personal firewalls. What you are talking about is not really cutting off IE and letting Moz through, but more limiting a service based on port number. With products like Symantec firewall, you can really do blocking like "ALLOW FTP Traffic" or "Allow Web Traffic". I'm not sure what your knowledge is of TCP, but basically, with every service (i.e., FTP, Web, MSN, Unreal Tourney), there is an associated port number or range of port numbers. When you use a consumer-level product like Symantec firewall, you generally are just allowing traffic to flow in and out of the ports you specify... So you are able to generically block all web traffic, but still not block JUST IE or Moz traffic.

On the topic of blocking a specific application under Windows, I'm going to talk generically. Without being familiar with the product, I can still make the assumption that Symantec Firewall, like every good Norton product, infests (integrates) itself on your system like a bad disease, and therefore might block the application from accessing the TCP/IP stack at the Winsock level (or whatever they are calling it these days). Winsock is an API, or an interface to the IP-based network services on your PC. To put this simply, Symantec MIGHT replace or add some code to the default Winsock to do some basic application authentication, so that only "ALLOWED" apps can actually talk to the Winsock API, and the rest are simply ignored.

If you are trying to block use of an application locally (I'm not sure why you would be, since IE without Wine doesn't run on Linux), then consider just changing the application permissions, so the person simply can't execute the app.

How does this help you? Well, investigate what you're truly looking to do. I'm assuming you are talking about a personal firewall that sits on the same computer as what you're actually using. If you are talking about an environment where one PC acts as a router, and the rest of the computers on the network access the net through it, refer to the previous post about using Squid.


I hope this helps a bit.

Ian Jackson

Quote:

Originally posted by Obie
How do software like Symantec firewall resolve this as on Windows I am able to block a particular software and allow another using products such as Symantec Fwall? Are there similar products in Linux?

Obie 06-02-2004 03:51 PM

prosonik,

Thank you for your post. I wish to run a Linux Firewall on my home network, which also comprises 2 Windows machines. I wish to control via the Linux Firewall what software from the Windows machines can access the Internet; as in my example, I wish to disallow Internet Explorer and allow Mozilla. I understand from your post that each software has a port it would utilise to access the Internet.

1) How do I find more information on these ports?
2) How do I block them?

I gather from the past 2 posts that I should use SQUID; however, would it work with what I wish to achieve? Also, where can I download SQUID from?

Thanks

Robert G. Hays 06-03-2004 06:08 PM

OK, first, comments on other info here -- Norton Personal Firewall definitely can control individual apps by name-&-location, *and* it can provide whole-computer rules for all programs that NPF is not specifically told about; I know, I use it on my (eek!) W98se boot.

Linux:

The usual (underlying) firewall in Linux is iptables.

Second, there are several firewall/helper/&c apps for Linux. The only one I know at all right now is ShoreWall (Shoreline Firewall). This seems to offer to set up both of the coverages that NPF offers Win-victims.

At the risk of providing info that is too advanced, modern iptables has an ability to use loaded kernel modules to "do things" with packets; accept, reject, redirect, *modify*, etc. These modules can be written by (you) if-&-as desired, via gcc or equivalent. I will soon be adding some of these to my own computers & the servers I maintain. Sorry, I haven't started this yet, so I can't yet give any better details, but it is something to think about, if you know C-programming & know-or-can-find IP-packet details.

Good luck however you do it!


Obie 06-03-2004 10:44 PM

Robert G. Hays,

Thank you for your help and advice.

Robert G. Hays 06-03-2004 11:08 PM

Blocking software
 
You're Welcome!

(& I hope it helped or even better yet that you already got it solved, given the age!)

Robert.

frogman 06-04-2004 05:48 PM

If you're running an NT based (2k / XP) OS, you can disallow user access to IE through group or system policies ( Start > Run > gpedit.msc ). If you're using NT4, Start > Run > Poledit. Google and take your time when changing stuff in gpedit.msc / poledit.

IIRC for Win98 / 95 you can rename or move the IE executable so it can't be run normally.

Depends if your concern is users using an unpatched IE installation / crap browser or the system dialling out through IE.

Anyway, enough w32 stuff.

Pete

Technonotice 06-07-2004 05:23 AM

The only way you're going to be able to block it is to either run a program on the local machine (if you have access) to kill off I.E. processes or to run the filtering through a proxy such as Squid.

As both Moz and IE are web browsers, they use the same ports and so a firewall will be no good to you (lower level). The only way in which it would is, as Robert suggested, there *may* be a module available for scanning of the passing packets, but as with setting up a proxy, you'll have to know about TCP/IP and the networking that's going on.

The only other thing I will point out is that Windows Explorer will use the same "User-agent" field when it makes HTTP requests - so there would be no access from that either. I don't know what the Windows update system does, so you'd have to either packet sniff it first or whatever to make sure you don't take out services you want!

Ciccio 06-07-2004 10:52 AM

Well, Symantec works locally, so it can use an upgraded version of netstat -o + checking PIDs to see what program is using what socket, and then allow or deny it.

Perhaps a well (very well) written Squid ACL could do that... but not really useful. The best way there would be to either deny access based on IP (or MAC) or to configure a proxy and deny all other access. Thus allowing Mozilla but not IE (local configs both). But that won't work with smart users... :-)

Anyway, my personal policy is to try and educate the users... If you tell them: here, use MOZILLA because it's better than IE in this and that... then they might just turn to Mozilla. And yes! You have Mozilla on Windows; I use it because I think IE is the biggest aberration in the world. It's like a bicycle by Pioneer or B&W.
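
Added example, not part of any post in this thread: a squid.conf fragment for the proxy-side User-Agent filtering Technonotice describes, combined with Ciccio's suggestion to deny all access that does not go through the proxy. The 192.168.1.0/24 LAN range, the ACL names, the log path and the `MSIE` pattern (the token Internet Explorer of that era puts in its User-Agent) are assumptions.

```conf
# squid.conf fragment (constructed example, not from the thread).

# Assumed address range of the home LAN behind the Linux firewall.
acl lan src 192.168.1.0/24

# "browser" ACLs are regular expressions matched against the User-Agent
# request header; -i makes the match case-insensitive.
acl ie_ua browser -i MSIE

http_port 3128

# Step 1 (audit): the built-in "combined" log format records the
# User-Agent of every request. Run with this alone for a while and
# review which Windows components send the MSIE token before denying it.
# The log path is an assumption; use your distribution's location.
access_log /var/log/squid/access.log combined

# Step 2 (enforce): http_access rules are evaluated top to bottom and
# the first matching rule decides.
# Deny any request whose User-Agent claims to be Internet Explorer.
http_access deny ie_ua
# Allow everything else coming from the LAN.
http_access allow lan
# Nobody outside the LAN may use the proxy.
http_access deny all

# Limits raised in the thread:
# - User-Agent is supplied by the client, so a browser configured to
#   send a different string is not matched by ie_ua.
# - Other Windows software can send the same token and will be denied
#   too, which is why step 1 comes first.
# - The rule only applies to traffic that goes through Squid. On the
#   firewall itself (iptables, not squid.conf), refuse direct web
#   traffic forwarded from the LAN so the proxy is the only way out:
#     iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j REJECT
```

The Windows machines then need their browsers pointed at the firewall's address on port 3128.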

