Filtering internet - how do I allow only certain websites?

I have a workstation and I am trying to block access to the whole internet except for a few websites. I have tried setting rules, but I am unable to access the sites I need to.

Can someone help me create the rules needed to block everything except for 4 sites?

Thanks!

svdodge,

Are you trying to block Outbound connections (i.e., your browser can only connect to 4 sites), or Inbound (as in, unsolicited connections)?

What about email?

And finally, what rules have you already created/changed?

LM

I’m trying to block outbound connections (so that the user cannot access anything I don’t want them to).

Outlook/Email is not used, though they will be accessing our Outlook Web Access page.

I’ve set up TCP/UDP in/out all-port allow rules for one of the sites. I started with using the domain; that didn’t work. Then I watched the activity log and wrote down the IP addresses that popped up when I tried to browse to the site. I then added those to similar rules, but nothing works.

Okay, here’s how I would approach it.

First, you don’t need In/Out rules in the Network Monitor; you only need Out. The Inbound response to the Outbound request for connection will be allowed as a response. An In (or In/Out) rule means you are allowing an unsolicited Inbound connection (i.e., potentially allowing a hacker).

That said, in the Network Monitor, for each website you want to Allow, I would Add a rule at the top of the list, since it filters from the top downward. You can do this by right-clicking on the current Rule ID 0 and selecting Add/Add Before. The only caveat to this “top of the list” thing would be if you’re on a LAN where you’ve defined that as a trusted Zone; in that instance, these would fall right below those two rules, thus starting at Rule ID 2.

The rules will be structured as:

Action: Allow
Protocol: TCP/UDP
Direction: Out
Source IP: Any
Destination IP: Hostname: (enter the web address, such as www.comodogroup.com)
Source Port: Any
Destination Port: Any

I think it’s best to use the Hostname option, since there may be issues with IP addresses of pages, etc.

Following those rules, you will want to make sure you remove the default Allow TCP/UDP Out Any, Any, Any, Any, as that would continue to implicitly allow traffic to any site.

Here’s the “rub” side of it: you will also need to create rules to allow any other applications Outbound access that use those protocols, such as for automatic (or even manual) updates. Which means pretty much everything… :wink:

You may further “tighten” things up by changing your browser rules (in the Application Monitor) to match those in the Network Monitor. So, for example, if you have four websites you’re allowing, and you use IE7, you’ll need four rules for IE7 in the Application Monitor, one for each website. You’ll use the Hostname option again, under the Destination IP tab. While this isn’t necessary, it may help identify rules, especially as you add Network Rules for each updating application. If the Network Rule matches the Application Rule, it helps keep things organized (although with a lot more rules, potentially…).

LM

No need. Just put an HTTP & HTTPS blocking rule before the TCP/UDP Out Any Any Any Any rule, i.e.:

Action: Deny
Protocol: TCP
Direction: Out
Source IP: Any
Destination IP: Any
Source Port: Any
Destination Port: 80, 443

Of course, if a site is not accessed through the standard ports 80 (HTTP) and 443 (HTTPS), then you may have to block that port also. You may also consider blocking ports 8080, 8000, and 4480, as these ports are the most common ports for proxy servers.
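The two approaches above (per-site Allow rules with the default Allow Any removed, versus a Deny 80/443 rule placed before the default Allow Any) differ only in rule order and in what falls through, so the clearest way to compare them is to run sample traffic through a top-down, first-match evaluator. The following is an added example written for this thread; it is not Comodo's code and was not posted by anyone here. It models only the fields the posts use, resolves hostnames through a constructed table instead of DNS, and uses constructed sample addresses and ports. It also shows the two caveats raised in the replies: an updater on a non-web port is cut off under the "remove the default rule" approach, and a site reached on a proxy port such as 8080 slips past a Deny that covers only 80 and 443.

```python
"""Constructed first-match model of the rule sets discussed in this thread.

Not Comodo's code and not posted by anyone in the thread: it models only the
fields the posts use (Action, Protocol, Direction, Destination IP/Hostname,
Destination Port) so the effect of rule order can be checked on sample packets.
Hostnames are resolved through a constructed table instead of DNS.
"""
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple

ANY = None  # wildcard for a rule field

# Constructed hostname table standing in for DNS resolution (assumption).
HOST_TABLE = {
    "www.comodogroup.com": "203.0.113.10",
    "owa.example.com": "203.0.113.20",   # stand-in for the Outlook Web Access page
}
ALLOWED_SITES = list(HOST_TABLE)

@dataclass(frozen=True)
class Rule:
    action: str                            # "Allow" or "Deny"
    protocol: Optional[str] = ANY          # "TCP", "UDP", or ANY for "TCP/UDP"
    direction: str = "Out"                 # "Out" or "In"
    dst_host: Optional[str] = ANY          # Hostname option, resolved via HOST_TABLE
    dst_ports: Optional[FrozenSet[int]] = ANY

@dataclass(frozen=True)
class Packet:
    protocol: str
    direction: str
    dst_ip: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every non-wildcard field equals the packet's field."""
    if rule.direction != pkt.direction:
        return False
    if rule.protocol is not ANY and rule.protocol != pkt.protocol:
        return False
    if rule.dst_host is not ANY and HOST_TABLE.get(rule.dst_host) != pkt.dst_ip:
        return False
    if rule.dst_ports is not ANY and pkt.dst_port not in rule.dst_ports:
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Top-down, first-match evaluation; returns (action, index of matching rule).
    A packet matching no rule falls through to an implicit Deny (index -1)."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx
    return "Deny", -1

# Per-site Allow rules as LM describes them (TCP/UDP Out, Hostname destination).
SITE_ALLOWS = [Rule("Allow", dst_host=h) for h in ALLOWED_SITES]
# The default "Allow TCP/UDP Out Any Any Any Any" rule.
DEFAULT_ALLOW_ANY = Rule("Allow")
# The HTTP/HTTPS Deny rule from the later reply.
DENY_WEB = Rule("Deny", protocol="TCP", dst_ports=frozenset({80, 443}))
# Same idea extended to the proxy ports that reply mentions.
DENY_WEB_AND_PROXY = Rule("Deny", protocol="TCP",
                          dst_ports=frozenset({80, 443, 4480, 8000, 8080}))

RULESETS = {
    # Site allows added but default Allow Any left in place: nothing is blocked.
    "allows_only_default_kept": SITE_ALLOWS + [DEFAULT_ALLOW_ANY],
    # LM's approach: default removed, so everything else falls to implicit Deny.
    "lm_default_removed": SITE_ALLOWS,
    # Second reply: Deny 80/443 placed before the default Allow Any.
    "deny_web_before_default": SITE_ALLOWS + [DENY_WEB, DEFAULT_ALLOW_ANY],
    # Same, with the common proxy ports covered too.
    "deny_web_and_proxy": SITE_ALLOWS + [DENY_WEB_AND_PROXY, DEFAULT_ALLOW_ANY],
    # Deny placed above the site allows: the allowed sites are blocked as well.
    "deny_above_allows": [DENY_WEB] + SITE_ALLOWS + [DEFAULT_ALLOW_ANY],
}

# Constructed sample traffic.
SAMPLES = {
    "allowed_site_https": Packet("TCP", "Out", "203.0.113.10", 443),
    "other_site_http": Packet("TCP", "Out", "198.51.100.5", 80),
    "other_site_proxy_port": Packet("TCP", "Out", "198.51.100.5", 8080),
    "updater_other_port": Packet("TCP", "Out", "198.51.100.9", 5000),
    "unsolicited_inbound": Packet("TCP", "In", "192.0.2.1", 80),  # no In rule exists
}

def decide(ruleset_name: str, sample_name: str) -> str:
    """Action taken for a named sample under a named rule set."""
    return evaluate(RULESETS[ruleset_name], SAMPLES[sample_name])[0]

if __name__ == "__main__":
    for rs in RULESETS:
        print(rs)
        for s in SAMPLES:
            print(f"  {s:24} -> {decide(rs, s)}")
```

Running the block prints one decision table per rule set. The "deny_above_allows" set is the ordering mistake to watch for: because the monitor filters top-down, a Deny placed above the per-site Allows blocks the allowed sites too, which is why the replies stress putting the Allows first.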

I’d rather install a proxy which explicitly allows only certain sites, configure it to have a unique port number, e.g. 52341, configure the browser to use this proxy, and block all outbound access to ports 80, 443, 4480, 8000, and 8080.

However, remember that it is (currently) very trivial to bypass this mechanism: just right-click on the CFP icon and set the mode to “Allow All” :frowning: . . . gosh! I really wish CFP had password protection :frowning: