Restricting browsers to only listed websites

Tim ignored_mailbox at yahoo.com.au
Thu May 9 20:21:35 UTC 2013


Allegedly, on or about 09 May 2013,
davidschaak1 at mobilicity.blackberry.com sent:
> Is there a way to allow a machine on the network to only access a
> small list of websites?
> 
> I have a fedora 17 machine that is hooked to a tv that I only want to
> access a couple of sites for movies. This is accessible to everyone
> and is only to be used as stated.
> 
> I need the network up.
> 
> A Cisco router is between the machine and the net that I do not want
> to reset. (Unauthorized to do so). 

Possibly, you could write a proxy.pac file for the browser, and
configure the browser to use it to set up its proxy.  You'd write the
proxy.pac file to allow connections through to specific sites that you
list, and then have an or/else kind of response for everything else that
just isn't going to make a working connection.

Something like the following:

// Allowed hosts go DIRECT; everything else is handed to a proxy that
// will never answer, so the connection simply fails.
function FindProxyForURL(url, host)
{
        if (isPlainHostName(host)  ||
                dnsDomainIs(host, ".example.com") ||
                dnsDomainIs(host, "localhost") ||
                dnsDomainIs(host, ".localdomain") ||
                dnsDomainIs(host, ".google.com.au") ||
                isInNet (host, "127.0.0.0", "255.255.255.0") ||
                isInNet (host, "192.168.0.0", "255.255.0.0"))
                return "DIRECT";
        else
                // No "; DIRECT" fallback after the dead proxy: a fallback
                // would let the browser go direct as soon as the proxy fails.
                return "PROXY false.or.firewall.address.that.allows.no.traffic.example.com:3128";
}

If I recall correctly, it's a JavaScript scheme, so there's probably a
lot more that you can do with it, if you look up how to write PAC files
(proxy access control files).

In my case, I was using the file to allow direct connections to the
first few listed addresses, and everything else would go through the LAN
proxy.  You'd either use a blocking proxy, or list an address that was
simply not going to respond, therefore connections would fail.

Test this out carefully; I suppose that some browsers may eventually
give up on a failing-to-respond proxy, and might try bypassing it.

   -------------------------

Another solution is a DNS server running on the same machine.  You could
configure it to forward queries for your allowed domain names to name
servers that would provide correct answers, or simply have your name
server get the answers, itself.  Then use a wildcard record that
answered everything else incorrectly (so connection attempts would
fail).

I've done this the other way around (failing specific addresses and
allowing everything else to work normally), but it ought to be possible
to do it both ways.

The PAC file approach may be simpler.  It can simply be a local file on
the same computer as the browser.

-- 
[tim at localhost ~]$ uname -rsvp
Linux 3.8.8-100.fc17.x86_64 #1 SMP Wed Apr 17 17:15:40 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.

My apologies for not including a virus with this message, but I don't
use Windows.
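As an added example (not Tim's PAC file, and not from the Fedora list): a whitelist-style FindProxyForURL() that sends every unlisted host to a non-routable "blackhole" proxy with no DIRECT fallback, plus minimal stand-ins for the helper functions a browser normally supplies to PAC scripts, so the decision logic can be exercised offline in Node. The domains and the 192.0.2.1 proxy address are constructed placeholders.

```javascript
// Stand-ins for the PAC helpers a browser provides (assumed behaviour,
// implemented here only so the file runs outside a browser).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  // True when host ends with domain. The leading "." on the allowlist
  // entries is what stops "evilexample.com" from matching "example.com".
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}
function ip4ToInt(ip) {
  return ip.split(".").reduce(function (n, o) { return n * 256 + Number(o); }, 0);
}
function isInNet(host, pattern, mask) {
  // Only literal IPv4 addresses are handled; a real browser would resolve names.
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  var m = ip4ToInt(mask);
  return (ip4ToInt(host) & m) === (ip4ToInt(pattern) & m);
}

// --- The PAC logic itself (classic syntax, as PAC interpreters are often old) ---
// Constructed allowlist: every entry except "localhost" starts with "."
var ALLOWED_DOMAINS = [".example.com", ".google.com.au", ".localdomain", "localhost"];
// TEST-NET-2 address: nothing should ever answer here, so unlisted sites fail.
var BLACKHOLE = "PROXY 192.0.2.1:3128";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();           // dnsDomainIs is case-sensitive in our stand-in
  // LAN and loopback go direct. Plain names (no dot) are allowed only so local
  // hosts keep working; if the box has a DNS search list they can resolve off-LAN.
  if (isPlainHostName(host) ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0"))
    return "DIRECT";
  for (var i = 0; i < ALLOWED_DOMAINS.length; i++) {
    if (dnsDomainIs(host, ALLOWED_DOMAINS[i])) return "DIRECT";
  }
  // Deliberately no "; DIRECT" after the dead proxy: that fallback would let
  // the browser bypass the restriction once it decides the proxy is down.
  return BLACKHOLE;
}
```

The PAC file only constrains a browser that actually loads it; other programs on the machine, and anyone able to change the browser's proxy settings, are unaffected, so the network-side DNS or router approach is the stronger control when it is available.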