Koozali.org: home of the SME Server

deny internet access to a user

ProStar

deny internet access to a user
« on: July 17, 2002, 09:13:50 PM »
Is there a way to block some user from accessing the Internet with SME (5.1.2 or 5.5)? The reason I'm asking this is because I want to block somebody from using MSN (chat). The person I'm talking about is misusing the access and I'm getting a lot of complaints.

I know it is possible with the ServiceLink version, but this is currently not an option.

If you do it by firewall rules, please detail the solution. I know my way around linux, but I'm not a firewall guru.

Other information:
- I cannot block based upon IP (or I would prefer another solution)
- Other users should be able to further use MSN

Tnx in advance.
ProStar

ProStar

Re: deny internet access to a user
« Reply #1 on: July 17, 2002, 09:16:13 PM »
PS: I do not want to work with authentication, since this is not an option (my dumb users do not even want to remember a password).

ProStar

BillNe

Re: deny internet access to a user
« Reply #2 on: July 17, 2002, 10:50:42 PM »
From: http://messenger.msn.com/support/firewall.asp it looks like all you have to do is block TCP 1863 and 5190.

I am not one of the gurus, but it seems like all you will have to do is go to the port forwarding control in the server manager and forward them to a non-existent address.

Way back before I knew the beauty of E-Smith and was plugging away with IPChains, it seems like there was an add-on I had to put in to make MSIM work. Too long ago to remember....

Would another possible approach be to put a policy on their PC that will not allow msmsgs.exe to run?

Good luck.

Bill

Nathan Fowler

Re: deny internet access to a user
« Reply #3 on: July 18, 2002, 01:46:46 AM »
/sbin/ipchains -A input --source --destination 64.4.12.31/24 -j DENY

BillNe, be wary, MSN will port hop until it finds an open port, it isn't limited to a specific port.

Yes, MSN messenger talks to hotmail.com, more specifically:
msgr-csX.msgr.hotmail.com where X is a number.

Name:    msgr-cs1.msgr.hotmail.com
Address:  64.4.12.30

Name:    msgr-cs2.msgr.hotmail.com
Address:  64.4.12.31

I think that should do what you want.  You could always add it to /etc/rc.d/rc.local if you don't want to template it.  If you really want to get advanced I recommend reading the Ipchains How-To, there are a plethora of options available.

Hope this helped,
Nathan
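
An added example, not part of the original posts: it compares the port-only block suggested in Reply #2 with the destination-network match in Reply #3 against a handful of constructed connection attempts, including port hops. It models only the destination side of the ipchains rule (the source argument is not given in the post); the `192.0.2.10` host and the hopped-to ports 80 and 443 are assumptions for illustration.

```python
import ipaddress

# Destination taken from the ipchains rule in the post. The /24 mask drops the
# host bits, so the rule matches every address in 64.4.12.0/24.
MSGR_NET = ipaddress.ip_network("64.4.12.31/24", strict=False)
# Ports named in the earlier reply (port-based approach).
BLOCKED_PORTS = {1863, 5190}

# Constructed outbound attempts: (destination IP, destination TCP port).
ATTEMPTS = [
    ("64.4.12.30", 1863),   # msgr-cs1 on a listed port
    ("64.4.12.31", 80),     # msgr-cs2 after a hop to another port (constructed)
    ("64.4.12.31", 443),    # msgr-cs2, another hop (constructed)
    ("192.0.2.10", 80),     # unrelated host (documentation range)
    ("192.0.2.10", 5190),   # unrelated host that happens to use a listed port
]


def port_rule_denies(dst_ip, dst_port):
    """Port-only policy: deny when the destination port is listed."""
    return dst_port in BLOCKED_PORTS


def dest_rule_denies(dst_ip, dst_port):
    """Destination policy: deny when the destination IP is in the /24."""
    return ipaddress.ip_address(dst_ip) in MSGR_NET


def summarize(rule, attempts=ATTEMPTS):
    """Return (missed, collateral): messenger traffic allowed, other traffic denied."""
    missed, collateral = [], []
    for ip, port in attempts:
        to_messenger = ipaddress.ip_address(ip) in MSGR_NET
        denied = rule(ip, port)
        if to_messenger and not denied:
            missed.append((ip, port))
        elif denied and not to_messenger:
            collateral.append((ip, port))
    return missed, collateral


if __name__ == "__main__":
    for name, rule in (("port", port_rule_denies), ("destination", dest_rule_denies)):
        missed, collateral = summarize(rule)
        print(f"{name:12} missed={missed} collateral={collateral}")
```

The destination match only holds for as long as the messenger servers stay inside that /24, so the addresses need re-checking when the block stops working.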

prostar

Re: deny internet access to a user
« Reply #4 on: July 18, 2002, 11:44:44 AM »
Tnx, the last answer should do the trick.

prostar

Maggard

Re: deny internet access to a user
« Reply #5 on: July 21, 2002, 08:26:51 AM »
Just a warning from an old hand at IS administration - you're walking down a path that can get ugly. What you're really facing is a Management/HR issue - someone misusing resources / wasting paid time / etc. Blocking someone's MS Messenger is a fine technological quick-fix until they discover AOL IM, or Yahoo Communicator, or Trillian, or any of the Java-based chat sites...

Personally I'd suggest steering as clear as possible from being the back-door solution to the problem. The problem will still be there; now you've just embarked on a game of cat and mouse with you in the losing role. Don't get stuck playing netcop but get the person's supervisor to do their own job and *supervise* the person, or un-install Messenger and tell them if this application or its ilk re-appears on their PC they're gone, or just tell them they're not performing properly and if things don't shape up they're out.

Today it's MS Messenger, tomorrow it'll be excessive email to their beau or buddies, next week it'll be something else equally inane. Get out of the business of filtering / scanning / trapping / babysitting and put this back to where it belongs: Management/HR. If that is still you then best confront the issue head on before you've set a bad precedent and have lots of little fires to put out.

Your Mileage May Vary

Greg Allt

Re: deny internet access to a user
« Reply #6 on: July 22, 2002, 01:16:30 AM »
I agree, it is a slippery slope and one that is more of an H.R. issue than a technology one.  That person could just as easily bring a book into work and read that when they should be working.  A technological solution will not deal with that scenario.

Chris

Re: deny internet access to a user
« Reply #7 on: July 28, 2002, 04:49:07 AM »
Not being a Linux guru, is there a simple 'nuf way to restrict ALL internet access for a given user based on time of day?

Marsorry Ickua

Re: deny internet access to a user
« Reply #8 on: October 02, 2002, 10:56:34 PM »
I used to use Mandrake Linux for my firewall/gateway and had a Linux Guru install the server for me.  We were able to limit Internet Access from users using IP Addresses as well as usernames and passwords (that was excellent and provided nice ways of controlling and monitoring access).  Now, we're making use of the excellent features of email access provided by SME, but I can't limit internet access by IP or by password anymore as I used to with Mandrake Linux.  Is there an easy way of being able to do this with SME or is this not possible?  Unfortunately, I know next to nothing about Linux, but I'm a keen learner!

Any help will do.
Please email me with any response whatsoever @ mickua@agribank.com.na - Your help will be highly appreciated.

Marsorry Ickua
Net. Admin.
Agribank of Namibia

Nathan Fowler


Marsorry Ickua

Re: deny internet access to a user
« Reply #11 on: October 03, 2002, 12:32:45 PM »
Nathan, all I see is a link that points right back to this page - is there something you wanted to help with?  I can tell that you're a heck of a lot more knowledgeable than I am at this, so anything will do - I just need some point where I can start...  My previous efforts all lie with Microsoft Technologies & want to make the switch to Linux... Please refer to posting Listed "Marsorry Ickua - 10-02-02 13:56"

Thanks