Thanks, I didn't think it was gonna be possible (easily), but I thought I would give 
it a shot in case the pros had some black magic way of dealing with it ;)  I am going 
to look into the proxy suggestion and see what I can do.

James

>>> Bennett Todd <[EMAIL PROTECTED]> 02/08/00 02:03PM >>>
2000-02-08-13:44:01 James Paterson:
> Does anyone know of a way to block http downloading of files with
> firewall 1 running on Solaris, [...]

Easy --- just block off all ports except those you want to allow;
ensure that the ones you allow don't include 80 (http) or 443
(https); and only permit those you _do_ allow to specific hosts
known to offer the services you're wanting to permit. So e.g. if you
wanted to allow outbound email on port 25, only allow it to a
designated relay machine, since anyone who wanted to could run an
http daemon on port 25, and clients wouldn't have trouble getting at
it.

> [...] without of course, interfering with standard web traffic?

All that standard web traffic _is_, is downloading files with http.
The browser commonly elects to display the files, rather than
letting you save them on disk, but that's just a common browser
style, nothing visible in the network protocol. Some browsers allow
you to "download", as in save to a file, right from the cached copy
produced as a result of displaying the file --- e.g. links.

So what you are asking is impossible in principle.

Perhaps what you want is to direct your http traffic through a
content-examining proxy, that ensures that the files downloaded are
in some small handful of acceptable content types --- html, jpg,
png, perhaps gif, etc. Or perhaps you'd rather have your
content-type-examining proxy just _reject_ some list of content
types, although that'll be harder to make complete. Even this
approach is fraught; anyone who wants to get past it badly enough
can encode the file they want to download into valid html with
some difficulty, and can make it indistinguishable from a valid
image with great ease. A file extractor will be needed to pull the
files out, but the person who wants to get past your restrictions
badly enough can likely find a way past.

For this kind of stuff I'd look into perhaps modifying a caching
proxy to do detailed content analysis. Perhaps squid.

-Bennett
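
The content-type allow-list Bennett describes, and the "indistinguishable from a valid image" bypass he warns about, as an added example (not code from this thread, and not Squid's own code). The proxy filter, the allow-list, the helper names and the sample bytes are all constructed here for illustration: a naive filter checks the declared Content-Type against an allow-list and confirms it with magic bytes; a stricter one also walks the PNG chunk structure. A payload glued after IEND is caught by the strict check, but the same payload wrapped in a valid tEXt chunk passes both, which is exactly the limit the message points at.

```python
"""Content-type allow-list filter for a hypothetical HTTP proxy, plus the
PNG smuggling bypass.  Added example; all sample bytes are constructed."""
import struct
import zlib

# Hypothetical allow-list: the "small handful of acceptable content types".
ALLOWED_TYPES = {"text/html", "image/png", "image/jpeg", "image/gif"}

# Leading-byte signatures used to sniff the real type of a body.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"PK\x03\x04", "application/zip"),
]


def sniff_type(body: bytes) -> str:
    """Content type implied by the body's first bytes, ignoring the header."""
    for magic, ctype in MAGIC:
        if body.startswith(magic):
            return ctype
    return "application/octet-stream"


def naive_filter(declared_type: str, body: bytes) -> bool:
    """Allow-list on declared Content-Type; images must also match magic bytes."""
    declared = declared_type.split(";")[0].strip().lower()
    if declared not in ALLOWED_TYPES:
        return False
    if declared.startswith("image/") and sniff_type(body) != declared:
        return False
    return True


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png(extra_chunks=()) -> bytes:
    """A valid 1x1 8-bit greyscale PNG, with optional extra chunks before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    body = png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
    for ctype, data in extra_chunks:
        body += png_chunk(ctype, data)
    return b"\x89PNG\r\n\x1a\n" + body + png_chunk(b"IEND", b"")


def strict_png_check(body: bytes) -> bool:
    """Walk the chunks: CRCs must verify, IEND must be last, nothing may follow.
    Catches data appended after IEND, but not data carried inside a chunk."""
    if not body.startswith(b"\x89PNG\r\n\x1a\n"):
        return False
    pos = 8
    while pos + 12 <= len(body):
        (length,) = struct.unpack(">I", body[pos:pos + 4])
        if pos + 12 + length > len(body):
            return False  # truncated chunk
        ctype = body[pos + 4:pos + 8]
        data = body[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", body[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(body)  # trailing bytes mean smuggled data
    return False  # ran off the end without seeing IEND


def strict_filter(declared_type: str, body: bytes) -> bool:
    """Allow-list plus structural validation for PNG bodies."""
    if not naive_filter(declared_type, body):
        return False
    if declared_type.split(";")[0].strip().lower() == "image/png":
        return strict_png_check(body)
    return True


# Constructed "forbidden download" the user wants to pull through the proxy.
PAYLOAD = b"PK\x03\x04" + b"contents of forbidden.zip"


def demo():
    """Each attempt -> (naive_filter verdict, strict_filter verdict)."""
    results = {}
    results["zip_direct"] = (naive_filter("application/zip", PAYLOAD),
                             strict_filter("application/zip", PAYLOAD))
    results["zip_labelled_png"] = (naive_filter("image/png", PAYLOAD),
                                   strict_filter("image/png", PAYLOAD))
    appended = minimal_png() + PAYLOAD
    results["zip_after_iend"] = (naive_filter("image/png", appended),
                                 strict_filter("image/png", appended))
    in_chunk = minimal_png([(b"tEXt", b"Comment\x00" + PAYLOAD)])
    results["zip_in_text_chunk"] = (naive_filter("image/png", in_chunk),
                                    strict_filter("image/png", in_chunk))
    return results


if __name__ == "__main__":
    for name, (naive, strict) in demo().items():
        print(f"{name:18s} naive={'pass' if naive else 'block'} "
              f"strict={'pass' if strict else 'block'}")
```

Running the block prints one line per attempt: the raw zip and the mislabelled zip are blocked by both filters, the zip appended after IEND slips past the naive filter but not the strict one, and the zip carried in a tEXt chunk passes both because the result is a completely valid PNG. A real deployment would hang this logic off a Squid redirector or content adaptation hook rather than calling it directly, but the verdicts would be the same.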
