Brad's comment below is the right general response for giving a host limited access to the Internet, allowing it only to use a single service, but it assumes that (a) "just the LiveUpdate port(s)" has a useful definition and (b) "the LiveUpdate servers" is a well-defined group (by IP address).
As to the first, this URL ...
http://www.isaserver.org/tutorials/Allowing_Norton_AntiVirus_software_LiveUpdate_through_ISA_Server.html
... seems to say that the Symantec service uses the standard http and ftp ports, limiting the ability to control host access by controlling port access. And as to the second, we all know that ipchains- and iptables-based firewalls have trouble firewalling using FQNs that resolve dynamically ... I'll bet the relevant Symantec ones do.
So the access problem probably has to be controlled -- either enabled or blocked, depending on the goal -- at the application layer.
In Homer's position ... he wants the hosts generally to lack Internet access, but to have this one, restricted form of access ... I'd look into using a proxy server for these hosts and having it filter requests based on URL. I believe both Junkbuster and Squid can do this.
If I had the opposite need ... wanting to block selectively access to this service ... I suppose I'd have to do the same thing (use a proxy server), since services that use the standard http and ftp ports are hard to block while giving a host general access to the Internet.
I would be interested, though, if anyone has a better approach for controlling access to services that use port 80. So many services are switching to using port 80, either as their principal port or as a fallback, that it's becoming more and more difficult to use firewall-based controls that work at the address and port layers to restrict outgoing traffic. Making control difficult is, often at least, the purpose of the selection of port 80, so I wonder how network managers are dealing with this fairly new problem. Are proxy servers the only real answer (and how good a general answer are they)?
At 11:23 AM 1/30/03 -0500, Brad Fritz wrote:
> Homer,
>
> Jumping in kinda late here...apologies if I am missing the boat...
>
> On Thu, 30 Jan 2003 09:29:21 CST Homer Parker wrote:
> > On Thu, 30 Jan 2003 11:09:24 +0100 Erich Titl <[EMAIL PROTECTED]>
> [...]
> > They are blocked at the firewall at the managements request... But,
> > they want to keep the virus defs on those machines current, so I'm
> > trying to find a way to handle that...
>
> One way to do that would be to put those machines in their own zone, assign a reject policy from that zone to the net zone, and then add a rule to allow traffic to just the LiveUpdate port(s) on the LiveUpdate servers.
--
"Never tell me the odds!" -- Han Solo
Ray Olszewski
Palo Alto, California, USA
[EMAIL PROTECTED]

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
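One way to build the URL-filtering proxy Ray suggests, as an added example that is not from the original thread: a Squid access-list fragment that lets only the quarantined hosts reach only the update servers, over the http and ftp ports the tutorial says LiveUpdate uses. The subnet 192.168.10.0/24 and the hostname update.example.com are placeholders for the isolated zone and the real LiveUpdate hostnames, which the thread does not name.

```conf
# squid.conf fragment (added example, not from the leaf-user thread)
#
# Assumptions (placeholders, substitute your own values):
#   192.168.10.0/24      the zone holding the hosts that must not browse freely
#   .update.example.com  the LiveUpdate server domain(s); the leading dot
#                        matches the domain and every host beneath it
#
# dstdomain matches on the hostname the client asked for, so the proxy does
# not need to know the servers' addresses in advance. That sidesteps the
# problem Ray raises of packet filters and names that resolve dynamically.

acl av_hosts       src       192.168.10.0/24
acl liveupdate_srv dstdomain .update.example.com

# Only the ports the LiveUpdate tutorial says the service uses.
acl liveupdate_ports port 80 21

# Order matters: Squid stops at the first http_access line that matches.
http_access deny  !liveupdate_ports
http_access allow av_hosts liveupdate_srv
http_access deny  all

# Keep the allowed traffic from being answered by a stale cached copy of a
# definitions file; update checks should always go to the origin server.
no_cache deny liveupdate_srv
```

This only works if the hosts have no direct route to the Internet (the reject policy from Brad's note) so that the proxy is their sole path out; otherwise the URL filter is trivially bypassed.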