mrrgregl asked:
How can I lock out and deny ALL internet access to a specific computer on a P2P network?

I have a unique situation where I am putting a two-computer P2P network on a commercial boat and I need to deny ALL internet to the second computer on the network (the primary computer connects to a mobile satellite terminal for data, email and internet access). Unfortunately this network uses a switch and not a router. I am told that I can configure a dummy proxy in IE and that will do it. I have also been told that I can modify the hosts file to control this, but it must be a set-once and keep-secure solution. The satellite terminal on the network is IP based with a private static IP, and includes limited DHCP and DNS control, but it is not a router. All suggestions greatly appreciated - Greg
zoofan:

If you remove the default gateway and DNS server address from PC2 (assuming you don't need these to connect to PC1, which you shouldn't for peer to peer) it will have no address to forward remote packets to, nor will it be capable of resolving anything externally. In a nutshell, it allows only local access. The only way the PC can get around this is if you do in fact have a proxy server and the browser is configured to use it, or if you have a VPN/firewall client on PC2 that is configured to use a proxy/ISA server to provide access.

Basically, remove any VPN client/firewall client software, remove any proxy settings, and remove the default gateway and DNS server addresses from the IP configuration, and it will only be able to communicate locally.


Option two: feed the satellite switch into a cable router (Linksys/D-Link), configure the router WAN port with the satellite connection information (what is currently on PC1's external NIC), and then configure your PC1 as needed on the LAN side. The router in the middle will allow you to block specific LAN IPs (PC2) from access to the WAN, and this will also afford you a mild firewall for your LAN (PC1), assuming you set up forwarding/filtering rules correctly.



zf


Option 3 is a makeshift version of option one: remove the TCP/IP protocol from PC2 and install the NetBEUI protocol on PC1 and PC2. No routable protocol equals no external access, period!!


zf
mrrgregl (asker):

zoofan - thank you for your comments. Option 2 is out as the vessel is currently in Dutch Harbor, Alaska and will only be there for 24 hrs. I don't have time to get a router, reconfigure it and get it to them (I am in Florida).

For Option 1, this sounds possible if it doesn't interfere with other network communications between PC2 (the one that I do NOT want to have access to the internet) and the primary PC1.  My application is this: PC2 has a local email client on it.  Users on PC2 need to be able to send/receive email but do it through the email "server" on PC1 over a LAN connection.  Will this be secure to the point that a User on PC2 will not be able to reconfigure it?

You did not comment on using the Windows System Hosts file to control access, is this thought way off the subject? - Greg
I just did not see the hosts file as an option at the time of my posts. But given the new information, you cannot go with option three as you need TCP/IP for the email client (I'm almost positive but not 100%) and, as you stated, option two is out. And given your application needs, you must have resolution (but only local).


Option one still stands, adding your hosts file.

Removing the DNS server and default gateway will prevent the PC from external access, but you will need to make an entry in the hosts file so that PC2 can resolve the email server/domain on PC1.

i.e., in the hosts file:
192.168.100.1             emaildomain.com # change to PC1's IP



One hang-up in this configuration is that if the user has admin rights and a little insight they can simply get the DNS and default gateway from PC1 and enter them on PC2. If they do not have admin rights they won't be able to change it.

zf


Other than this, if the users have admin rights they can (and may) do what they want with it; from a PC standpoint it will not change itself, nor will it have external access.


This is the only option I can see given your time frame and distance limitations. If you had time and/or physical access you would have a few more options, but none that can accomplish anything more than what this does; the biggest difference would be preventing the end user from changing it (or making it much harder for them to undo).


zf
One other note on using this configuration.

It is taking the assumption that PC2 is NOT getting its IP configuration via DHCP. Statically assigned IP and mask, leave out gateway and DNS, add hosts file entry.


zf
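The option-one lockdown described above (static address, no default gateway, no DNS server, a hosts entry for PC1), modelled as an added example that is not part of this thread. The addresses are assumptions: PC1 at 192.168.100.1 as in the hosts entry, PC2 at 192.168.100.2 with a /24 mask, the satellite terminal acting as gateway at 192.168.100.254, and a DNS server at 203.0.113.53; the hosts-file text is constructed. It shows why removing the gateway alone already breaks external reach, why a user re-adding only a DNS server still gets nowhere (the DNS query itself has no route), what the configuration looks like once an admin user copies PC1's gateway and DNS over, and gives `audit_lockdown` as the check to run after configuring PC2.

```python
"""Added example: model of the 'no gateway, no DNS, hosts entry' lockdown for PC2.
Assumed addresses (not stated in the thread): PC1 192.168.100.1, PC2 192.168.100.2,
mask 255.255.255.0, satellite terminal/gateway 192.168.100.254, DNS 203.0.113.53."""
import ipaddress
from typing import Dict, List, Optional

# Constructed hosts-file content mirroring the entry proposed in the thread.
# On Windows the real file is %SystemRoot%\system32\drivers\etc\hosts.
HOSTS_FILE = """\
127.0.0.1       localhost
192.168.100.1   emaildomain.com   # change to PC1's IP
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {name: ip}. '#' starts a comment; the first
    field is the address, every following field is a name for it."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table


class HostConfig:
    """Static IPv4 configuration of one PC. Gateway and DNS may be left out,
    which is exactly what the lockdown relies on."""

    def __init__(self, ip: str, mask: str, gateway: Optional[str] = None,
                 dns: Optional[str] = None, hosts_text: str = "") -> None:
        self.iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        self.gateway = ipaddress.IPv4Address(gateway) if gateway else None
        self.dns = dns
        self.hosts = parse_hosts(hosts_text)

    def next_hop(self, dst: str) -> Optional[str]:
        """Routing decision: on-link if dst is in our subnet, otherwise via the
        default gateway, otherwise there is simply no route."""
        addr = ipaddress.IPv4Address(dst)
        if addr in self.iface.network:
            return "on-link"
        if self.gateway is not None and self.gateway in self.iface.network:
            return f"via gateway {self.gateway}"
        return None

    def reach(self, target: str) -> str:
        """Verdict for a name or dotted address, in the order the stack applies:
        resolve (hosts first, then DNS if a server is set and routable), then route."""
        try:
            ip = str(ipaddress.IPv4Address(target))
        except ValueError:
            ip = self.hosts.get(target.lower())
            if ip is None:
                if self.dns is None:
                    return "unresolvable: no hosts entry and no DNS server"
                if self.next_hop(self.dns) is None:
                    return f"unresolvable: DNS server {self.dns} has no route"
                return f"name would be sent to DNS {self.dns}"
        hop = self.next_hop(ip)
        if hop is None:
            return f"no route to {ip}: no default gateway"
        return f"{ip} {hop}"


def audit_lockdown(cfg: HostConfig, required_names: List[str]) -> List[str]:
    """The check an admin runs after configuring PC2: returns findings;
    an empty list means the lockdown is intact."""
    findings: List[str] = []
    if cfg.gateway is not None:
        findings.append(f"default gateway present ({cfg.gateway})")
    if cfg.dns is not None:
        findings.append(f"DNS server present ({cfg.dns})")
    for name in required_names:
        ip = cfg.hosts.get(name.lower())
        if ip is None:
            findings.append(f"hosts file lacks entry for {name}")
        elif ipaddress.IPv4Address(ip) not in cfg.iface.network:
            findings.append(f"{name} maps to off-link address {ip}")
    return findings


# PC2 as the thread proposes: static address, no gateway, no DNS, hosts entry for PC1.
PC2_LOCKED = HostConfig("192.168.100.2", "255.255.255.0", hosts_text=HOSTS_FILE)

# PC2 with only a DNS server re-added (gateway still missing): still stuck.
PC2_DNS_ONLY = HostConfig("192.168.100.2", "255.255.255.0",
                          dns="203.0.113.53", hosts_text=HOSTS_FILE)

# PC2 after a user with admin rights copies PC1's gateway and DNS settings over.
PC2_UNDONE = HostConfig("192.168.100.2", "255.255.255.0",
                        gateway="192.168.100.254", dns="203.0.113.53",
                        hosts_text=HOSTS_FILE)

if __name__ == "__main__":
    for label, cfg in (("locked", PC2_LOCKED), ("dns-only", PC2_DNS_ONLY), ("undone", PC2_UNDONE)):
        print(f"[{label}] findings: {audit_lockdown(cfg, ['emaildomain.com']) or 'none'}")
        for t in ("emaildomain.com", "203.0.113.10", "www.example.com"):
            print(f"  {t:18} -> {cfg.reach(t)}")
```

On Windows 2000/XP the corresponding real configuration, assuming the adapter is named "Local Area Connection", is `netsh interface ip set address "Local Area Connection" static 192.168.100.2 255.255.255.0` (no gateway argument) followed by `netsh interface ip set dns "Local Area Connection" static none`; `ipconfig /all` should then show empty Default Gateway and DNS Servers fields. The hosts file on PC2 should be writable by administrators only: a user who can edit it gains nothing toward internet access, but could break mail by pointing emaildomain.com somewhere else.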
Zoofan - Thanks again. One comment: I am not certain that PC2 requires TCP/IP for the email client, only file sharing. I am checking this now and will revert ASAP - Greg
ok,


Will be up for about an hour, then off for the night. Post back if needed.


zf
zoofan - Attached is an excerpt from the User Manual for the email program (called SkyFile, www.skyfile.com). I am not sure if such file sharing requires TCP/IP or not - what do you think? - Greg
Attachment: SkyFile-Mail-LAN-instl.doc
Have read the doc, checking the site next. From what I can tell there is no client app (sorta); it's simply a file share on the single PC that each remote runs over the network, so I would say, based on this, option three is your safest best bet: NetBEUI only (remember PC1 and PC2 need it to talk). Remove TCP/IP altogether from PC2, as NetBEUI is a LAN-only protocol and will provide all the connection/access/communication you need for file sharing and guarantee that PC2 won't go external (provided the end user doesn't install and configure TCP/IP).


Will read up at the site as well to verify, but it sounds rock solid at the moment.


zf

This line bothers me a little, lol:

"all different users could theoretically access an own mailbox from their PC"

Not sure exactly what that means...


zf
Well, the site was no help at all, so based solely on what I read in the doc I agree: it does not require TCP/IP to work; it requires a network share and LAN access only. Remove TCP/IP from PC2, install NetBEUI on PC2 and PC1, share a folder on PC1 (limit permissions as much as possible to avoid mishaps), map the share on PC2, create a shortcut on the desktop, you're done.


zf
I think you are on the right track Zoofan - the comment above refers to separate "sub-accounts" and should not affect my main objective. The users on PC2 WILL NOT HAVE ADMIN RIGHTS.

On the website, look on the right sidebar menu for the SkyFile User Manual if necessary.  As for the PC1 connection to the satellite terminal, it must be a tcp/ip connection.
Can I have BOTH Netbeui and tcp/ip active on PC1? - greg
Agreed on PC1 being required to have TCP/IP, but it will need to have NetBEUI as well to talk to PC2 (that was my reference).

Got the links, reading PDFs now. (Don't know what I was looking at the first time, sheesh.)



zf


SOLUTION (zoofan) [answer text hidden behind the site's membership wall]

SOLUTION [answer text hidden behind the site's membership wall]
Hello Samipk - thanks for your comments. This also sounds very possible. A tight lock on PC2 is an absolute MUST. Mobile satellite internet service is NOT cheap!! And with 20+ crewmen onboard and away from home for several months at a time, it MUST be locked down.

Do any of these solutions conflict with any other one? If not I will use them all. - Greg
No, they won't conflict.

But I have a question. If PC2 has no TCP/IP and users do not have admin rights to reinstall it, PC2 will only be permitted to connect to PC1 via NetBEUI. All apps on PC2 will have network communication via NetBEUI, which is non-routable, non-internetable, non-anything except LAN broadcast messages. So if PC2 does by some miracle get external access, it will have to be via PC1, in which case adding a firewall with a rule that allows all communication to PC1 is, well, in a nutshell, pointless, is it not?

I will add, though, that Sygate will allow you to configure an advanced rule based on application, protocol, user, time, data type, and port. And if you want to take it to that level you can. But PC2 getting to the internet with only NetBEUI as its protocol can only happen if a user modifies the machine or PC1 gives it to it; either way the firewall cannot and will not stop that.



zf



NetBEUI (NetBIOS Extended User Interface) is a new, extended version of NetBIOS, the program that lets computers communicate within a local area network. NetBEUI (pronounced net-BOO-ee) formalizes the frame format (or arrangement of information in a data transmission) that was not specified as part of NetBIOS. NetBEUI was developed by IBM for its LAN Manager product and has been adopted by Microsoft for its Windows NT, LAN Manager, and Windows for Workgroups products. Hewlett-Packard and DEC use it in comparable products. NetBEUI is the best performance choice for communication within a single LAN. Because, like NetBIOS, it does not support the routing of messages to other networks, its interface must be adapted to other protocols such as Internetwork Packet Exchange or TCP/IP. A recommended method is to install both NetBEUI and TCP/IP in each computer and set the server up to use NetBEUI for communication within the LAN and TCP/IP for communication beyond the LAN.



zf
NetBEUI = no internet that is not supplied to it by PC1, no matter what


zf
Sorry, thought I should clarify "Sygate will allow you to configure an advanced rule" and "either way the firewall cannot and will not stop that".

You need an advanced rule that allows:
by user: the PC2 user
by protocol: NetBEUI is all there is
by app: the app they must be able to use
by time: whenever they need it
by port: one that the app they must use is able to tunnel through
by data type: the data type required for the app they must use to work

So you have now created a rule that will not block internet access (which cannot happen anyway) to PC2 from PC1.


zf
ASKER CERTIFIED SOLUTION [answer text hidden behind the site's membership wall]
If you or he has troubles, repost in this question and I will try to help anyway I can.


zf
Thank you, very kind!! There should be a small box above your post box (to the left) to raise points if desired. At least there is in expert view, not sure about professional view.

zf
Yes, I certainly didn't see it before so I have raised the points to 250
Thanks again
glad to help, if you have troubles implementing post back.


zf