I recently ran into a customer requirement: internal users should be able to reach only certain websites on the Internet and nothing else. It looked straightforward: write an inter-zone policy that permits the DNS server address and the website's address, test it, and everything works. A few days later the customer reported that the website would no longer open. Nobody had touched the device. I logged in on site: the configuration was unchanged, and the site's address still answered ping. When I disabled the inter-zone policy (set it to permit all), the site was reachable again, so the problem was somewhere in the inter-zone policy. Testing the site again showed that its IP address had changed.

This is the real difficulty: the site's IP address changes. The IP changes, but the domain name does not, so controlling by domain name avoids this problem. Be careful when writing the domain name: to permit Baidu, write baidu.com, not www.baidu.com, otherwise Baidu's other applications will not open. That solves the problem of a domain's IP changing.

A few days later, though, the customer added a new site. Following the same steps, the web page would not open, yet it could be reached as soon as the inter-zone policy was opened up again. Once more the culprit was the destination address in the inter-zone policy. Here is the key point: many sites today no longer produce all of their content themselves but pull it from elsewhere, so when you open a web page, the page itself tells your browser which other IP addresses to download things from. Once you understand this, the next step is to find out which IP addresses have to be permitted. Note that for a real public website with rich content, the external IPs it calls can be numerous and finding them all is very tedious; the approach here is aimed at internal OA and office-type sites with simple content and a specific set of users.

Open up the inter-zone policy so the site can be accessed, then look at the firewall's session list filtered by the source IP. There will be a large number of sessions; using the TCP session times, find the connections that were initiated together with the connection to the domain name's IP, then test and troubleshoot. Although it is tedious, the specific IPs can eventually be worked out. This is really a clumsy method; with a dedicated application-control device that can identify applications and websites, the job would be much simpler.
Case: restricting access to specific websites with a firewall
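The session-list correlation step described above, as an added example that is not part of the original post: it runs over a constructed text export of a session table (not any vendor's real format), assumes the allowed domain currently resolves to 203.0.113.10, and reports the other destinations the same client opened within a few seconds of its session to the site's own IP, which are the candidate third-party addresses the inter-zone policy is still missing.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample of a firewall session table exported as text.
# 10.1.1.20 is the test client; 203.0.113.10 is the allowed site's current IP.
SESSIONS = """\
2024-03-05 09:00:01 tcp 10.1.1.20:51000 -> 203.0.113.10:443
2024-03-05 09:00:01 tcp 10.1.1.20:51001 -> 203.0.113.10:443
2024-03-05 09:00:02 tcp 10.1.1.20:51002 -> 198.51.100.7:443
2024-03-05 09:00:03 tcp 10.1.1.20:51003 -> 198.51.100.22:80
2024-03-05 09:07:40 tcp 10.1.1.20:51010 -> 192.0.2.99:443
2024-03-05 09:00:02 tcp 10.1.1.33:52000 -> 192.0.2.50:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) tcp "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_sessions(text):
    """Parse session lines into (timestamp, src_ip, dst_ip, dst_port) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                         m["src"], m["dst"], int(m["dport"])))
    return rows


def companion_destinations(rows, client_ip, site_ips, window=timedelta(seconds=10)):
    """Destinations the client contacted shortly after opening the site itself.

    site_ips: the IPs the allowed domain resolves to (from DNS or the session list).
    Returns the extra destination IPs, sorted numerically, that the policy lacks.
    """
    anchors = [ts for ts, src, dst, _ in rows if src == client_ip and dst in site_ips]
    extra = set()
    for ts, src, dst, _ in rows:
        if src != client_ip or dst in site_ips:
            continue  # other clients, and the site itself, are not candidates
        if any(a <= ts <= a + window for a in anchors):
            extra.add(dst)
    return sorted(extra, key=ipaddress.ip_address)


if __name__ == "__main__":
    rows = parse_sessions(SESSIONS)
    print(companion_destinations(rows, "10.1.1.20", {"203.0.113.10"}))
    # -> ['198.51.100.7', '198.51.100.22']
```

The session at 09:07:40 falls outside the window and is left out, which is the kind of unrelated traffic that makes reading the raw session list by hand so tedious.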