How to block some websites in a small office?

  • I had a wireless connection in my office with one laptop. Now I bought two more laptops for my employees, and I give them Internet access. I want to block a few websites.

    My current connection uses a basic modem-cum-wireless-router which doesn't have any web filtering feature. So I guess I need another piece of equipment.

    What kind of equipment do I need to filter the web traffic and block a few sites? How should I go about configuring it?

    Please read the FAQ. We don't allow shopping questions here, nor do we provide product recommendations.

    Edited as per @Polynomial's comment

    Are your employees technically savvy? If they are, they will probably find a way around your measures unless you spend some time on configuring a Linux machine with very limited user options. Important notice: if there is only a set of specified websites your employees need to be able to access, it would be better to rely only on whitelists of websites (i.e. the user cannot reach anything not included in the list).

    Why? This sounds like a people problem -- if people aren't supposed to browse the internet at work, then make it clear upfront and treat your workers like adults. Blocking web traffic is just going to be a waste of your time, and their time too when a website your workers need is inevitably blocked by accident. Not to mention the effect on morale when workers can't do anything interesting on their breaks because you don't trust them.

  • I believe that you can do this with OpenDNS. You can probably learn enough of OpenDNS in a few minutes to do this, and as a side effect you'll significantly improve your overall security and quite possibly your reliability and speed. Alternatively, depending on the router you have, you could flash it with dd-wrt (or CeroWRT or tomato). This requires significantly more technical skill, but will result in a much more powerful tool. (and if your router doesn't support one of these, you can buy one that does for under $100).

    Of course, so long as the employees have administrative access to their laptops and either a modicum of technical skill or the ability to follow directions on the internet, they can defeat all these measures. Depending on how important it is to you that these sites be filtered, you need to detect violations as well as prevent them. Much of the ultimate answer depends on how much assurance you need.

    As mentioned, technically savvy employees will find a way to bypass any of the suggested restrictions mentioned: the hosts file could be changed or bypassed using a web proxy or other solutions; DNS could be bypassed as well by using web proxies or by altering the DNS configuration (see Ozyman's scripts), and if you managed to limit those as well, a portable version of Tor will probably bypass any other restriction you'll define.

    The best solution is education. Explain your rules and reasoning to your employees and monitor their use of web access to verify they follow the rules you described. But be aware! There's a fine line between being Big Brother and keeping employees from wasting too much time on the Internet.

    If you go with this option, note that rearranging the office to force your employees to sit with their monitors in your sight might help as well.

    If you are thinking of logging your employees' traffic, mind this:

    A tool like Net Spy Pro allows you to monitor employee Web usage from a single desktop. This particular tool even allows the administrator to view employee bookmarks and favorites. Although some think this a better approach than implementing policies and preventing access to certain (or all) Web sites, many people view this quite the opposite.

    This link also describes two other techniques for handling demands like yours. One is OpenDNS, which was mentioned earlier:

    OpenDNS enables you to manage the Internet experience on your network with pre-defined category bundles, custom policies, whitelist-only mode and domain blacklist and whitelist. Create exceptions using time limited or persistent bypass codes or credentials.

    Depending on your needs - whether you want to limit your employees from accessing Facebook, or from visiting malware sites - other free DNS solutions are available. Examples are Comodo's Secure DNS or Google DNS; these two provide protection but not web filtering.

    Also, since some OpenDNS features are for enterprise customers only, check with your ISP for content filtering; in some countries governments force ISPs to provide this option (it is also possible to set the limitation to specific hours).

    The other tool mentioned in the link is PacketFence which is...

    ...a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful guest management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.

    I don't have any past experience with this application, so I cannot vouch for its quality; if you are looking for a commercial alternative to PacketFence, try here.

  • You should get a wireless router with the ability to blacklist certain web pages. As I understand the question, you suggest adding another wireless router because you want to go to the blocked websites yourself, while your employees cannot. If you want your employees on such an isolated network, connect both wireless routers to the modem directly. If that is not possible, connect the two routers to a switch first, and then connect the switch to the modem.

    +1 on this. If you can afford two new laptops, you should be able to afford a router that supports such blocking. It's a standard feature of almost every home and corporate router these days.

    A free solution is to modify the `hosts` file on each laptop.

  • The simple way is to add the sites that you want to block to the "hosts" file. You can find the hosts file in Windows\System32\drivers\etc on Windows.

    Scroll to the end and add something like this:
    is the localhost. You can replace the localhost IP with any IP you want, for example

    PS: this is a simple method of blocking sites.

    This blocks requests generated by a web page, it doesn't block users from accessing sites (they can revert this modification or use a proxy that makes external DNS requests). Also, please write in English, with punctuation, *you*, etc.

    It is worth noting that this change is specific to the client connecting to the Internet, i.e. interfering with the employee's computers.
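    The comments above note that a hosts-file entry can simply be reverted on the laptop. One way to check whether such a blocklist is still in place is to parse the file and compare it with the entries you expect; this is an added example, not code from the original answer, and the sample hosts text and domain names in it are constructed.

    ```python
    """Audit a hosts-file blocklist: parse the file and report which expected
    entries are missing or no longer point at a sink address.

    Added example (not from the original answer). The sample hosts text and the
    domain names below are constructed placeholders."""
    import re
    from typing import Dict, List

    # Addresses that swallow a request instead of reaching a real server.
    SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


    def parse_hosts(text: str) -> Dict[str, str]:
        """Map each hostname (lower-cased) to the address it resolves to.

        Handles '#' comments, blank lines, tabs and several names on one line.
        The first entry for a name wins, since resolvers read the file top down."""
        mapping: Dict[str, str] = {}
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            fields = re.split(r"\s+", line)
            if len(fields) < 2:
                continue  # malformed: an address with no names after it
            address, names = fields[0], fields[1:]
            for name in names:
                mapping.setdefault(name.lower(), address)
        return mapping


    def audit_blocklist(hosts_text: str, blocked: List[str]) -> Dict[str, List[str]]:
        """Report blocked domains that are absent from the file ('missing') or that
        map to a real, non-sink address ('unblocked'), which is how a reverted or
        edited entry shows up."""
        mapping = parse_hosts(hosts_text)
        result: Dict[str, List[str]] = {"missing": [], "unblocked": []}
        for domain in blocked:
            address = mapping.get(domain.lower())
            if address is None:
                result["missing"].append(domain)
            elif address not in SINK_ADDRESSES:
                result["unblocked"].append(domain)
        return result


    # Constructed sample: two entries intact, one edited to a real address
    # (203.0.113.5 is from the documentation range), one entry removed entirely.
    SAMPLE_HOSTS = """\
    # constructed sample hosts file
    127.0.0.1       localhost
    ::1             localhost
    127.0.0.1   social.example  www.social.example   # blocked by office policy
    0.0.0.0\tvideo.example
    203.0.113.5     games.example        # entry changed by a user
    """
    EXPECTED_BLOCKED = ["social.example", "www.social.example", "video.example",
                        "games.example", "chat.example"]

    if __name__ == "__main__":
        print(audit_blocklist(SAMPLE_HOSTS, EXPECTED_BLOCKED))
    ```

    The check only covers name resolution; as the later answers point out, browsing by IP address or through a proxy never consults the hosts file at all.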

  • OpenDNS is the best method as you can subscribe to certain categories and they'll sort out the filtering for you, so you don't have to blacklist individual sites yourself (though you can do this too).

    It also gives you a bunch of statistics and it's free, so even if you didn't need these features I'd recommend using it.

  • Web Filtering is hard. I work for a large organisation that does this. The equipment we use is very specialised, very powerful, and very expensive.

    Your question is about how to block websites, and you've got some good answers about various ways of doing so: Modifying the hosts file, using custom DNS, and using a router with a web filtering feature.

    However, as already commented, it is not possible to prevent a technically capable employee from bypassing these measures without incurring significant costs - both in terms of how much money you'll need to spend to buy gear and expertise, and how much inconvenience and lost productivity you'll incur.

    I think it's also very important that you address the question of why you want to block websites, and see if there are non-tech solutions to the problem. If the issue is productivity, perhaps capital expenditure on better equipment or training is the answer. If the issue is people viewing inappropriate material, why not implement (and enforce!) a "professional behaviour" policy.

    You should always keep in mind the end goal, and remember that there can be technical and non-technical ways to accomplish it. Choose the best option for your business.

  • The simple way is to modify the hosts file: /etc/hosts

    Another way: I used a pretty Python package. It helps you keep focused by applying schedulable firewall rules to distracting websites.

    The first line is redundant with the answer given by lon3r. The second line is interesting, but needs a bit more explanation - I'll edit to add at least a one liner from the site, but it would help to know _why_ you found this the best option.

  • Using software on the computers of your employees to block websites isn't really good:

    1. DNS and hosts files work like phonebooks, as mentioned above. Even if you erase a name in a phonebook, the numbers still exist. So your employees only have to write the IP address of a desired server in the address bar of their browser to access the websites. Search for "IP servername" and you get it.
    2. With Live-CDs your employees can access the filesystem of your computers with administrator privileges. So they are free to reconfigure your security settings and can do what they want.

    Solution: Only hardware not touchable by your employees can really block forbidden websites. For example, behind a locked door!

    Your InternetServiceProvider<-->Modem<-->(Router)<--->HardwareFirewall<-->Router<-->Computer

    HardwareFirewall could be a mixture of port filter with black- or whitelist and Application Level Gateways. There are a lot of routers with firewalls onboard. I think this is the best choice for you. And don't forget to let the modem, router and firewall stay behind a locked door!

    Some good thoughts in this answer, but I think you're making too many assumptions about the goal. Is the OP trying to discourage time-wasters, or to demonstrate some attempt at compliance, or to do something really serious? Are the employees in question sophisticated enough to do a Live-CD? I think the answer would be better if it involved fewer assumptions and fewer judgmentalisms (e.g. "not good"). Excellent answers should serve as a reference for all future SE visitors.

    And if the users are running with Admin permissions (needed to reconfigure firewalls), then nothing else you do really makes a difference.

    With admin permissions you can reconfigure the firewall on the computer you have the permission for. But on a router or hardware firewall you only have the web interface, if you can't press the hardware reset button. The interface can be secured by a strong password and by selecting a port I can only access with the admin's IP/MAC address, for example.

    I haven't judged anyone. It's you who has these thoughts. ;-)

    And sorry, in my opinion the expression "Use OpenDNS and you're secure" is a little bit naive.

    @Kasma: Take the best of all answers and take my thoughts about DNS and hosts-file into consideration. Only you know your employees. I think a router like Henning Klevjer said would best fit your task.

    Re-reading that, my comment came off harsher than I intended; I didn't mean that to be personal, and SE doesn't give me the chance to edit that. That said, answers that include "doing x is not good" are built on assumptions about what is appropriate to the situation. "good/not good" is a simple black/white standard; as the FAQ says, "Security is a very contextual topic" - I believe the best answers provide the opportunity to interpret in multiple contexts.

    @Mark You're right with the black and white thing. Peace! An example: At home I have a router which blocks some sites for my children. Because I know my family would never ever lay hands on it, I put it in a cupboard. At work, where I'm responsible for the integrity of data (digital contracts, bills and so on), I won't do this.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM