Firewall – Best practices to block social sites

firewall, freebsd, webfilter

In our company we have around 100 workstations with Internet access, and the day-to-day situation is getting worse and worse from the perspective of using
Internet access for the purpose of doing private jobs, and wasting time on social sites.

Open-hearted as I am, I don't like blocking sites like Facebook, YouTube and other similar sites, but day by day my colleagues do not finish their tasks, and any time I look at their monitors they are running Internet Explorer or Mozilla Firefox, chat and things like that.
On the other hand I would like to block YouTube when we have a very low Internet access speed.

Here are my questions:

  • Do other companies block social sites?
  • Do I need a dedicated device for that, like a hardware firewall or a super expensive router? Or can I do that with my existing FreeBSD 6.1 self-made router with two LAN cards and configured NAT to act like a router?

I was trying to do that using ipfw and routerfirewall but without success.
My code looks like:

# Note: ipfw resolves a hostname only once, when the rule is added, and installs the
# single address the resolver returns at that moment; it does not match the name.
ipfw add 25 deny tcp from 192.168.0.0/20 to www.facebook.com
ipfw add 25 deny udp from 192.168.0.0/20 to www.facebook.com
ipfw add 25 deny tcp from 192.168.0.0/20 to www.dernek.
ipfw add 25 deny udp from 192.168.0.0/20 to www.dernek.
ipfw add 25 deny tcp from 192.168.0.0/20 to www.youtube.com
ipfw add 25 deny udp from 192.168.0.0/20 to www.youtube.com

What can I do to fix this problem?

Best Answer

Do other companies block social sites?

Yes, but that doesn't mean it is a good idea. The book Predictably Irrational has an interesting discussion and links to several studies that basically suggest that if you block minor personal usage, it can actually cost you in productivity. If people think their workplace is friendly and home-like, they are more likely to work from home beyond their 40 hours.

If one individual is causing problems it may be better to work with the individual than to use a technology solution that simply breaks things. Technology is not a replacement for a manager actually doing their job.

Most filters are easily bypassed; you really should try to avoid getting into an arms race with your coworkers. At some point you will just make your firewall so hostile that they won't be able to get actual work done, and you still will probably not have blocked all the possible ways around the firewall.

Do I need a dedicated device for that, like a hardware firewall or a super expensive router? Or can I do that with my existing FreeBSD 6.1 self-made router with two LAN cards and configured NAT to act like a router?

You can install Squid + SquidGuard and force all traffic through the proxy. You can set up ACLs to block sites you don't like.

I suggest you set up Squid as a proxy, with no ACLs to block anything, and just watch the logs. Force everyone through the proxy (with notice). Then set up something like SARG to build reports. If someone is really having a problem, having a good report will give the employee's supervisor the evidence they need to start addressing the problem.
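
As an added example (this is not code from the question or from the answer above), here is what the two steps of the answer look like on the FreeBSD router: Squid ACL lines that deny a domain list for the LAN only during working hours, an ipfw rule that pushes LAN web traffic into the proxy, and a small awk report over Squid's native access.log so you can see who is spending bytes where before deciding to block anything. The LAN range 192.168.0.0/20 is taken from the question; the interface name em0, the block-list path, the ACL names, the proxy port and the log lines are assumptions or constructed data. It also shows why the hostname rules in the question cannot work as intended: ipfw resolves a hostname once, at rule-insertion time, to a single address, so a site served from many addresses is never fully covered, which is the reason to filter by domain name at the proxy rather than by IP at the packet filter.

```shell
#!/bin/sh
# Added example for the Squid + ipfw approach; not part of the original page.
# Assumed names: blocked.txt (one domain per line, e.g. ".facebook.com"),
# ACLs "lan", "blocked", "workhours", interface em0, Squid on 127.0.0.1:3128.

# 1. squid.conf fragment: deny the listed domains for the LAN during work
#    hours only, then allow the LAN and deny everything else.
#    Squid "time" ACL days: M T W H F (H = Thursday).
gen_squid_acl() {
    # $1 = path to the domain list, $2 = LAN CIDR
    printf 'acl lan src %s\n' "$2"
    printf 'acl blocked dstdomain "%s"\n' "$1"
    printf 'acl workhours time MTWHF 08:00-17:00\n'
    printf 'http_access deny lan blocked workhours\n'
    printf 'http_access allow lan\n'
    printf 'http_access deny all\n'
}

# 2. ipfw rule that forces LAN HTTP into the proxy without touching clients.
#    Needs "options IPFIREWALL_FORWARD" in the kernel and Squid listening in
#    transparent/intercept mode (keyword depends on the Squid version).
#    Matching by address range instead of by hostname is what makes this work:
#    ipfw resolves a hostname only once, when the rule is added.
gen_ipfw_redirect() {
    # $1 = LAN CIDR, $2 = inside interface, $3 = proxy port
    printf 'ipfw add 100 fwd 127.0.0.1,%s tcp from %s to any 80 in via %s\n' "$3" "$1" "$2"
}

# 3. Usage report from Squid's native access.log (default "squid" logformat):
#    time elapsed client code/status bytes method URL ident hierarchy type
#    Prints "client site requests bytes", largest byte count first.
report_usage() {
    awk '{
        url = $7
        sub(/^[a-z]+:\/\//, "", url)   # strip "http://" (absent on CONNECT lines)
        sub(/[:\/].*$/, "", url)        # keep only the host part
        key = $3 " " url
        req[key]++
        bytes[key] += $5
    }
    END { for (k in req) printf "%s %d %d\n", k, req[k], bytes[k] }' | sort -k4,4nr
}

# Constructed sample log lines (not real traffic), in Squid native format.
sample_log() {
    cat <<'EOF'
1300000000.100   120 192.168.0.10 TCP_MISS/200 45678 GET http://www.facebook.com/home.php - DIRECT/1.2.3.4 text/html
1300000001.200  2500 192.168.0.10 TCP_MISS/200 2000000 GET http://www.youtube.com/watch?v=abc - DIRECT/1.2.3.5 video/x-flv
1300000002.300  1800 192.168.0.10 TCP_MISS/200 1000000 GET http://www.youtube.com/watch?v=def - DIRECT/1.2.3.5 video/x-flv
1300000003.400    80 192.168.0.11 TCP_HIT/200 5120 GET http://www.example.com/ - NONE/- text/html
1300000004.500   200 192.168.0.11 TCP_MISS/200 10240 CONNECT www.facebook.com:443 - DIRECT/1.2.3.4 -
EOF
}

# Demo when run directly: print the config fragments, then the report.
gen_squid_acl /usr/local/etc/squid/blocked.txt 192.168.0.0/20
gen_ipfw_redirect 192.168.0.0/20 em0 3128
sample_log | report_usage
```

Run it as-is to see the generated fragments and the per-client, per-site summary; in production, feed the real access.log into report_usage (or let SARG do the same job) and only append the deny line once the numbers justify it.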
