The URL filter allows web traffic to be blocked based on category. This allows blocking of unsuitable content for business networks and preventing children from viewing age-inappropriate content.
Note - For the URL filter to work with https, the Advanced Web Proxy must be in Conventional Mode (non-transparent mode). If the Advanced Web Proxy is set up in Transparent Mode, URL filtering will not take place for https traffic.
Enable the URL Filter
To use the filter, it must be enabled on the Web Proxy configuration page. In the WebGUI, go to menu Network -> Web Proxy. Select the URL filter Enabled check box and click the appropriate Save button at the bottom of the page.
Configure the URL Filter
In the WebGUI go to the menu Network -> URL Filter.
Block categories
At the top of the page you can see all the categories that can be blocked. Depending on the blacklist which has been downloaded (see below for details on blacklists), you may have different categories than those in this example.
Custom blacklists
The Custom blacklists are optional. Click the Enable custom blacklist to block the manually entered domains and URLs.
Blocked domains (left side)
Blocked domains (one per line). Input the domains you want to block.
Example:
example.com
test.net
subdomain.smallexample.com
Blocked URLs (right side)
Blocked URLs (one per line). Input the URLs you want to block.
Example:
example.com/ads
test.net/junk
Custom whitelist
The custom whitelists are optional. Click the Enable custom whitelist to allow the manually entered domains and URLs. These entries are allowed even if they are listed in a blocked category.
Allowed domains (left side)
Allowed domains (one per line). Input the domains you want to allow.
ipfire.org
wiki.squid-cache.org
bugzilla.netfilter.org
Allowed URLs (right side)
Allowed URLs (one per line). Input the URLs you want to allow.
wiki.squid-cache.org/SquidFaq/FaqIndex
squid-cache.org/Doc/
Custom expression list
The custom expression list is optional. Enable this to use the manually entered expressions.
Custom expression list (one per line). URLs are blocked if one of the manually entered expressions matches them.
FIXME - Does the "Custom expression list" also block phrases as stated on old URL Filter wiki page like teens, arms ?
It depends on whether the URL is http or http(s).
Test done with Firefox, with Manual Proxy on port 800 activated.
Clear text in an http URL:
http://admin:123456789@192.168.0.100/cgi-bin/encoder?USER=Admin&PWD=123456&SNAPSHOT=N640x480,100&DUMMY=n
Custom Expression 123456 access denied
Custom Expression dummy (small letters) access denied
Custom Expression DUMMY (capital letters) access denied
Custom Expression 123456789 access denied
Clear text in an http(s) URL:
https://admin:123456789@192.168.0.100/cgi-bin/encoder?USER=Admin&PWD=123456&SNAPSHOT=N640x480,100&DUMMY=n
Custom Expression 123456 access yes
Custom Expression dummy (small letters) access yes
Custom Expression DUMMY (capital letters) access yes
Custom Expression 123456789 access denied
Example of an access denied on a match
The Proxy recognizes just the domain, subdomains and the port 443 (ex. subdomain.d), therefore the URL Filter does not really work for https URLs.
In other words: the URL Filter acts on just the domain.
Example of an https URL as recognized by the Proxy:
admin:123456789@192.168.0.100:443
File extension blocking
Optionally you can block files by extension.
- Block executable files - Enable this to block the download of executable files.
  - For example: .bat .com .exe .sys .vbs
- Block audio/video files - Enable this to block the download of audio and video related files.
  - For example: .aiff .avi .dif .divx .mov .movie .mp3 .mpeg .mpv2 .ogg .qt .wav .wma .wmf .wmv
- Block compressed archive files - Enable this to block the download of compressed archives containing other files.
  - For example: .bin .bz2 .cab .cdr .dmg .gz .hqx .rar .sit .sea .tgz .zip
Local file redirection
FIXME - This needs to be explained!
This option works just for http, not for http(s), because with http(s) the Proxy does not see the whole URL; it sees just the domains and subdomains. For further understanding of this, see the http(s) example under "Custom expression list".
The idea of "Local file redirection":
Loading a web site means loading picture files etc. These can be saved locally on the IPFire HDD as a cache, so that they are loaded from the local HDD every time we visit that site.
Save picture files of sites you often visit to your PC first. Keep the original file names.
You can then choose the files to upload to the IPFire HDD and manage them there.
Network based access control
Unfiltered IP addresses (left side)
Entered IP address(es) or network(s) will bypass all active filter rules. In the example below, the two local clients, 192.168.40.200 and 192.168.40.201, are allowed to access the internet without any filtering.
Banned IP Addresses (right side)
Entered IP address(es) or network(s) will be forbidden, regardless of the active filter rules. In the example below, the one local client, 192.168.40.13, is banned from accessing the internet:
You can input (one per line) one or more single host addresses (e.g. 192.168.1.10), networks in CIDR notation (192.168.0.0/24), networks with a certain netmask (192.168.0.0/255.255.255.0), or a range of hosts (192.168.1.10-192.168.1.20).
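The following added example (not IPFire code) checks a list in the four entry formats described above before it is pasted into the Unfiltered or Banned box, and reports which client addresses an entry actually covers. The function names and the sample list are constructed for illustration; rejecting a network with host bits set is this example's choice, not documented IPFire behaviour.

```python
import ipaddress

# Constructed sample list: the four formats from the text, then two bad entries.
SAMPLE = """192.168.1.10
192.168.0.0/24
192.168.0.0/255.255.255.0
192.168.1.10-192.168.1.20
192.168.40.300
192.168.0.5/24"""

def parse_entry(entry):
    """Return the (first, last) IPv4 addresses covered by one list entry."""
    entry = entry.strip()
    if "-" in entry:                      # range of hosts: first-last
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is above range end: {entry}")
        return lo, hi
    if "/" in entry:                      # CIDR prefix or dotted netmask
        net = ipaddress.IPv4Network(entry, strict=True)
        return net.network_address, net.broadcast_address
    host = ipaddress.IPv4Address(entry)   # single host address
    return host, host

def parse_list(text):
    """Parse a one-entry-per-line list; return (ranges, errors)."""
    ranges, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ranges.append(parse_entry(line))
        except ValueError as exc:         # bad octet, bad mask, host bits set
            errors.append((lineno, line.strip(), str(exc)))
    return ranges, errors

def covers(ranges, client):
    """True if the client address falls inside any parsed entry."""
    ip = ipaddress.IPv4Address(client)
    return any(lo <= ip <= hi for lo, hi in ranges)

if __name__ == "__main__":
    ranges, errors = parse_list(SAMPLE)
    for lineno, entry, reason in errors:
        print(f"line {lineno}: {entry!r} rejected ({reason})")
    for client in ("192.168.1.15", "192.168.1.21", "192.168.40.13"):
        print(client, "covered" if covers(ranges, client) else "not covered")
```

Running a proposed Unfiltered list through `covers` for a few known clients shows whether an entry exempts more hosts from filtering than intended.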
Time based access control
Time constraints can be configured so that blacklisted categories are permitted at specific times of the day, or week.
FIXME - This section needs help!
Block page settings
Redirect page template
Legacy only??
Show category on block page
If enabled, the blocked category will be shown in the block message. This can be a useful hint, if you are not sure which category is blocking your request.
Show URL on block page
If enabled, the blocked URL will be shown in the block message.
Show IP on block page
If enabled, the client IP address will be shown in the block message.
Use "DNS error" to block URLs
The default block message will be replaced by a “Server or DNS not found error” message.
Redirect to this URL
You can define a custom website to which clients will be redirected if they are blocked.
Message line 1 & 2 & 3
Define the text that will be used in the block message (three lines).
Advanced settings
Enable expression lists
Block "ads" with empty window.
Enable this to replace banners, pop-up windows and advertisements with a blank window. This will be done by redirecting to a 1 pixel sized .gif file. Requires the category “ads” or “adv” to be selected for blocking.
Block sites accessed by their IP Address
If enabled, all sites accessed by their IP address will be blocked. The same sites will be available if accessed by their domain name, and if not blocked by another rule.
Block all URLs not explicitly allowed
Enable this to block all requests, except for those defined in the “Custom Whitelist”.
Enable log
Write blocked sites to log.
Log username
Write the usernames that triggered the blacklist to the log file.
Split log by categories
Only one category will be written to each log.
Allow custom whitelist for banned clients
IP(s) or network(s) that are banned can browse sites defined in the Custom Whitelist.
Save(s)
Save - After making any changes, press the Save button to save them.
Save and Restart - Use the Save and Restart button to save and apply changes.
URL filter maintenance
In this section you can set up automatic download of the URL filter blacklist, create your own blacklist, or load an existing blacklist and edit it.
Blacklist update
TBD
FIXME
Automatic blacklist update
Set up the service and time interval for automatic download of the blacklist. You can also manually download lists.
The only listed source is Univ. Toulouse. The Univ. Toulouse webpage includes a list of categories and a brief description.
If the UT website is not reachable you could use this alternative link to review categories:
Collection of websites blacklists managed by the Université Toulouse Capitole
Note - The company Shalla Secure Services (shallalist) has been closed and in consequence the blacklist service has been stopped. The MESD list is unreachable.
Blacklist editor
TBD
Backup URL filter settings
TBD
Restore URL filter settings
TBD
At the bottom of the page you can back up and restore your URL filter setup.