Welcome, Guest. Please login or register.
Did you miss your activation email?
Sunday 22 December 2024, 11:20:15 pm

Login with username, password and session length

Visit the Official Endian Reference Manual  HERE
14262 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  EFW SMTP, HTTP, SIP, FTP Proxy Support
| | |-+  [proxy]How to block all URLs except the ones i specify?
0 Members and 2 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: [proxy]How to block all URLs except the ones i specify?  (Read 34807 times)
gunemalli
Jr. Member
*
Offline Offline

Posts: 3


« on: Monday 07 September 2009, 05:31:46 pm »

Hi all,

This is my first post here.

I run EFW on a small company. I want to block all outgoing URL's except to the company's website and their webmail service. I.e the following urls must be allowed and everything else must be blocked.

samanala.net, chameleonlk.com and mail.google.com/a/samanala.net

How can i do it?

PS: also for 2 machines this rule should be ignored.

Thanks & regards,

Gayan
Logged
haiau
Full Member
***
Offline Offline

Gender: Male
Posts: 22


Hải Âu


WWW
« Reply #1 on: Tuesday 08 September 2009, 11:40:43 am »

I'm Vietnamese, first sorry for my bad english.

1. You use "Squid Custom ACLs" - http://alumnus.caltech.edu/~igormt/endian/extras.html
    and more http://efwsupport.com/index.php?topic=428.0

2. Custom ACL's:
        #--- Def Services Your Custom ---
          acl services_custom_only url_regex "/var/efw/proxy/acls/services_custom_only.acl"
       
        #--- Def Users App (Change Your IP)---
          acl users_apply src 192.168.1.0/24
          acl users_apply src 172.16.0.1-172.16.0.100

3. Custom Rules:
        #--- Set Services Your Custom ---
           deny_info ERR_SERVICES_CUSTOM_ONLY services_custom_only
           http_access deny users_apply !services_custom_only

PS:
1. New file edit by Notepad and Save as: services_custom_only.acl
# ---  Content your custom defined  here ---

sama.net
chameleonlk.com
mail.google.com/a/sama.net

# ---  End Content your custom defined ---

2. deny_info ERR_SERVICES_CUSTOM_ONLY services_custom_only: Your defined Error page more info squid error pages? Check /usr/share/squid/errors/English/ http://efwsupport.com/index.php?topic=553.0

3. If you access all gmail, you can set:
# ---  Content your custom defined  here ---

sama.net
chameleonlk.com
mail.google.com/a/sama.net
gmail.com
gmail.google.com
mail.google.com

# ---  End Content your custom defined ---


### Luck for you ###
Logged

ICT - HPU Network Administrator
The new adherents of the Linux.
We learn Endian Firewall, need solutions form Endian Hotspot to support education.
gunemalli
Jr. Member
*
Offline Offline

Posts: 3


« Reply #2 on: Tuesday 08 September 2009, 06:01:24 pm »

Hello,

Thanks very much for the help. It solved my main issue. But now everyone inside the firewall is restricted to the above mentioned sites only.

I want to have 2 IPs or MACs to have unrestricted access to the internet.

Now how can i do that?
Logged
haiau
Full Member
***
Offline Offline

Gender: Male
Posts: 22


Hải Âu


WWW
« Reply #3 on: Tuesday 08 September 2009, 06:09:30 pm »

Hello,


I want to have 2 IPs or MACs to have unrestricted access to the internet.

Now how can i do that?

if you want to have a few ip addresses that no law shall apply to remove that address from the list applies.

#--- Def Users App (Change Your IP)---
          acl users_apply src 172.16.0.1-172.16.0.100 (not put that ip in this range.)
Logged

ICT - HPU Network Administrator
The new adherents of the Linux.
We learn Endian Firewall, need solutions form Endian Hotspot to support education.
gunemalli
Jr. Member
*
Offline Offline

Posts: 3


« Reply #4 on: Wednesday 09 September 2009, 02:12:46 am »

Thanks for your great support.

The problem that i have in this regard is that except the AD server, all the clients are on DHCP. So for now what i have done is:

#--- Def Users App (Change Your IP)---
acl users_apply arp MAC1
acl users_apply arp MAC2
...

to the pc's i want the acl to be applied. but anyways i'll try something like using statics for the other pc too and then use a range.

Thanks for the suggestion.

Oh BTW, your English is much better than many Wink
I can easily understand what you mean.
Logged
haiau
Full Member
***
Offline Offline

Gender: Male
Posts: 22


Hải Âu


WWW
« Reply #5 on: Wednesday 09 September 2009, 10:38:13 am »

Thanks for your great support.

The problem that i have in this regard is that except the AD server, all the clients are on DHCP. So for now what i have done is:


To se the MAC, you can refer to here: http://forums.opensuse.org/archives/sf-archives/archives-network-internet/341762-transparent-proxy-squid-2-6-suse-10-3-a.html

Alternative 1

Custom ACL's:
...
# --- MAC address list does not apply to law ---
    acl mac_accept arp "/var/efw/proxy/acls/mac_exclusion.acl"

Custom Rules:
...
# --- Block all MAC addresses not declared in mac_exclusion.acl use other services ...
# --- Service was declared in services_custom_only.acl ---
    http_access deny !mac_accept !services_custom_only

PS:
     To create mac_exclusion.acl like creating files services_custom_only.acl

# ---  MAC address list ---
00:11:25:e8:3e:b4
00:1c:b1:33:7e:40
# ---  End MAC address list ---

Alternative 2
   
Using a fixed address allocated by DHCP server.

1. You can specify a DHCP server lease fixed range of addresses from 172.16.0.1 to 172.16.0.9 for the users that you do not want to apply the law.

2. Please allocate addresses in range 172.16.0.10 to 172.16.0.254 for the user you want to apply the law.
Logged

ICT - HPU Network Administrator
The new adherents of the Linux.
We learn Endian Firewall, need solutions form Endian Hotspot to support education.
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.094 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com