12.2  URL Rules

These rules allow the administrator to limit access to Web pages whose URLs meet certain criteria. They also carry other functions, such as filtering of Web pages by occurrence of forbidden words, blocking of specific items (scripts, active objects, etc.) and switching antivirus checks on or off for certain pages.

To define URL rules, go to the URL Rules tab in Configuration → Content Filtering → HTTP Policy.

Figure 12.1. URL Rules


Rules in this section are tested from the top of the list downwards (you can order the list entries using the arrow buttons at the right side of the dialog window). If a requested URL passes through all rules without any match, access to the site is allowed. All URLs are allowed by default (unless denied by a URL rule).

Note: URLs which do not match any URL rule are available to any authenticated user (all traffic is permitted by default). To allow access only to a specific group of Web pages and block access to all other Web pages, a rule denying access to any URL must be placed at the end of the rule list.

The following items (columns) can be available in the URL Rules tab:

The following columns are hidden by default. To view them, use the Modify columns function in the context menu — for details, see chapter 3.2  View Settings.

Note: The default WinRoute installation includes several predefined URL rules. These rules are disabled by default. These rules are available to the WinRoute administrators.

URL Rules Definition

To create a new rule, select a rule after which the new rule will be added, and click Add. You can later use the arrow buttons to reorder the rule list.

Use the Add button to open a dialog for creating a new rule.

Figure 12.2. URL Rule — basic parameters


Open the General tab to set general rules and actions to be taken.

Description

Description of the rule (information for the administrator).

If user accessing the URL is

Select which users this rule will be applied on:

  • any user — for all users (no authentication required).

  • selected user(s) — for selected users or/and user groups who have authenticated to the firewall.

    Note:

    1. It is often desired that the firewall requires user authentication before letting users open a Web page. This can be set on the Authentication Options tab in Users (refer to chapter 15.1  Viewing and definitions of user accounts). Using the do not require authentication option, a rule can be defined that, for example, allows access to certain pages without authentication.

    2. Unless authentication is required, the do not require authentication option is ineffective.

  • selected user(s) — applied on selected users or/and user groups.

    Click on the Set button to select users or groups (hold the Ctrl and the Shift keys to select more than one user/group at once).

    Note: In rules, a username represents the IP address of the host from which the user is currently connected to the firewall (for details, see chapter 10.1  Firewall User Authentication).

And URL matches criteria

Specification of URL (or URL group) on which this rule will be applied:

  • URL begins with — this item can include either an entire URL (e.g. www.kerio.com/index.html) or only a substring of a URL, using an asterisk (wildcard matching) to substitute any number of characters (e.g. *.kerio.com*). A server name followed by /* represents any URL on the corresponding server (www.kerio.com/*).

  • is in URL group — selection of a URL group (refer to chapter 14.4  URL Groups) which the URL should match.

  • is rated by ISS OrangeWeb Filter rating system — the rule will be applied on all pages matched with a selected category by the ISS OrangeWeb Filter plug-in (see chapter 12.4  Content Rating System (ISS OrangeWeb Filter)).

    Click on the Select Rating... button to select from ISS OrangeWeb Filter categories. For details, refer to chapter 12.4  Content Rating System (ISS OrangeWeb Filter).

  • is any URL where server is given as IP address — by enabling this option users will not be able to bypass URL based filters by connecting to Web sites by IP address rather than domain name. This trick is often used by servers offering illegal downloads.

    Warning

    If access to servers specified by IP addresses is not denied, users can bypass URL rules where servers are specified by names.

Action

Selection of an action that will be taken whenever a user accesses a URL meeting a rule:

  • Allow access to the Web site

  • Deny access to the Web site — requested page will be blocked. The user will be informed that the access is denied or a blank page will be displayed (according to settings in the Advanced tab — see below).

Tick the Log option to log all pages meeting this rule in the Filter log (see chapter 22.9  Filter Log).
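As an added illustration (not WinRoute code) of the evaluation order described above, first match from the top decides and an unmatched URL is allowed, together with the URL begins with wildcard, the is any URL where server is given as IP address criterion and the bypass the warning describes. Class and function names, the removal of the scheme before matching, and the rule list and hosts (blocked.example, 203.0.113.10) are assumptions and constructed values.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed model of the manual's URL-rule evaluation; names such as
# UrlRule and evaluate are assumptions, not WinRoute's own API.

def wildcard_to_regex(pattern):
    # "URL begins with": '*' substitutes any number of characters and the
    # pattern is anchored at the start of the URL (scheme removed).
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")))

def server_is_ip(url):
    # "is any URL where server is given as IP address" (IPv4 or IPv6 literal).
    host = urlsplit("http://" + url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

class UrlRule:
    def __init__(self, description, action, begins_with=None, by_ip=False):
        self.description = description
        self.action = action                       # "allow" or "deny"
        self.pattern = wildcard_to_regex(begins_with) if begins_with else None
        self.by_ip = by_ip

    def matches(self, url):
        if self.by_ip:
            return server_is_ip(url)
        return self.pattern is not None and self.pattern.match(url) is not None

def evaluate(rules, url):
    """Rules are tested top-down, the first match decides; no match means allow."""
    url = re.sub(r"^https?://", "", url, count=1)  # assumption: scheme is not matched
    for rule in rules:
        if rule.matches(url):
            return rule.action, rule.description
    return "allow", None

# Constructed rule list; blocked.example and 203.0.113.x are documentation values.
# Without the last rule, the blocked server fetched by its IP address slips
# through to the default allow, which is the bypass the warning describes.
RULES = [
    UrlRule("Company site", "allow", begins_with="www.kerio.com/*"),
    UrlRule("Blocked site", "deny", begins_with="*.blocked.example*"),
    UrlRule("No access by IP address", "deny", by_ip=True),
]
```

Compare evaluate(RULES, url) with evaluate(RULES[:2], url) for a URL such as http://203.0.113.10/index.html to see the effect of the final by-IP deny rule.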

Go to the Advanced tab to define more conditions for the rule or/and to set options for denied pages.

Figure 12.3. URL Rule — advanced parameters


Valid at time interval

Selection of the time interval during which the rule will be valid (apart from this interval the rule will be ignored). Use the Edit button to edit time intervals (for details see chapter 14.2  Time Intervals).

Valid for IP address group

Selection of IP address group on which the rule will be applied. Client (source) addresses are considered. Use the Any option to make the rule independent of clients.

Click on the Edit button to edit IP groups (for details see chapter 14.1  IP Address Groups).

Valid if MIME type is

The rule will be valid for a certain MIME type only (for example, text/html — HTML documents, image/jpeg — images in the JPEG format, etc.).

You can either select one of the predefined MIME types or define a new one. An asterisk in the subtype position substitutes any subtype (e.g. image/*). A single asterisk stands for any MIME type — the rule will then be independent of the MIME type.

Denial options

Advanced options for denied pages. Whenever a user attempts to open a page that is denied by the rule, WinRoute will display:

  • A page informing the user that access to the required page is denied as it is blocked by the firewall. This page can also include an explanation of the denial (the Denial text item).

    The Unlock button will be displayed on the page informing about the denial if the Users can Unlock this rule option is enabled. Using this button users can force WinRoute to open the required page even though the site is denied by a URL rule. The rule will be unlocked for a certain time (10 minutes by default). Each user can unlock a limited number of denied pages (up to 10 pages at once). All unlocked pages are logged in the Security log (see chapter 22.11  Security Log).

    Rules can be unlocked only by users with corresponding rights (see chapter 15.1  Viewing and definitions of user accounts). This implies that unauthenticated (anonymous) users can never unlock rules.

    Note:

    1. If any modifications are made to the URL rules, all current unlocks are removed immediately.

    2. For security reasons, no HTML tags are allowed in the restriction text. If the plaintext format is not sufficient, it is recommended to use redirection to another page (see below).

  • A blank page — user will not be informed why access to the required page was denied.

  • Another page — user's browser will be redirected to the specified URL. This option can be helpful for example to define a custom page with a warning that access to the particular page is denied.

Open the Content Rules tab (in the HTTP Rules section) to specify details for content filter rules. Parameters on this tab can be modified only for rules where the Allow access to the Web site option is enabled.

Figure 12.4. Options for Websites with content meeting a URL rule


WWW content scanning options

In this section you can define advanced parameters for filtering of objects contained in Web pages which meet the particular rule (for details refer to chapter 12.3  Global rules for Web elements). Specific URL settings have higher priority than user settings (see chapter 15.1  Viewing and definitions of user accounts) and global rules for unauthorized users (refer to chapter 12.3  Global rules for Web elements).

One of the following alternatives can be set for each object type:

  • Allow — these objects will be displayed.

  • Deny — these objects will be filtered out of the page.

  • Default — global rules or custom rules of the particular user will be applied to such objects (this implies that this rule will not affect filtering of such objects).

Deny Web pages containing ...

Use this option to deny users access to Web pages containing words/strings defined on the Forbidden Words tab in Configuration → Content Filtering → HTTP Policy.

For detailed information on forbidden words, see chapter 12.5  Web content filtering by word occurrence.

Scan content for viruses according to scanning rules

Antivirus check according to settings in the Configuration → Content Filtering → Antivirus section will be performed (see chapter 13.3  HTTP and FTP scanning) if this option is enabled.

HTTP Inspection Advanced Options

Click on the Advanced button in the HTTP Policy tab to open a dialog where parameters for the HTTP inspection module can be set.

Figure 12.5. HTTP protocol inspector settings


Use the Enable HTTP Log and Enable Web Log options to enable/disable logging of HTTP queries (opened web pages) to the HTTP log (see chapter 22.10  Http log) and to the Web log (refer to chapter 22.14  Web Log).

A log format can be chosen for the Enable HTTP Log item: Apache access log (http://www.apache.org/) or Squid proxy log (http://www.squid-cache.org/). This matters mainly when the log will be processed by a specific analysis tool, which usually expects one of these formats.

Both HTTP and Web logs are enabled by default. The Apache option is selected by default as it is the more widely recognized reference format.

Use the Apply filtering rules also for local server option to specify whether content filtering rules will also be applied to local WWW servers which are available from the Internet (see chapter 7  Traffic Policy). This option is disabled by default — the protocol inspector then only checks HTTP protocol syntax and logs queries (WWW pages) according to the settings.