These rules allow the administrator to limit access to Web pages whose URLs meet certain criteria. They also cover related functions, such as filtering of web pages by the occurrence of forbidden words, blocking of specific items (scripts, active objects, etc.) and switching antivirus checking on or off for certain pages.
To define URL rules, go to the URL Rules tab in Configuration → Content Filtering → HTTP Policy.
Rules in this section are tested from the top of the list downwards (you can order the list entries using the arrow buttons at the right side of the dialog window). If a requested URL passes through all rules without any match, access to the site is allowed. All URLs are allowed by default (unless denied by a URL rule).
Note: URLs which do not match any URL rule are available to any authenticated user (all traffic is permitted by default). To allow access only to a specific group of web pages and block access to all other web pages, a rule denying access to any URL must be placed at the end of the rule list.
The following items (columns) can be available in the URL Rules tab:
Description — description of a particular rule (for reference only). You can use the check box next to the description to enable/disable the rule (for example, for a certain time).
Action — action which will be performed if all conditions of the rule are met (Permit — access to the page will be allowed, Deny — connection to the page will be denied and denial information will be displayed, Drop — access will be denied and a blank page will be opened, Redirect — user will be redirected to the page specified in the rule).
Condition — condition which must be met to apply the rule (e.g. URL matches certain criteria, page is included in a particular category of the Kerio Web Filter database, etc.).
Properties — advanced options for the rule (e.g. anti-virus check, content filtering, etc.).
The following columns are hidden by default. To view them, use the Modify columns function in the context menu — for details, see chapter 3.2 Administration Console — view preferences.
IP Groups — IP group to which the rule is applied. The IP groups include addresses of clients (workstations of users who connect to the Internet through WinRoute).
Valid Time — time interval during which the rule is applied.
Users List — list of users and user groups to which the rule applies.
Note: The default WinRoute installation includes several predefined URL rules. These rules are disabled by default and are available to the WinRoute administrators.
To create a new rule, select the rule after which the new rule will be added and click the button for adding a rule; this opens a dialog for creating the new rule. You can later use the arrow buttons to reorder the rule list. Open the General tab to set the general conditions of the rule and the action to be taken.
Description of the rule (information for the administrator).
Select which users this rule will be applied on:
any user — for all users (no authentication required).
selected user(s) — for selected users or/and user groups who have authenticated to the firewall.
Note:
It is often desired that the firewall requires user authentication before letting users open a web page. This can be set on the Authentication Options tab in Users (refer to chapter 15.1 Viewing and definitions of user accounts). Using the do not require authentication option, a rule allowing access to certain pages without authentication can be defined, for example.
Unless authentication is required, the do not require authentication option is ineffective.
selected user(s) — applied on selected users and/or user groups. Click on the button to select users or groups (hold the Ctrl and Shift keys to select more than one user/group at once).
Note: In rules, a username represents the IP address of the host from which the user is currently connected to the firewall (for details, see chapter 10.1 Firewall User Authentication).
Specification of URL (or URL group) on which this rule will be applied:
URL begins with — this item can include either an entire URL (e.g. www.kerio.com/index.html) or only a substring of a URL, using an asterisk (wildcard matching) to substitute any number of characters (e.g. *.kerio.com*). A server name followed by /* represents any URL at the corresponding server (e.g. www.kerio.com/*).
is in URL group — selection of a URL group (refer to chapter 14.4 URL Groups) which the URL should match.
is rated by Kerio Web Filter rating system — the rule will be applied on all pages assigned to a selected category by the Kerio Web Filter plug-in. Click on the button to select from the Kerio Web Filter categories. For details, refer to chapter 12.3 Content Rating System (Kerio Web Filter).
is any URL where server is given as IP address — by enabling this option, users will not be able to bypass URL-based filters by connecting to Web sites by IP address rather than by domain name. This trick is often used by servers offering illegal downloads.
If access to servers specified by IP addresses is not denied, users can bypass URL rules where servers are specified by names.
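As an added illustration (not Kerio's code and not part of this manual), the following Python simulates the rule evaluation described above: rules are tested top-down, the first matching rule decides, a URL matching no rule is permitted, the "URL begins with" condition treats an asterisk as any run of characters, and the IP-address server condition catches hosts given numerically. The rule dictionary layout, the sample rule list and the sample URLs are constructed assumptions.

```python
# Added example (not Kerio's code): simulator of WinRoute URL rule evaluation
# as described in the manual text. Rule layout and sample data are constructed.
import ipaddress
import re
from urllib.parse import urlsplit


def url_begins_with(pattern: str, url: str) -> bool:
    """'URL begins with' condition: '*' stands for any number of characters.
    Assumption: patterns carry no scheme, so the URL's scheme is stripped first."""
    bare = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.match(regex, bare, flags=re.IGNORECASE) is not None


def server_is_ip_address(url: str) -> bool:
    """'is any URL where server is given as IP address' condition (v4 or v6)."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(rules, url: str) -> str:
    """Top-down, first match wins; disabled rules are skipped (the check box);
    a URL that matches no rule falls through to the default 'permit'."""
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        kind, arg = rule["condition"]
        if kind == "url_begins" and url_begins_with(arg, url):
            return rule["action"]
        if kind == "ip_host" and server_is_ip_address(url):
            return rule["action"]
        if kind == "any":                       # catch-all, placed last
            return rule["action"]
    return "permit"                             # all URLs allowed by default


# Constructed rule list mirroring the note above: permit one site, refuse
# servers given as IP addresses, then deny everything else with a final rule.
RULES = [
    {"condition": ("url_begins", "www.kerio.com/*"), "action": "permit"},
    {"condition": ("ip_host", None), "action": "deny"},
    {"condition": ("any", None), "action": "deny"},
]
```

Without the final catch-all rule the same list permits every unmatched URL, which is the default behaviour the note warns about; note also that a pattern such as *.kerio.com* matches any URL merely containing ".kerio.com", so www.kerio.com/* is the tighter form for a permit rule.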
Selection of an action that will be taken whenever a user accesses a URL meeting a rule:
Allow access to the Web site
Deny access to the Web site — requested page will be blocked. The user will be informed that the access is denied or a blank page will be displayed (according to settings in the Advanced tab — see below).
Tick the Log option to log all pages meeting this rule in the Filter log (see chapter 22.9 Filter Log).
Go to the Advanced tab to define more conditions for the rule or/and to set options for denied pages.
Selection of the time interval during which the rule will be valid (outside this interval the rule will be ignored). Use the button to edit time intervals (for details see chapter 14.2 Time Intervals).
Selection of the IP address group on which the rule will be applied. Client (source) addresses are considered. Use the Any option to make the rule independent of clients. Click on the button to edit IP groups (for details see chapter 14.1 IP Address Groups).
The rule will be valid for a certain MIME type only (for example, text/html — HTML documents, image/jpeg — images in the JPEG format, etc.). You can either select one of the predefined MIME types or define a new one. An asterisk substitutes any subtype (e.g. image/*). An asterisk alone stands for any MIME type, making the rule independent of the MIME type.
Advanced options for denied pages. Whenever a user attempts to open a page that is denied by the rule, WinRoute will display:
A page informing the user that access to the required page is denied as it is blocked by the firewall. This page can also include an explanation of the denial (the Denial text item).
The Unlock button will be displayed in the page informing about the denial if the Users can Unlock this rule option is enabled. Using this button, users can force WinRoute to open the required page even though the site is denied by a URL rule. The rule will be unlocked for a certain time (10 minutes by default). Each user can unlock a limited number of denied pages (up to 10 pages at once). All unlocked pages are logged in the Security log (see chapter 22.11 Security Log). Rules can be unlocked only by users with corresponding rights (see chapter 15.1 Viewing and definitions of user accounts). This implies that unauthenticated (anonymous) users can never unlock rules.
Note:
Whenever URL rules are modified, all existing unlocks are removed immediately.
For security reasons, no HTML tags are allowed in the denial text. If plain text is not sufficient, it is recommended to use redirection to another page (see below).
A blank page — user will not be informed why access to the required page was denied.
Another page — user's browser will be redirected to the specified URL. This option can be helpful for example to define a custom page with a warning that access to the particular page is denied.
The Content Rules tab allows you to set rules for filtering certain web page elements. Parameters on this tab can be set only for rules allowing access (i.e. the Allow access to the web site option is checked on the General tab).
In this section you can define advanced parameters for filtering objects contained in web pages which meet the particular rule (for details refer to chapter 15.2 Local user accounts). Specific settings in URL rules take precedence over user account settings.
Use this option to deny users access to Web pages containing words/strings defined on the Forbidden Words tab in Configuration → Content Filtering → HTTP Policy.
For detailed information on forbidden words, see chapter 12.4 Web content filtering by word occurrence.
Antivirus check according to settings in the Configuration → Content Filtering → Antivirus section will be performed (see chapter 13.3 HTTP and FTP scanning) if this option is enabled.
Click on the button in the HTTP Policy tab to open a dialog where parameters for the HTTP inspection module can be set.
Use the Enable HTTP Log and Enable Web Log options to enable/disable logging of HTTP queries (opened web pages) to the HTTP log (see chapter 22.10 Http log) and to the Web log (refer to chapter 22.14 Web Log).
A log format can be chosen for the Enable HTTP Log item: Apache access log (http://www.apache.org/) or Squid proxy log (http://www.squid-cache.org/). This matters mainly when the log is to be processed by a specific analysis tool.
Both HTTP and Web logs are enabled by default. The Apache format is selected by default as the more widely supported reference format.
Use the Apply filtering rules also for local server option to specify whether content filtering rules will be applied to local WWW servers which are available from the Internet (see chapter 7 Traffic Policy). This option is disabled by default; in that case the protocol inspector only checks HTTP protocol syntax and logs queries (WWW pages) according to the settings.