CUSTOM FILTERING

Custom filtering allows you to define your own rules to deny or allow traffic to hosts based on your own criteria. Filtering can be done for entire hosts, specific websites, or even portions of websites.

Deny / Allow

When defining a new rule, you will always be asked if the rule is going to allow or deny based on the criteria you provide. Allow rules are not used as frequently as deny rules and are normally configured to allow a certain event that has been filtered by our definitions.

Most users however, utilize deny rules to block access to Internet websites based on company policy. Whether you want to allow or deny, you can do so for domains, IP addresses, and URLs.

Domains

When defining domain rules, the domain specified as well as any sub-domains, regardless of protocol, will be filtered. The following examples are provided to show the use of domain rules.

Domain: myexampledomain.com

The entire domain and all sub-domains of myexampledomain.com will be filtered.

Domain: games.myexampledomain.com

The sub-domain games.myexampledomain.com and all of its sub-domains will be filtered. However, myexampledomain.com itself, and any other sub-domain that is not part of games.myexampledomain.com, will be allowed.

IP Addresses

When defining IP address rules, only HTTP traffic will be filtered. Packet inspection uses the HTTP protocol headers, not the TCP headers. This means that if a domain resolves to an IP address you have denied, requests to that domain will not be filtered, because the Host header of the HTTP request carries the domain itself, not the IP address. IP address rules only filter HTTP requests addressed to the IP address itself.

What this allows for is more accurate filtering. Most websites are hosted using virtual host technology, allowing companies to host multiple domains on a single IP address. Ordinarily, filtering an IP address would filter all traffic destined for that address regardless of domain. With NullBound, you can filter an IP address without affecting any other domains virtually hosted on that address.

The following examples are provided to show the use of IP address rules.

IP Address: 192.168.1.10

All HTTP requests, such as "http://192.168.1.10/", will be filtered.
If www.myexampledomain.com were to also resolve to 192.168.1.10, all HTTP requests such as "http://www.myexampledomain.com" will still be accessible.

URLs

When defining URL rules, only HTTP traffic will be filtered. As with IP address rules, packet inspection uses the HTTP protocol headers rather than the TCP headers. This means that if a domain resolves to an IP address you have denied, requests to that domain will not be filtered, because the Host header of the HTTP request carries the domain itself, not the IP address. Likewise, if you have denied a domain, a request made directly to the IP address that domain resolves to will not be filtered.

URL rules additionally support wildcards. In the domain or IP address field, the "*" wildcard may be used so that the URL string is matched on any host. In the URL field, both the "*" and "?" wildcards are available: "*" matches any number of characters, while "?" matches exactly one character.

The following examples are provided to show the use of URL rules. As you can see, the URL rules are highly customizable and offer a lot of flexibility.

Domain or IP Address: myexampledomain.com
URL or String to Match: *

All HTTP requests, such as "http://myexampledomain.com/" or "http://www.myexampledomain.com", will be filtered.

Domain or IP Address: games.myexampledomain.com
URL or String to Match: *

All HTTP requests, such as "http://games.myexampledomain.com/" or "http://server.games.myexampledomain.com", will be filtered. All other sub-domains of myexampledomain.com will be allowed, such as "http://www.myexampledomain.com".

Domain or IP Address: 192.168.1.10
URL or String to Match: *

All HTTP requests, such as "http://192.168.1.10/", will be filtered. Even if www.myexampledomain.com were to resolve to 192.168.1.10, an HTTP request to "http://www.myexampledomain.com" would be allowed.

Domain or IP Address: *
URL or String to Match: test.exe

All HTTP requests going to any domain or IP address specifically for test.exe will be filtered. "http://www.myexampledomain.com/test.exe" would be filtered, however "http://www.myexampledomain.com/download/test.exe" would be allowed.

Domain or IP Address: *
URL or String to Match: *test.exe*

All HTTP requests with "test.exe" anywhere in the URL will be filtered.

Domain or IP Address: myexampledomain.com
URL or String to Match: */test?.exe

All HTTP requests to myexampledomain.com ending in /test?.exe will be filtered. "http://www.myexampledomain.com/test1.exe" and "http://www.myexampledomain.com/download/test5.exe" will be filtered. "http://www.myexampledomain.com/test11.exe" or "http://www.myexampledomain.com/download/test1.exe?start" will be allowed.

Manually Editing Rules

The option to manually edit custom filtering rules is available without using the web interface. Extreme caution is recommended before manually editing these files. An incorrectly written rule could have devastating effects on a network until it is disabled.

A good way to learn to write custom rules correctly is to create them using the web interface, then review the files created to see how they are structured. The following four files are responsible for all custom filtering and are located under /opt/definitions on the file system.

white_web.dat

Maintains the allow rules for IP addresses and URLs.

white_hosts.dat

Maintains the allow rules for domains.

black_web.dat

Maintains the deny rules for IP addresses and URLs.

black_hosts.dat

Maintains the deny rules for domains.

white_hosts.dat / black_hosts.dat

The white_hosts.dat and black_hosts.dat files contain the domain rules. The rule format is identical for both files. Each row has two tab-delimited columns: the first is the name of the rule and the second is the rule itself. Because the file is tab delimited, there may not be any spaces within the name or the rule. Shown below is an example of the format of these files.

Each domain rule must have a preceding "." and a trailing "|". Without these, a rule will not function properly and will cause unwanted results.

MyExampleDomain.com	.myexampledomain.com|
MyExampleDomainTwo.com	.myexampledomaintwo.com|
MyExampleGames	.games.myexampledomainthree.com|

white_web.dat / black_web.dat

The white_web.dat and black_web.dat files contain the IP address and URL rules. The rule format is identical for both files. Each row has three tab-delimited columns: the first is the name of the rule, the second is the host the rule applies to, and the third is the string to match. Because the file is tab delimited, there may not be any spaces within the name, host, or the rule. Shown below is an example of the format of these files.

Each host, if it is a domain, must have a preceding "*." to indicate all sub-domains as well. A trailing "|" indicates the explicit end of the URL and should always be used unless there is a trailing "*".

MyExampleDomainEXE	*.myexampledomain.com	*.exe|
PornURLs	*	*porn*
192.168.20.100	192.168.20.100	*
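The matching behaviour described above for domain rules, the "*" and "?" wildcards, and the black_hosts.dat / black_web.dat formats, worked through as an added Python example that is not NullBound's own code. The sample rule lines are constructed; matching the URL string against the request path plus query string, and treating a rule with neither a trailing "|" nor a trailing "*" as a prefix, are assumptions.

```python
import re
from urllib.parse import urlsplit
# Constructed samples in the black_hosts.dat and black_web.dat formats (tab-delimited).
BLACK_HOSTS = "MyExampleGames\t.games.myexampledomain.com|\n"
BLACK_WEB = ("TestExe\t*.myexampledomain.com\t*/test?.exe|\n"
             "PornURLs\t*\t*porn*\n"
             "BlockIP\t192.168.20.100\t*\n")

def parse_dat(text):  # each non-empty line becomes a tuple of its tab-delimited columns
    return [tuple(line.split("\t")) for line in text.splitlines() if line.strip()]

def domain_rule(rule):
    """A domain rule must be written '.domain|'; return the bare domain or raise."""
    if not (rule.startswith(".") and rule.endswith("|")):
        raise ValueError(f"malformed domain rule: {rule!r}")
    return rule[1:-1].lower()

def in_domain(req_host, domain):  # the domain itself or any of its sub-domains
    return req_host == domain or req_host.endswith("." + domain)

def host_matches(rule_host, req_host):
    """'*' = any host; '*.d' = d and its sub-domains; otherwise an exact host (IP literal)."""
    if rule_host == "*":
        return True
    if rule_host.startswith("*."):
        return in_domain(req_host, rule_host[2:].lower())
    return req_host == rule_host.lower()

def pattern_to_regex(pattern):
    """'*' = any run of characters, '?' = exactly one, trailing '|' = explicit end.
    Assumption: a rule with neither '|' nor a trailing '*' is matched as a prefix."""
    anchored = pattern.endswith("|")
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in (pattern[:-1] if anchored else pattern)]
    return re.compile("^" + "".join(parts) + ("$" if anchored else ""))

def matching_rule(url, hosts_dat=BLACK_HOSTS, web_dat=BLACK_WEB):
    u = urlsplit(url)
    req_host = (u.hostname or "").lower()
    for name, rule in parse_dat(hosts_dat):          # domain rules: any protocol
        if in_domain(req_host, domain_rule(rule)):
            return name
    if u.scheme != "http":                            # IP/URL rules: HTTP only
        return None
    # Matched on the Host header value as sent, so a domain that merely resolves
    # to a denied IP is not caught; the string is matched on path+query (assumption).
    target = (u.path or "/") + ("?" + u.query if u.query else "")
    for name, rule_host, pattern in parse_dat(web_dat):
        if host_matches(rule_host, req_host) and pattern_to_regex(pattern).match(target):
            return name
    return None
```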
