The URL filter allows web traffic to be blocked based on category. This allows blocking or unsuitable content for business networks and preventing children from viewing age-inappropriate content.
Note - For the URL filter to work with https, the Advanced Web Proxy must be in Conventional Mode (non-transparent mode). If the Advance Web Proxy is setup in Transparent Mode, then URL filtering will not take place with https traffic.
To use the Filter it must be enabled in the Web Proxy configuration page. In the WebGUI, go to menu Network -> Web Proxy. Select the URL filter Enabled check box and click the appropriate Save at the bottom of the page.
In the WebGUI go to the menu Network -> URL Filter.
On top of the page you can see all the categories that can be blocked. Depending on the blacklist which has been downloaded (see below for detail on blacklists) you may have different categories than those in this example.
The Custom blacklists are optional. Click the Enable custom blacklist to block the manually entered domains and URLs.
Blocked domains (one per line). Input the domains you want to block.
example.com test.net subdomain.smallexample.com
Blocked URLs (one per line). Input the URLs you want to block.
The custom whitelists are optional. Click the Enable custom whitelist to allow the manually entered domains and URLs. This will override even if listed in another category.
Allowed domains (one per line). Input the domains you want to allow.
ipfire.org wiki.squid-cache.org bugzilla.netfilter.org
Allowed URLs (one per line). Input the URLs you want to allow.
The custom expressions list is optional. Enable this for the manually entered expressions.
Custom expression list (one per line). Block URLs if the manually entered expressions matches them.
FIXME - Does the "Custom expression list" also block phrases as stated on old URL Filter wiki page like teens, arms ?
Depends at http or http(s) URL
Test done by Firefox with Manual Proxy use port 800 activated
Clear TEXT in an http URL:
Custom Expression 123456 access denied
Custom Expression dummy (small letters) access denied
Custom Expression DUMMY (capital letters) access denied
Custom Expression 123456789 access denied
Clear TEXT in an http(s) URL:
Custom Expression 123456 access yes
Custom Expression dummy (small letters) access yes
Custom Expression DUMMY (capital letters) access yes
Custom Expression 123456789 access denied
Proxy recognize just domain, subdomains and the port 443 ex. subdomain.d, therefore URL Filter not really work for https URL .
In other words: URL Filter act for just the domain
Optionally you can block files by extension.
.bat .com .exe .sys .vbs
.aiff .avi .dif .divx .mov .movie .mp3 .mpeg .mpv2 .ogg .qt .wav .wma .wmf .wmv
.bin .bz2 .cab .cdr .dmg .gz .hqx .rar .sit .sea .tgz .zip
FIXME - This needs to be explained!
This option works just for http, not for http(s). Because using http(s) the Proxy don't see the whole URL, Proxy see just the domains and subdomains. Please look for further understanding of this, at the example of "Custom expression list" for http(s).
What is the idea of "Local file redirection":
Loading a web site means loading picture files etc., those can be saved locally at IPFire HDD as an cache, to load them later from local HDD at every time we visit that site.
Save picture files of sites you often visit to your PC first. Keep original file names.
You can choose the files to upload them to IPFire HDD and to manage them there.
Entered IP address(es) or network(s) will bypass all active filter rules. In the example below the two local clients,
192.168.40.200 and 192.168.40.201, are allowed to access the internet without any filtering.
Entered IP address(es) or network(s) will be forbidden, regardless of the active filter rules. In the example below the one local clients,
192.168.40.13 is banned access the internet:
You can input (one per line) one or more single host addresses(eg. 192.168.1.10), networks in CIDR notation (192.168.0.0/24), networks with a certain netmask(192.168.0.0/255.255.255.0), or a range of hosts (192.168.1.10-192.168.1.20)
Time constraints can be configured so that blacklisted categories are permitted at specific times of the day, or week.
FIXME - This section needs help!
If enabled, the blocked category will be shown in the block message. This can be a useful hint, if you are not sure which category is blocking your request.
If enabled, the blocked URL will be shown in the block message.
If enabled, the client IP address will be shown in the block message.
The default block message will be replaced by a “Server or DNS not found error” message.
You can define a custom website where clients will be redirected to if they are blocked.
Define text that will be used in message block (three lines).
Enable this to replace banners, pop-up windows and advertisements with a blank window. This will be done by redirecting to a 1 pixel sized .gif file. Requires the category “ads” or “adv” to be selected for blocking.
If enabled, all sites accessed by their IP address will be blocked. The same sites will be available if accessed by their domain name, and if not blocked by another rule.
Enable this to block all requests, except for those defined in the “Custom Whitelist”.
Write blocked sites to log.
Write usernames that triggered blacklist to logfile.
Only one type of category if be written in one log.
IP(s) or network(s) that are banned can browse sites defined in the Custom Whitelist.
Save - After making any changes, press the Save button to save them.
Save and Restart - Use the Save and Restart button to save and apply changes.
In this section you can define automatic download of URL filter blacklist, or even create your own blacklist, or load an existing blacklist and edit it.
Setup service and time interval for automatic download of blacklist. You can also manually download lists.
The only listed source is Univ. Toulouce. The Univ. Toulouce webpage includes a list of categories and a brief description.
Note - The company Shalla Secure Services (shallalist) has been closed and in consequence the blacklist service has been stopped. The MESD list is unreachable.
On bottom you can make backups/restore of your URL filter setup.