guard - Manage the URL guarding (filtering)
[1] guard [filter [ip [add <filter-name> (range <ip1> [<ip2>] | network <ip> [<network-mask>]) | del <filter-name> | raz]]]
[2] guard [filter [time [add <filter-name> (slot <[w-]hh:mm-hh:mm> | frame <yyyy/mm/dd-yyyy/mm/dd> | date <[yyyy]/[mm]/[dd][-hh:mm-hh:mm]>) | del <filter-name> | raz]]]
[3] guard [filter [ldap [add <filter-name> ’<base-dn>’ <login-attr> ’<ldap-filter>’ | del <filter-name> | raz]]]
[4] guard [policy [add <policy-name> ((ip | time | ldap) <filter-name>)* | del <policy-name> | raz]]
[5] guard [rule [(add | update | add:<policy-name> | insert:<policy-name>) (<policy-name> | default) (deny | allow) (<urllist-name>)+ | del (<policy-name> | default) | raz]]
[6] guard [rule [move:(-|+)<policy-name> <policy-name> | move:<position>]]
[7] guard [ip [(on | off)]]
The URL guarding (or filtering) allows you to have control over the Web browsing in your organisation. Two guarding methods are available: the blacklist guarding and the white list guarding. Guarding with blacklists denies access to predefined URL lists, allowing access to all other URLs. Guarding with white lists permits access to predefined URL lists only, blocking all other URLs.
The URL Filtering can be based on the source IP address, the access time and an LDAP request. To define a guard rule you need to create policies and filters first. A policy is the combination of several filters. A guard rule defines who (policies) can access what (URL lists).
To define a filter based on source IP addresses of users use the keywords filter ip add followed by a filter name the keywords range or network and an IP specification. An IP range is defined by giving two IP addresses. So all IP addresses between the first and second IP addresses will match the defined filter. If the second IP address is omitted the filter will match the unique given IP address. A network is defined by giving a network IP and a network mask. If no network mask is given the value 255.255.255.0 will be used.
To define a filter based on access time use the keywords filter time add followed by a filter name. Three types of access times are available: slot, frame and date. Using the keyword slot allows you to define a time slot. A time slot has the format [w-]hh:mm-hh:mm where w is an optional digit between 0 and 6 representing the day of the week (0 is Sunday and 6 is Saturday) and hh:mm-hh:mm represents a time slot between the first hh:mm and second hh:mm (hh is a number between 00 and 23 representing hours while hh is a number beween 00 and 59 representing minutes). Using the frame keyword allows you to define a date frame. A date frame has the format yyyy/mm/dd-yyyy/mm/dd where yyyy, mm and dd are numbers representing respectively the year (2000-2999), the month (01-12) and the day (01-31). Using the date keyword allows you to define special days. A date has the format yyyy/mm/dd[-hh:mm-hh:mm] where yyyy, mm and dd are numbers representing respectively the year (2000-2999), the month (01-12) and the day (01-31). If one of these numbers is omitted it will represent any value. For instance the date represented by "//01" represents the first day of every month. If the optional time slot part [-hh:mm-hh:mm] is given, the filter will define a time at the given date and time slot.
An LDAP filter allows you to define guarding policies where users access are granted if an LDAP request returns a value. This type of filter is only applicable if the authentication mode is activated and configured adequately (see the command authenticate). To define a filter based on an LDAP request use the keyword filter ldap add followed by a filter name, the LDAP distinguished name of the target LDAP object, the LDAP attribute used to login users and an LDAP filter applied to returned objects. The LDAP server and bind configuration (if required) should be configured using the authenticate command. Because LDAP distinguished names and filters contains the character ’=’, they must be enclosed in (simple or double) quotation marks to avoid being interpreted by the shell.
A filter can be deleted using the keyword del followed by the filter name. Using the keyword raz allows you to erase all filters in a filter type (ip time ldap) list.
Once all required filters are defined you can combine them to create policies. An OR operad is applied to filters of the same type while an AND operand is applied to filters of different types. To create a policy use the keywords policy add followed by a policy name and a list of filters where each filter is represented by a filter type (ip time ldap) followed by a filter name. A policy can be deleted using the keyword del followed by the policy name. Using the keyword raz allows you to erase all policies. Note that deleting a filter removes that filter from the policies that use it. The system contains a default policy named default which contains no filters. Use this policy to define a default rule. A default rule is applied to users not caught by defined policies. If no default rule is defined, the default behaviour is to deny all accesses to all URLs.
Filter and policy names must begin with an alpha character and may contains alpha numeric characters as well as the characters "_", "-" and ".".
Finally you can define a guarding rule based on policies (who) and URL lists (what). To add a rule at the end of all rules use the keywords rule add followed by a policy name, the keyword allow or deny (depending on whether you want to create a blacklist guard or a white list guard) and a list of URL list name separated by a blank. A rule can be deleted using the keyword del followed by the associated policy name. Using the keyword raz allows you to erase all rules.
Please note that the order of guard rules is important as the system matches the first matching rule to allow or deny a URL for a client. To add a rule after a given rule, use the keyword add: followed by the rule name after which the new rule have to be inserted. To insert a rule before a given rule, use the keyword insert: followed by the rule name before which the new rule have to be inserted. Finally the keyword update allows you to modify a rule without changing its place in the rule list.
As an example completing the following commands allows you to define a policy applied to users with an IP address ranging from 172.18.2.10 to 172.18.2.100 who use the Web between 8:00AM and 5:00PM and belong the LDAP group "cn=worker,ou=groups,dc=example,dc=com". A guard URL list named WebMail is created to group sites that offer web-based email service. Then the defined policy is used to create a rule to deny the access to WebMail sites for those users.
guard filter add ip myNetwork range 172.18.2.10 172.18.2.100
guard filter add time myHours slot 08:00-17:00
guard filter add ldap myRequest ’cn=worker,ou=groups,dc=example,dc=com’ memberUid ’objectclass=posixGroup’
guard policy add myPolicy ip myNetwork time myHours ldap myRequest
urllist add WebMail
urllist load create WebMail ftp ftp.cacheguard.net BL/WebMail
guard rule add myPolicy deny WebMail
apply
Note that in this example the ftp server "ftp.cacheguard.net" should have been defined as a trusted file server previously with the commandaccess. Also that FTP server requires login/passowrd credentials that should be configured using the command password.
The sixth usage form allows you to move a guard rule from one position to another in the list of guard rules. To move a rule before or after another denoted rule use the keyword move: followed by the sign - (for before) or + (for after), the rule name of the denoted rule and the rule name of the rule to move. Please note that white spaces are not allowed between the keyword move:, the signs - or + and the rule name of the denoted rule. To move a rule to an absolute position use the move: followed by the position number and the rule name of the rule to move (the first position is the position number 1). Please note that white spaces are not allowed between the keyword move: and the position number.
A Web surfer may directly use an IP address instead of a domain name to bypass URL guards. The seventh usage form allow you to activate or deactivate the usage of IP addresses instead of a domain name. To allow the usage of IP addresses, turn the guard IP off. To disallow the usage of IP addresses, turn the guard IP on. Please note that by disallowing the usage of IP address in URLs you can block the usage of networks such as TOR.
apply (1) authenticate (1) mode (1) urllist (1)
CacheGuard Technologies Ltd <www.cacheguard.com>
Send bug reports or comments to the above author.
Copyright (C) 2009-2024 CacheGuard - All rights reserved