CacheGuard-OS
User's Guide - Version UF-2.1.3


URL Guarding (URL Filtering)

The URL guarding (URL Filtering) feature allows you to restrict Web usage in your organisation by filtering unwanted URLs. This feature is based on blacklists (denied content) or white lists (allowed content) of domains and URLs. This way you can either give access only to the allowed websites enumerated in your white lists or deny the content enumerated in your blacklists. A default guarding policy can be configured for all users. Specific guarding policies can also be configured based on end users' IP addresses.

A very simple example is a school. In such an organisation young children should have very restrictive access to the Web while teachers and other staff may have less restrictive access. To configure a very restrictive guarding policy you may use white lists of allowed Web content for classrooms. To configure a less restrictive policy for the staff you may deny only unwanted Web content (aggressive, porn, drugs...) and allow everything else by using blacklists.

To define a URL list named "WebMail", use the following command: This command creates an empty URL list named "WebMail". The content of a URL list should be loaded from files located on a trusted file server (FTP or TFTP). A file server is declared trusted with the command "access file".

The content of a URL list is defined in three compressed (gzip format) text files having the same base name but different extensions according to their content:

The first file should have the ".domains.gz" extension and contain a list of domain names. Only one domain name is allowed per line. Note that domain names enumerated in such a file should be base domain names without any host prefix. For instance "example.com" is an eligible base domain name while "www.example.com" is not a good candidate.

The second file should have the extension ".urls.gz" and contain a list of URLs. A URL is in the form <domain-name>/<uri> where the <domain-name> is a fully qualified domain name. Only one URL is allowed per line.

Finally the third file should have the extension ".expressions.gz" and contain a list of regular expressions. Only one regular expression is allowed per line. When using regular expression lists, every accessed URL is checked against the regular expressions and, if a pattern matches, access to that URL is rejected.

To set the content of the previous URL list "WebMail" from the two files "WebMail.domains.gz" and "WebMail.urls.gz" located on the TFTP file server "172.18.2.1", use the following commands:

After creating URL lists, two methods are available to define a guarding policy for a given subnet: The "deny" method with blacklists and the "allow" method with white lists. Like any other feature present in the appliance, the guarding feature may be activated or deactivated at any time. To activate the guarding feature, use the following commands:

Automatic update

URL lists can be updated automatically on a daily or weekly basis. To activate the automatic daily update for the URL list named "WebMail" from ftp://ftp.cacheguard.net/DF/WebMail use the following command: Please refer to the guard command documentation for further information.

Filter clients

Filtering URLs for users can be based on the source IP address, the access time and an LDAP authentication request. A guard rule defines who can access what. To define a guard rule you have to first create policies and filters. A policy is the combination of several filters. To create a policy applied to users with an IP address ranging from 172.18.2.10 to 172.18.2.100 who use the Web between 8:00AM and 5:00PM and belong to the LDAP group "cn=worker,ou=groups,dc=example,dc=com" use the following commands: In this example "myNetwork", "myHours" and "myRequest" are respectively the names chosen for the IP range, the access time and the authentication request. "memberUid" specifies the LDAP attribute used to store the login name given by the end user during authentication. "objectclass=posixGroup" is the request used to retrieve the user on the LDAP server. Please refer to the "authenticate" command for further information related to LDAP authentication. Finally "myPolicy" is the name chosen for the policy.

Deny rules (with Blacklists)

A "deny" rule consists of forbidding access to the Web objects defined in blacklists for a group of users defined by a policy, so Web content not included in those blacklists is allowed. To forbid access to "WebMail" sites for the users defined by the previously created policy named "myPolicy" use the following commands:

Allow rules (with White lists)

An "allow" rule consists of authorising access only to the Web content defined in white lists, while access to Web content not present in those white lists is forbidden. To restrict the users defined by the previously created policy named "myPolicy" to accessing only "WebMail" sites use the following commands:
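As an added illustration (not the appliance's own code or commands), the following Python script builds and reads back the three gzip list files described in the "URL Guarding" section, flags domain entries that are not bare base domains, and evaluates a URL against the lists under the "deny" (blacklist) and "allow" (white list) methods described in the two sections above. The sample list content, the host-suffix and path-prefix matching rules and the "www." heuristic are assumptions of this example, not behaviour documented by the guide.

```python
import gzip
import re
from urllib.parse import urlsplit

# Constructed sample content for a URL list named "WebMail" (not taken from the guide).
DOMAINS = ["example.com", "webmail-example.net"]
URLS = ["www.example.org/webmail/", "portal.example.org/owa"]
EXPRESSIONS = [r"/cgi-bin/(web)?mail", r"^mail\d*\."]

def pack(base, domains, urls, expressions):
    """Build the three gzip files as {filename: bytes}, one entry per line."""
    parts = {"domains": domains, "urls": urls, "expressions": expressions}
    return {f"{base}.{k}.gz": gzip.compress(("\n".join(v) + "\n").encode())
            for k, v in parts.items()}

def load(files, base):
    """Read the three files back; a missing file contributes an empty list."""
    def lines(kind):
        data = files.get(f"{base}.{kind}.gz")
        text = gzip.decompress(data).decode() if data else ""
        return [ln.strip() for ln in text.splitlines() if ln.strip()]
    return lines("domains"), lines("urls"), lines("expressions")

def bad_domain_entries(domains):
    """Entries that are not bare base domains: a path or a 'www.' prefix (heuristic check)."""
    return [d for d in domains if "/" in d or d.lower().startswith("www.")]

def match(url, domains, urls, expressions):
    """Return which list catches the URL ('domain', 'url', 'expression') or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    target = host + (parts.path or "/")
    # Assumption: a base domain entry covers the domain itself and every subdomain.
    if any(host == d or host.endswith("." + d) for d in domains):
        return "domain"
    # Assumption: a URL entry covers that path and everything below it.
    if any(target == u.rstrip("/") or target.startswith(u.rstrip("/") + "/") for u in urls):
        return "url"
    if any(re.search(e, target) for e in expressions):
        return "expression"
    return None

def decide(url, method, lists):
    """'deny': listed content is blocked, the rest allowed; 'allow': only listed content passes."""
    hit = match(url, *lists)
    if method == "deny":
        return "deny" if hit else "allow"
    return "allow" if hit else "deny"
```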