Software Release 2.3.1


per line. Options are supplied after the entry and a colon. Each option is separated by a space.

The option keywords that are allowed for each entry are “allow” and “nocookies”. The “allow” option explicitly allows the URL, or part of the URL, given on the line. This is useful for exceptions to a deny filter or to a given keyword. The “nocookies” option specifies that the proxy should not accept cookie requests from the domain or URL given, and implicitly allows the URL. Comments may be placed in the file using a # character at the beginning of the line. White space before and after an entry does not affect the parsing of the file, but there must be white space between the URL and the colon that introduces the options. After the colon, white space is not needed, but there must be white space between each option specified. Empty lines are also allowed. Note that all URL entries without options are considered to be denied.

How specific the URLs are determines the order of precedence of the entries in the file. For example, www.plant.com/this/is/a/url/grow.html has more precedence than an entry containing www.plant.com/this. Also, if the allow option is specified, the entry has greater precedence than a similar entry that is denied. Finally, keywords in the file have the least precedence. They are only applied to sections of the URL that are not part of the closest fitting URL entry.
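As an added illustration (not Allied Telesis code and not from the manual), the following Python models the filter file format and the precedence rules described above. The exact matching semantics are assumptions drawn from the text: entries match as URL prefixes, the longest match wins, allow beats deny among equally specific entries, keywords are checked only against the part of the URL no entry covered, and a line containing neither "." nor "/" is taken to be a keyword.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    pattern: str      # URL, or part of a URL, matched as a prefix (assumption)
    allow: bool       # explicit "allow", or implied by "nocookies"
    nocookies: bool

def parse_filter_file(text):
    """Parse filter-file text into (url_entries, keywords)."""
    entries, keywords = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # empty lines and # comments
            continue
        parts = re.split(r"\s+:", line, maxsplit=1)   # "<url> : opt opt"
        target = parts[0].strip()
        opts = set(parts[1].split()) if len(parts) == 2 else set()
        nocookies = "nocookies" in opts
        allow = "allow" in opts or nocookies   # nocookies implicitly allows
        if "/" in target or "." in target:
            entries.append(Entry(target, allow, nocookies))
        else:
            keywords.append(target)   # assumption: a bare word is a keyword
    return entries, keywords

def classify(url, entries, keywords):
    """Return (allowed, block_cookies) for url under the precedence rules."""
    matches = [e for e in entries if url.startswith(e.pattern)]
    block_cookies, remainder = False, url
    if matches:
        longest = max(len(e.pattern) for e in matches)   # most specific wins
        best = [e for e in matches if len(e.pattern) == longest]
        block_cookies = any(e.nocookies for e in best)
        if not any(e.allow for e in best):   # allow beats deny when equally specific
            return False, block_cookies
        remainder = url[longest:]   # keywords only see the part no entry covered
    if any(k in remainder for k in keywords):   # keywords: least precedence
        return False, block_cookies
    return True, block_cookies
# Constructed sample file, not taken from the manual.
SAMPLE_FILTER = """\
www.plant.com/this
www.plant.com/this/is/a/url/grow.html : allow
www.tracker.example : nocookies
games
"""
ENTRIES, KEYWORDS = parse_filter_file(SAMPLE_FILTER)
```

With the sample file, grow.html is allowed despite the deny on www.plant.com/this, any page under www.tracker.example is allowed with cookies refused, and the keyword "games" denies only URLs, or trailing parts of URLs, that no more specific entry already covers.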

Figure 6 contains an example of a URL filter file.

To edit the contents of the list generated from the HTTP filter file held in the firewall policy, the file must be deleted from the firewall policy (using the DELETE FIREWALL POLICY HTTPFILTER command), edited and then added to the firewall policy again. Alternatively, the file may be edited and the device restarted, which reloads the filter file. Editing the file alone does not alter the configuration held in the policy. No more than 5 URL filter files may be attached to a policy at one time.

The DIRECTION parameter specifies the direction of HTTP sessions to which the filter is to be applied. If IN is specified the filter will apply to HTTP requests that originate on the public side of the firewall (inbound). If OUT is specified the filter will apply to HTTP requests that originate on the private side of the firewall (outbound). The default value is OUT.

URL filters will have no effect unless the specified policy also has an HTTP proxy configured with a direction that matches the direction specified for the URL filter.

For example, to add the contents of the file banned.htp to the HTTP filter of firewall policy zone1 for filtering outbound HTTP sessions, use the command:

ADD FIREWALL POLICY=zone1 HTTPFILTER=banned.htp

Software Release 2.3.1 C613-10325-00 REV B

Allied Telesis AT-AR300 manual