filter
Enable or disable outbound URL or HTML object filtering. (Configuration mode.)
[no] filter activex port local_ip mask foreign_ip mask
[no] filter java port[-port] local_ip mask foreign_ip mask
[no] filter url port|except local_ip local_mask foreign_ip foreign_mask [allow]
clear filter
show filter
Syntax Description
activex
Block ActiveX controls, Java applets, and other HTML <object> tags in the Web pages returned over outbound connections.
java
Block Java applets returning to the firewall as a result of an outbound connection.
url
Filter Universal Resource Locators (URLs) from data moving through the firewall.
except
filter url only: Create an exception to a previous filter condition.
port
The Web traffic port. Typically, this is port 80, but other values are accepted. The http literal can be used for port 80.
port[-port]
filter java only: One or more ports on which Java applets may be received.
local_ip
The IP address of the local host or network, on the highest security level interface, from which access is sought. You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.
local_mask
Network mask of local_ip. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.
foreign_ip
The IP address of the foreign host or network, on the lowest security level interface, to which access is sought. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.
foreign_mask
Network mask of foreign_ip. Always specify a mask value; 0.0.0.0 (or in shortened form, 0) matches all hosts.
allow
filter url only: When the Websense server is unavailable, let outbound connections pass through the firewall without filtering. If you omit this option and the Websense server goes off line, the firewall stops outbound port 80 (Web) traffic until the Websense server is back on line.
filter activex
The filter activex command filters out ActiveX, Java applets, and other HTML <object> usages from outbound packets. ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information.
As a technology, ActiveX creates many potential problems for network clients: it can cause workstations to fail, introduce network security problems, or be used to attack servers.
This feature blocks the HTML <object> tag and comments it out within the HTML web page.
The <object> tag is also used for Java applets, image files, and multimedia objects, so the filter activex command blocks those as well. Because the firewall inspects each packet on its own, it cannot block a tag whose <object> or </object> markup is split across network packets, or whose contents are longer than the number of bytes in the MTU. ActiveX blocking does not occur when users access an IP address referenced by the alias command.
To specify that all outbound connections have ActiveX blocking, use the following command:
filter activex 80 0 0 0 0
This command specifies that the ActiveX blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.
filter java
The filter java command filters out Java applets that return to the firewall from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. Use 0 for the local_ip or foreign_ip IP addresses to mean all hosts.
If Java applets are known to be in <object> tags, use the filter activex command to remove them.
To specify that all outbound connections have Java applet blocking, use the following command:
filter java 80 0 0 0 0
This command specifies that the Java applet blocking applies to Web traffic on port 80 from any local host and for connections to any foreign host.
filter url
Prevent outbound users from accessing World Wide Web URLs that you designate using the Websense filtering application.
The allow option determines how the firewall behaves if the Websense server goes off line. With the allow option, port 80 traffic passes through the firewall without filtering while the server is off line. Without the allow option, the firewall stops outbound port 80 (Web) traffic until the server is back on line, or, if another URL server is configured, passes control to the next URL server.
With the allow option set, the firewall also passes control to an alternate server if the Websense server goes off line.
The Websense server works with the firewall to deny users from access to websites based on the company security policy.
Websense protocol version 4 enables group and username authentication between a host and a firewall. The firewall performs a username lookup, and then the Websense server handles URL Filtering and username logging.
Websense protocol version 4 contains the following enhancements:
- URL Filtering allows the firewall to check outgoing URL requests against the policy defined on the Websense server.
- Username logging tracks username, group, and domain name on the Websense server.
- Username lookup enables the firewall to use the user authentication table to map the host's IP address to the username.
Follow these steps to filter URLs:
- Designate a Websense server with the url-server command.
- Enable filtering with the filter command.
- If needed, improve throughput with the url-cache command. However, cached lookups are not reported to the Websense server, so its logs and accounting reports will not reflect them. Accumulate the Websense run logs you need before enabling url-cache.
- Use the show url-cache stats and the show perfmon commands to view run information.
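The following configuration is an added example that strings the four steps above together; it is not taken from the original page. The interface name perimeter and the addresses are reused from this page's examples. The url-cache keyword and size value, and the lines beginning with "!" (annotations, not commands), are assumptions about the PIX syntax and should be checked against the url-cache command reference before use.

```text
! Step 1: designate the Websense server reachable through the perimeter interface
url-server (perimeter) host 10.0.1.1

! Step 2: enable URL filtering for all outbound HTTP (http = port 80).
! Without "allow", outbound port 80 is blocked while the server is off line (fail closed).
! With "allow", outbound port 80 passes unfiltered while the server is off line (fail open).
! Pick the behaviour that matches the security policy; only one of the two lines is needed.
filter url http 0 0 0 0
filter url http 0 0 0 0 allow

! Exempt one local host from filtering (same form as the page's example)
filter url except 10.0.2.54 255.255.255.255 0 0

! Also filter Web traffic that a proxy forwards on port 8080
filter url 8080 0 0 0 0

! Step 3 (optional): cache Websense verdicts to cut round trips.
! "dst" (key on destination) and the size in KB are assumed syntax for this release.
url-cache dst 128

! Step 4: verify the filter set and the cache/performance counters
show filter
show url-cache stats
show perfmon
```

Decide the allow question explicitly: a fail-closed filter turns a Websense outage into a Web outage, while a fail-open filter turns it into a window with no URL policy at all. Whichever you choose, watch show perfmon and show url-cache stats after enabling the cache, since hit rates there are the only evidence that the cache is doing any work.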
Information on Websense is available at www.websense.com/
Examples
The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
url-server (perimeter) host 10.0.1.1
filter url 80 0 0 0 0
filter url except 10.0.2.54 255.255.255.255 0 0
The following example filters all outbound HTTP connections received from a proxy server that sends Web traffic on port 8080:
filter url 8080 0 0 0 0