Thursday, June 15, 2006

URL Paths 2

From the comments of my original post about URL Paths:

<quote src="Jon Cavallo">
You can put *.com in the URL Paths. You need to enter it as '/*.com'

I use the /*.x convention on all my extension blocking. This helps prevent them from wildcarding some other part of a complex URL.
</quote>

You are totally right: this is a better way to implement extension blocking with URL Paths. Thanks.

Sunday, June 11, 2006

CLI

Did you know that Fireware also has a command line interface?
You can SSH to your box on port 4118 and log in with:
Username: admin
Password: your read-write password.

You can do all sorts of things from the command line.
I use it as a replacement for the 'Restart IPSec' function that was in WFS but is not in Fireware.

To clear individual BOVPN, MUVPN, or PPTP tunnels:
WG#no vpn-tunnel ipsec enter-ID-of-the-BOVPN-tunnel-here
WG#no vpn-tunnel muvpn enter-ID-of-the-MUVPN-tunnel-here
WG#no vpn-tunnel pptp enter-the-physical-IP-address-of-the-PPTP-client-here

To find out the ID of a tunnel:
WG#show vpn-tunnel ike-gateway
WG#show vpn-tunnel ipsec
WG#show vpn-tunnel muvpn
WG#show vpn-tunnel pptp

Very useful, but remember:
<quote src="Nathan Buff">
There is a CLI but the CLI creates configurations that are not compatible with the GUI-based Policy Manager. For this reason, the CLI is only supported when the Firebox is running in Common Criteria mode.
</quote>

Saturday, June 03, 2006

URL Paths

I mainly use the URL Paths function of the HTTP Proxy for blocking file extensions. Here is the list of extensions that I deny:

*.acf
*.ade
*.adp
*.ani
*.arj
*.bas
*.bat
*.cab
*.chm
*.class
*.cmd
*.clp
*.cpl
*.cur
*.dat
*.dcr
*.dif
*.fav
*.hhk
*.hhp
*.hlp
*.ht
*.hta
*.htt
*.htx
*.hqx
*.idc
*.inf
*.ins
*.isp
*.jar
*.jav
*.java
*.job
*.lnk
*.m3u
*.mad
*.maf
*.mam
*.maq
*.mar
*.mat
*.mcw
*.mda
*.mdb
*.mde
*.mdn
*.mdt
*.mdv
*.mdw
*.mht
*.mnd
*.mp3
*.mpc
*.msi
*.msp
*.mst
*.nws
*.odc
*.ofn
*.ogg
*.pbk
*.pcd
*.pif
*.pip
*.pls
*.pot
*.ppa
*.ppz
*.pwz
*.ra
*.ram
*.rar
*.rat
*.reg
*.rjs
*.rm
*.rmm
*.rmp
*.rmx
*.rpm
*.scf
*.scr
*.sct
*.shs
*.slk
*.smil
*.tar
*.url
*.vb
*.vbd
*.vbe
*.vbx
*.vxd
*.wab
*.wiz
*.wma
*.wsc
*.wsf
*.wsh
*.wsz
*.zip

Notice that the file extension *.com is missing. I hope you can guess why.
You can also use the URL Paths function for more advanced filtering. I use it to prevent my users from turning off safe search for Google Image Search.

Rule name: Google_images_Safe_Search_Off
Pattern match: images.google.*/*safe=off*
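The reason *.com is missing from the list above, and the point of Jon Cavallo's /*.x convention in the later post, both come down to how a wildcard pattern is compared against the requested URL. The following is an added example, not WatchGuard's code and not from the original posts: a small Python emulation of URL Paths matching. It assumes (these are assumptions, not documented Fireware behaviour) that the pattern is compared against host + path + query with the scheme removed, as the images.google.*/*safe=off* rule implies; that * matches any run of characters including /; that a pattern may match anywhere in that string; and that matching is case-insensitive. The rule names and sample URLs are constructed for the example.

```python
"""
Added example (not WatchGuard's code): emulate HTTP Proxy URL Paths
wildcard matching to show why a bare "*.com" rule would deny every
.com website while "/*.com" only denies .com files in the path.

Assumptions (not taken from the page):
  - the pattern is matched against "host + path + query", scheme removed;
  - "*" matches any run of characters, including "/";
  - the pattern may match anywhere in that string (implicit leading and
    trailing wildcards) and matching is case-insensitive.
"""
import re
from urllib.parse import urlsplit


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a URL Paths wildcard pattern into a compiled regex.
    Everything except '*' is matched literally."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def match_target(url: str) -> str:
    """The string a pattern is compared against: host, path and query
    without the scheme (assumption, see module docstring)."""
    u = urlsplit(url)
    target = u.netloc + (u.path or "/")
    if u.query:
        target += "?" + u.query
    return target


def pattern_matches(pattern: str, url: str) -> bool:
    """True if the wildcard pattern matches anywhere in the URL target."""
    return pattern_to_regex(pattern).search(match_target(url)) is not None


def first_denying_rule(rules, url):
    """Return the name of the first rule whose pattern matches, or None.
    `rules` is a list of (rule_name, pattern) tuples, checked in order."""
    for name, pattern in rules:
        if pattern_matches(pattern, url):
            return name
    return None


# Rules written in the page's own style; the names are constructed here.
RULES = [
    ("Block_com_files", "/*.com"),
    ("Block_zip_files", "/*.zip"),
    ("Google_images_Safe_Search_Off", "images.google.*/*safe=off*"),
]

# Constructed sample URLs (not real hosts or files).
SAMPLE_URLS = [
    "http://www.example.com/index.html",               # an ordinary .com site
    "http://downloads.example.net/tools/setup.com",    # a .com file in the path
    "http://files.example.org/archive.ZIP?dl=1",       # extension plus query string
    "http://images.google.com/images?q=cats&safe=off",
    "http://images.google.com/images?q=cats&safe=active",
]

if __name__ == "__main__":
    site = SAMPLE_URLS[0]
    print("Bare '*.com' vs '/*.com' on a normal .com website:")
    print("  *.com  ->", pattern_matches("*.com", site))   # True: the host matches
    print("  /*.com ->", pattern_matches("/*.com", site))  # False: only the path is checked
    print()
    for url in SAMPLE_URLS:
        print(f"{url:55s} -> {first_denying_rule(RULES, url)}")
```

Under these assumptions a bare *.com matches the host name of any .com site, so adding it to the extension list would deny nearly the whole web; the leading slash in /*.com forces the .com to appear after the first slash, i.e. inside the path. Note the remaining caveat the convention does not remove: because * also spans / and the query string, /*.com will still match a URL whose query carries a .com value (for example ?next=site.com), so check any new pattern against a few real URLs from the proxy log before deploying it.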