HTTP Policy/Rules Not Working?
  •  
jplumb

I'm kind of a new user of Kerio Winroute Firewall (currently using version 6.0.8 - I will upgrade to most current version soon).

As a test, I set up a simple rule under "Content Filtering > HTTP Policy" to block a specific website - "www.playboy.com". The rule is set up to block that website for ALL users, at all times of the day. For some reason, this rule does not prevent me from surfing to www.playboy.com. I moved the rule to the very top of the list, but I can still go to the website. The same thing happens if I set up other rules to block a specific website - I can still go there.

Also, I set up a "URL Group" called "Adult Websites" and I added "www.playboy.com" and "www.playgirl.com" to that group. Then, I set up a rule to block traffic to (URL Group) "Adult Websites". But that did not work either. I can still surf to those sites.

Anyone know why the rules would not be working?
  •  
feite

HTTP Policy rules are applied to traffic with the HTTP protocol inspector enabled. By default the inspector is enabled. Check if the protocol inspector is enabled. You must check it at two places:
- at services. Should be on HTTP.
- at traffic rule, column protocol inspector (should be on default).

Also enable the logging for each HTTP policy rule. If one is browsing, the filter log will show what rule is used.
  •  
jplumb

Thanks for the reply. I did check those two places to make sure the protocol inspector is turned on (it is on "Default" at Services).

But, under "Configuration > Traffic Policy", I do not seem to have a rule specifically for HTTP traffic. When we set up Kerio Winroute Firewall, we basically just used all of the "default" rules that Kerio installs.

Do I have to have a specific rule for HTTP traffic set up in the firewall?
  •  
feite

Try it with a specific http rule. Also enable logging at the http policies.
  •  
jplumb

I set up a specific HTTP rule as follows, and moved it to the top of the list:

- Any User/Do not require authentication checked - even though it doesn't matter whether I have this checked or not, and I don't use authentication.

- URL begins with: www.playboy.com (I have also tried "http://www.playboy.com" and "*.playboy.com").

- Action: Deny Access

- Log: Checked.

On the ADVANCED tab,

- Valid Always.
- Show Denial Page (text: "denied"). Even though I have also tried "show blank page" and "redirect to URL", but nothing works.

Help...I think I'm going crazy.
  •  
jplumb

Ok, it gets weirder!

I just upgraded the firewall to the latest version (6.0.11). I was using 6.0.8.

Now, if I make the rule SPECIFIC (www.playboy.com) - DENY, it actually works...sort of. I get a message saying: "Requested page cannot be found. Please contact firewall administrator."

Ok, so the firewall IS blocking that site.

BUT...in the advanced options, I told it to use specific denial text: "This page is not authorized, please contact extension 102.". The HTTP rule ignores my specific denial text and displays the generic message listed above.

Also, URL GROUPS still does not work. I modified the rule to read "is in group: adult websites"...and it still won't use the URL group rule.

Are these just bugs in the firewall?
  •  
feite

You can ask for help at the Kerio helpdesk. The url is:

http://support.kerio.com/index.php?_a=tickets&_m=submit

I also have some problems with URL groups, reported them and they are working on it. I hope in the 6.1.0 release it will be fixed.

[Updated on: Mon, 06 June 2005 19:06]

  •  
jplumb

Thanks, I will do that. I'm testing the HTTP rules again, and once again, it's not blocking anything. It worked once or twice, then it stopped paying attention to the HTTP rules again. (?)
  •  
Viktor

Stop the Winroute service.
Open winroute.cfg and find the string <firewallexclude>.
If the record is equal to
<variable name="FirewallExclude">1</variable>
change the record to
<variable name="FirewallExclude">0</variable>

The quantity of <firewallexclude> is equal to the quantity of network interfaces.
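
The edit described in the post above, as an added example that is not part of the original thread and not Kerio's own tooling: a Python script that lists every FirewallExclude record in winroute.cfg and rewrites the value 1 to 0, keeping a .bak copy of the untouched file. The sample configuration is constructed; only the record line itself comes from the post, and the surrounding element names are assumptions.

```python
import re
import shutil
import sys

# The record exactly as quoted in the post; no other part of the file's
# layout is assumed. Bytes are used so encoding and line endings survive.
RECORD = re.compile(rb'(<variable name="FirewallExclude">)(\d+)(</variable>)')

def audit(cfg: bytes):
    """Return [(line_number, value)] for every FirewallExclude record."""
    hits = []
    for no, line in enumerate(cfg.split(b"\n"), 1):
        hits += [(no, int(m.group(2))) for m in RECORD.finditer(line)]
    return hits

def clear_excludes(cfg: bytes):
    """Rewrite each record whose value is 1 to 0; return (new_cfg, changed)."""
    changed = 0
    def fix(m):
        nonlocal changed
        if m.group(2) != b"1":
            return m.group(0)  # leave every other value untouched
        changed += 1
        return m.group(1) + b"0" + m.group(3)
    return RECORD.sub(fix, cfg), changed

# Constructed sample: only the FirewallExclude lines follow the post; the
# surrounding element names are made up for illustration.
SAMPLE = (
    b'<listitem>\r\n'
    b'  <variable name="Name">LAN</variable>\r\n'
    b'  <variable name="FirewallExclude">1</variable>\r\n'
    b'</listitem>\r\n'
    b'<listitem>\r\n'
    b'  <variable name="Name">Internet</variable>\r\n'
    b'  <variable name="FirewallExclude">0</variable>\r\n'
    b'</listitem>\r\n'
)

if __name__ == "__main__":
    # Usage: python fwexclude.py <path to winroute.cfg>, with the service stopped
    path = sys.argv[1]
    with open(path, "rb") as f:
        original = f.read()
    for no, value in audit(original):
        print(f"line {no}: FirewallExclude={value}")
    patched, changed = clear_excludes(original)
    if changed:
        shutil.copy2(path, path + ".bak")  # keep the untouched file
        with open(path, "wb") as f:
            f.write(patched)
    print(f"{changed} record(s) changed")
```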


