URL filtering (manual)

mbox (HSG/CMG/HSA) supports URL filtering based on a DNS blacklist/whitelist, and allows the administrator to configure a list of URLs to permit or deny. The list can be configured manually via the CLI, or mbox can be integrated with SafeDNS for category-based URL filtering.

There are several ways to filter URL access:

This document focuses on using the mbox DNS reject/resolve feature (#3) for URL filtering and logging.

URL blacklisting (deny some URL, permit all others)

URL blacklisting denies certain URL/domain accesses only and permits everything else. To achieve it, we simply configure a DNS reject for the target domain. DNS reject is an extension of the mbox DNS rewrite feature: it "spoofs" the DNS resolution of the target domain/URL to the fake IP 0.0.0.0, so the client cannot reach the site and the access is effectively denied.

All other DNS requests are passed to the upstream name-server for normal resolution (therefore permitted). Note that only lookups that go through mbox are filtered, which is why the steps below redirect client DNS requests (udp/53) to the local DNS service.

CONFIGURATION STEPS

ip name-server 8.8.8.8 8.8.4.4
firewall-dnat 99 redirect inbound eth1 udp dport 53 rdport 53 remark "intercepts client DNS requests"
firewall-input 99 permit inbound eth1 tcp dport 53 remark "permit access to local DNS service"
ip host hotmail.com reject

NOTE: if a domain is defined here, its sub-domains are blocked too. For example, blocking yahoo.com also blocks all sub-domain URLs (e.g. xxx.yahoo.com). If you only want to block a particular URL, be as specific as possible.

CONFIGURATION EXAMPLES

In this configuration guide, we configure HSG for DNS filtering and also use it as a syslog server. Refer to this section for details on mbox logging.

hostname mbox
!
interface eth 0
 description "Connection to WAN/Internet"
 enable
 ip address dhcp
!
interface eth 1
 description "Connection to LAN switch"
 enable
 ip address 10.1.1.1/24
 dhcp-server
  description "Configure mbox to assign IP to internal users"
  dns 10.1.1.1
  range 10.1.1.10 10.1.1.100
!
ip host splash.ransnet.com 2.1.2.1 rewrite
ip host macc.ransnet.com 2.1.2.1 rewrite
ip host hotmail.com reject
ip host playboy.com reject
ip host yahoo.com reject
!
ip name-server 8.8.8.8 8.8.4.4
!
firewall-dnat 10 redirect all udp dport 53 src 192.168.0.0/16 rdport 53
!
firewall-input 10 permit inbound eth1 udp src 10.1.1.0/24 dport 53 remark "permit DNS query"
!
firewall-access 10 permit outbound eth0 remark "permit all outbound access"
!
firewall-snat 10 overload outbound eth0 remark "hide all internal private IP to WAN interface IP"
!
security log-server
 log-input 10 accept tag unbound
 log-input 11 accept msg mboxfw
 data-lifetime 3
 start
!

Once the above is configured, connect your PC to the LAN port (either eth1 directly or a switch connected to eth1). Verify the configuration by trying to connect to the blocked sites and to other, non-blocked sites: browsing the sites in the blocked list should fail, while other sites should load without problems. On HSG, log in to the mbox GUI and check the live logs; you will see the URL live logs there.

URL whitelisting (allow some URL, block all others)

URL whitelisting is the "opposite" of blacklisting: you allow certain URL accesses only, and everything else is blocked. To achieve this, we use a combination of the mbox DNS reject and resolve features.

CONFIGURATION STEPS

ip name-server 8.8.8.8 8.8.4.4
firewall-dnat 99 redirect inbound eth1 udp dport 53 rdport 53 remark "intercepts client DNS requests"
firewall-input 99 permit inbound eth1 tcp dport 53 remark "permit access to local DNS service"
ip host . reject
ip host google.com resolve

NOTE: if a domain is defined here, its sub-domains are blocked too. For example, blocking yahoo.com also blocks all sub-domain URLs (e.g. xxx.yahoo.com). If you only want to block a particular URL, be as specific as possible.
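The two NOTEs above and the whitelisting steps both hinge on how a queried name is matched against the `ip host ... reject|resolve` rules. The following Python model is an added example written for this guide, not mbox code; it assumes (the page does not state it) that the most specific matching domain suffix wins and that `.` is the catch-all, which is what the `ip host . reject` plus `ip host google.com resolve` pair relies on. It also shows why a whitelist entry for google.com does not cover google.com.sg, so that name needs its own resolve line as in the example further below.

```python
"""Model of mbox-style 'ip host <domain> reject|resolve' matching.

Added example for this guide, not mbox code. Assumption (not stated on
the page): a query is matched against the rules by longest domain
suffix, so a rule for 'yahoo.com' also covers 'xxx.yahoo.com', and
'.' is the catch-all that matches every name.
"""
from typing import Dict, Optional, Tuple

REJECT_IP = "0.0.0.0"  # a rejected name is answered with this fake address


def parse_host_rules(config: str) -> Dict[str, str]:
    """Collect 'ip host <domain> reject|resolve' lines into {domain: action}.

    Other lines (name-server, rewrite rules carrying an IP, firewall) are ignored.
    """
    rules: Dict[str, str] = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[:2] != ["ip", "host"]:
            continue
        if parts[3] not in ("reject", "resolve"):
            continue
        name = parts[2].lower().rstrip(".")
        rules[name or "."] = parts[3]  # 'ip host . reject' becomes the '.' rule
    return rules


def decide(qname: str, rules: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (action, matching_rule) for a queried name.

    The name's suffixes are tried from most to least specific, so the most
    specific rule wins; if nothing matches, the '.' rule applies; with no rule
    at all the query is passed to the upstream name-server (rule None).
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return rules[suffix], suffix
    if "." in rules:
        return rules["."], "."
    return "resolve", None


def dns_answer(qname: str, rules: Dict[str, str]) -> str:
    """What the client sees: the fake 0.0.0.0 for reject, otherwise 'upstream'."""
    action, _ = decide(qname, rules)
    return REJECT_IP if action == "reject" else "upstream"


if __name__ == "__main__":
    # Constructed configs mirroring the blacklist and whitelist steps in this guide.
    blacklist = parse_host_rules("ip host hotmail.com reject\nip name-server 8.8.8.8 8.8.4.4")
    whitelist = parse_host_rules("ip host . reject\nip host google.com resolve")
    for name in ("mail.hotmail.com", "google.com", "www.google.com",
                 "facebook.com", "google.com.sg"):
        print(f"{name:18} blacklist->{dns_answer(name, blacklist):9} "
              f"whitelist->{dns_answer(name, whitelist)}")
```

Under the whitelist rules, www.google.com resolves through the google.com rule, facebook.com falls through to the `.` reject, and google.com.sg also falls through (its suffixes are google.com.sg, com.sg and sg, none of which is google.com).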

CONFIGURATION EXAMPLES

In this config example, we permit Facebook, WhatsApp and some Google services only, and deny everything else. Below is a snippet of the config.

!
ip host . reject
ip host akamai.net resolve
ip host akamaihd.net resolve
ip host akamaized.net resolve
ip host facebook.com resolve
ip host facebook.net resolve
ip host fbcdn.net resolve
ip host gmail.com resolve
ip host dns.google resolve
ip host google-analytics.com resolve
ip host google.com resolve
ip host google.com.sg resolve
ip host googleadservices.com resolve
ip host googleapis.com resolve
ip host googlesyndication.com resolve
ip host googletagservices.com resolve
ip host googleusercontent.com resolve
ip host googlevideo.com resolve
ip host gstatic.com resolve
ip host youtube.com resolve
ip host gvt1.com resolve
ip host gvt2.com resolve
ip host gvt3.com resolve
ip host whatsapp.com resolve
ip host whatsapp.net resolve
!

As you can see from the above, configuring whitelisting is a lot harder than blacklisting, because some sites or services require more than one domain. For example, accessing Facebook requires permitting several domains.

Be "specific" with tcpdump so that you are not overwhelmed by the amount of output on a live network. In the example below, tcpdump is used to show the DNS (udp/53) resolution results only for the user source IP 192.168.1.252 (your test PC), so that you can find out which sites (DNS requests) are blocked (the DNS answer is 0.0.0.0). Those names can then be added to the resolve list if they are meant to be permitted.

mbox# tcpdump interface br-eth1 port 53 detail host 192.168.1.252
tcpdump: listening on br-eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:14:11.538894 IP (tos 0x0, ttl 64, id 37878, offset 0, flags [DF], proto UDP (17), length 61)
    192.168.1.252.45622 > 8.8.4.4.53: [udp sum ok] 3440+ A? ssl.gstatic.com. (33)
17:14:11.541167 IP (tos 0x0, ttl 64, id 7645, offset 0, flags [DF], proto UDP (17), length 77)
    8.8.4.4.53 > 192.168.1.252.45622: [bad udp cksum 0xcefa -> 0xa74a!] 3440* q: A? ssl.gstatic.com. 1/0/0 ssl.gstatic.com. [0s] A 0.0.0.0 (49)
17:14:12.957045 IP (tos 0x0, ttl 64, id 38041, offset 0, flags [DF], proto UDP (17), length 51)
    192.168.1.252.36793 > 8.8.4.4.53: [udp sum ok] 44262+ A? hp.co. (23)
17:14:12.958626 IP (tos 0x0, ttl 64, id 38042, offset 0, flags [DF], proto UDP (17), length 51)
    192.168.1.252.39748 > 8.8.4.4.53: [udp sum ok] 44842+ AAAA? hp.co. (23)
17:14:12.959198 IP (tos 0x0, ttl 64, id 7713, offset 0, flags [DF], proto UDP (17), length 67)
    8.8.4.4.53 > 192.168.1.252.36793: [bad udp cksum 0xcef0 -> 0x83ee!] 44262* q: A? hp.co. 1/0/0 hp.co. [0s] A 0.0.0.0 (39)
17:14:12.961060 IP (tos 0x0, ttl 64, id 7714, offset 0, flags [DF], proto UDP (17), length 51)
    8.8.4.4.53 > 192.168.1.252.39748: [bad udp cksum 0xcee0 -> 0x7200!] 44842 q: AAAA? hp.co. 0/0/0 (23)
17:14:22.680010 IP (tos 0x0, ttl 64, id 38921, offset 0, flags [DF], proto UDP (17), length 58)
    192.168.1.252.52046 > 8.8.4.4.53: [udp sum ok] 7032+ A? facebook.com. (30)
17:14:22.680392 IP (tos 0x0, ttl 64, id 38922, offset 0, flags [DF], proto UDP (17), length 58)
    192.168.1.252.38573 > 8.8.4.4.53: [udp sum ok] 15933+ AAAA? facebook.com. (30)
17:14:22.681708 IP (tos 0x0, ttl 64, id 7909, offset 0, flags [DF], proto UDP (17), length 74)
    8.8.4.4.53 > 192.168.1.252.52046: [bad udp cksum 0xcef7 -> 0x8a30!] 7032* q: A? facebook.com. 1/0/0 facebook.com. [0s] A 0.0.0.0 (46)
17:14:22.682934 IP (tos 0x0, ttl 64, id 7910, offset 0, flags [DF], proto UDP (17), length 58)
    8.8.4.4.53 > 192.168.1.252.38573: [bad udp cksum 0xcee7 -> 0x6025!] 15933 q: AAAA? facebook.com. 0/0/0 (30)
17:14:27.090577 IP (tos 0x0, ttl 64, id 39703, offset 0, flags [DF], proto UDP (17), length 58)
    192.168.1.252.46360 > 8.8.4.4.53: [udp sum ok] 15616+ A? facebook.com. (30)
17:14:27.092309 IP (tos 0x0, ttl 64, id 7984, offset 0, flags [DF], proto UDP (17), length 74)
    8.8.4.4.53 > 192.168.1.252.46360: [bad udp cksum 0xcef7 -> 0x7ede!] 15616* q: A? facebook.com. 1/0/0 facebook.com. [0s] A 0.0.0.0 (46)
17:14:29.194367 IP (tos 0x0, ttl 64, id 40074, offset 0, flags [DF], proto UDP (17), length 56)
    192.168.1.252.59345 > 8.8.4.4.53: [udp sum ok] 16574+ A? google.com. (28)
17:14:29.194744 IP (tos 0x0, ttl 64, id 40075, offset 0, flags [DF], proto UDP (17), length 56)
    192.168.1.252.59132 > 8.8.4.4.53: [udp sum ok] 21769+ AAAA? google.com. (28)
17:14:29.196559 IP (tos 0x0, ttl 64, id 8143, offset 0, flags [DF], proto UDP (17), length 72)
    8.8.4.4.53 > 192.168.1.252.59345: [bad udp cksum 0xcef5 -> 0xafc3!] 16574* q: A? google.com. 1/0/0 google.com. [0s] A 0.0.0.0 (44)
17:14:29.197809 IP (tos 0x0, ttl 64, id 8144, offset 0, flags [DF], proto UDP (17), length 56)
    8.8.4.4.53 > 192.168.1.252.59132: [bad udp cksum 0xcee5 -> 0x6066!] 21769 q: AAAA? google.com. 0/0/0 (28)
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel
mbox#
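Reading rejected names out of a capture like the one above by eye gets tedious on a busy network. The following Python script is an added helper written for this guide, not an mbox or vendor tool. It assumes the response-line layout shown in the capture (`q: A? <name>. answers/auth/additional ... A <ip>`), treats an A answer of 0.0.0.0 as the mbox reject spoof, and works on a constructed sample in that format rather than on the real capture; the client IP, the port numbers and the 203.0.113.10 address in the sample are made up. The drafted `ip host ... resolve` lines use the exact queried names; whether to widen one to its parent domain is left to the administrator, since the page states that a domain rule also covers its sub-domains.

```python
"""Find which DNS names mbox rejected, from a 'tcpdump ... detail' capture.

Added helper for this guide, not an mbox or vendor tool. It assumes the
response-line layout shown in the capture ('q: A? <name>. x/y/z ... A <ip>')
and treats an A answer of 0.0.0.0 as the mbox reject spoof.
"""
import re
from typing import Dict, List

# Constructed sample in the capture's format (not a real capture): one
# rejected name, one AAAA reply (ignored), one empty reply, one real answer.
SAMPLE_CAPTURE = """\
17:14:11.538894 IP (tos 0x0, ttl 64, id 37878, offset 0, flags [DF], proto UDP (17), length 61)
    192.168.1.252.45622 > 8.8.4.4.53: [udp sum ok] 3440+ A? ssl.gstatic.com. (33)
17:14:11.541167 IP (tos 0x0, ttl 64, id 7645, offset 0, flags [DF], proto UDP (17), length 77)
    8.8.4.4.53 > 192.168.1.252.45622: [bad udp cksum 0xcefa -> 0xa74a!] 3440* q: A? ssl.gstatic.com. 1/0/0 ssl.gstatic.com. [0s] A 0.0.0.0 (49)
17:14:12.961060 IP (tos 0x0, ttl 64, id 7714, offset 0, flags [DF], proto UDP (17), length 51)
    8.8.4.4.53 > 192.168.1.252.39748: [bad udp cksum 0xcee0 -> 0x7200!] 44842 q: AAAA? hp.co. 0/0/0 (23)
17:14:15.000000 IP (tos 0x0, ttl 64, id 7800, offset 0, flags [DF], proto UDP (17), length 58)
    8.8.4.4.53 > 192.168.1.252.41000: [udp sum ok] 12345 q: A? nosuch.example. 0/0/0 (30)
17:14:30.000000 IP (tos 0x0, ttl 64, id 8200, offset 0, flags [DF], proto UDP (17), length 72)
    8.8.4.4.53 > 192.168.1.252.40001: [udp sum ok] 30001* q: A? www.whatsapp.com. 1/0/0 www.whatsapp.com. [60s] A 203.0.113.10 (44)
"""

# Second line of each response: "<server>.53 > <client>.<port>: ... q: A? <name>. ans/auth/add <records>"
RESPONSE = re.compile(
    r"^\s+(?P<server>\d+\.\d+\.\d+\.\d+)\.53 > (?P<client>\d+\.\d+\.\d+\.\d+)\.\d+: "
    r".*?q: A\? (?P<qname>\S+?)\. \d+/\d+/\d+(?P<answers>.*)$"
)
A_RECORD = re.compile(r"\bA (\d+\.\d+\.\d+\.\d+)")


def classify_responses(capture: str, client: str) -> Dict[str, List[str]]:
    """Group the A-query names answered to one client IP by outcome.

    'blocked'   every A answer was 0.0.0.0 (the mbox reject spoof)
    'resolved'  at least one real address came back
    'no_answer' the A query got zero answer records
    AAAA replies are skipped: in the capture they carry no records either way.
    """
    out: Dict[str, List[str]] = {"blocked": [], "resolved": [], "no_answer": []}
    for line in capture.splitlines():
        m = RESPONSE.match(line)
        if not m or m.group("client") != client:
            continue
        addrs = A_RECORD.findall(m.group("answers"))
        name = m.group("qname").lower()
        if not addrs:
            bucket = "no_answer"
        elif all(a == "0.0.0.0" for a in addrs):
            bucket = "blocked"
        else:
            bucket = "resolved"
        if name not in out[bucket]:
            out[bucket].append(name)
    return out


def suggest_resolve_lines(blocked: List[str]) -> List[str]:
    """Draft 'ip host <name> resolve' lines for the names that were rejected.

    Exact names are emitted; the admin decides whether to widen a line to the
    parent domain, since a domain rule also covers its sub-domains.
    """
    return [f"ip host {name} resolve" for name in blocked]


if __name__ == "__main__":
    result = classify_responses(SAMPLE_CAPTURE, "192.168.1.252")
    for bucket, names in result.items():
        print(f"{bucket:10} {', '.join(names) or '-'}")
    print("\n".join(suggest_resolve_lines(result["blocked"])))
```

On a real box, save the tcpdump output to a file and pass its contents to `classify_responses` with the test PC's IP; names in the `blocked` bucket are the candidates to review before adding them to the resolve list.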