General URL blocking

Secure your network!

Moderator: Federico.Lagni

softmed
Cisco fan
Posts: 30
Joined: Fri 15 Apr 2005, 12:41 pm

Hi
To filter web applications that cannot be handled at the protocol level, we use filters of this kind:

ip inspect name msn appfw my-im-policy

appfw policy-name my-im-policy
 application http
  port-misuse im action reset
 application im yahoo
  service default action reset
  service text-chat action allow
  server permit name scs.msg.yahoo.com
  server permit name scsa.msg.yahoo.com
  server permit name scsb.msg.yahoo.com
  server permit name scsc.msg.yahoo.com
 application im aol
  server deny name login.oscar.aol.com
 application im msn
  server deny name hotmail.com
  server deny name msn.com
  server deny name hotmail.it
  server deny name msn.it
  server deny name messenger.hotmail.com
  server deny name webmessenger.msn.com
  server deny name messengerfx.fr
  server deny name messengerfx.es
  server deny name messengerfx.co.uk
  server deny name www1.messengerfx.com
  server deny name www2.messengerfx.com
  server deny name www3.messengerfx.com
  server deny name messengerfx.com

We need to block access to other applications (for example facebook.com) or to block access to arbitrary URLs (for example www.abc.it).
Is it possible to create a filter based on a list of Internet domains?

Thanks
Matteo
emanuele.ciani
Cisco fan
Posts: 62
Joined: Thu 11 May 2006, 1:47 pm
Location: Forlì

hi
you need to enable content filtering

with a list kept locally on the router, I implemented it using the zone-based firewall

parameter-map type urlf-glob

this explains how to do it with Trend Micro, but if you leave out the server configuration it also works locally

https://www.cisco.com/en/US/prod/collat ... 92776.html
softmed
Cisco fan
Posts: 30
Joined: Fri 15 Apr 2005, 12:41 pm

So with a local list I can skip the part about connecting to a third-party service, with no paid licences?
Thanks a lot
Matteo
emanuele.ciani
Cisco fan
Posts: 62
Joined: Thu 11 May 2006, 1:47 pm
Location: Forlì

yes, it's very limited but it works

for example I blocked facebook and some porn sites for a customer
the problem comes with https sites
softmed
Cisco fan
Posts: 30
Joined: Fri 15 Apr 2005, 12:41 pm

Right now I really need to block facebook. Could you send me a few pointers from your configuration? Thanks a lot!

So for HTTPS this method is not applicable?

Thanks
Matteo
emanuele.ciani
Cisco fan
Posts: 62
Joined: Thu 11 May 2006, 1:47 pm
Location: Forlì

I configured it as follows

parameter-map type urlf-glob facebook
 pattern facebook.com
 pattern *.facebook.com

parameter-map type urlf-glob sitiok
 pattern *

parameter-map type urlf-glob twitter
 pattern twitter.com
 pattern *.twitter.com

parameter-map type urlf-glob netlog
 pattern netlog.com
 pattern *.netlog.com

with these commands you identify the traffic, then you put them into

class-map type urlfilter match-any face
 match server-domain urlf-glob facebook
 match server-domain urlf-glob twitter
 match server-domain urlf-glob netlog

class-map type urlfilter match-any siti
 match server-domain urlf-glob sitiok

then you create the policies

policy-map type inspect urlfilter socialnetwork
 class type urlfilter face
  reset
 class type urlfilter siti
  allow

with the corresponding actions

you insert this policy inside the directional policy
policy-map type inspect in-to-outside
 class type inspect http-content
  inspect
  service-policy urlfilter socialnetwork

then the policy is applied to the directional traffic in the router's zone configuration
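A small model of the match chain described in the post above (urlf-glob patterns, match-any class-maps, an ordered urlfilter policy nested under the http-content inspect class), added here as an example: it is neither emanuele.ciani's configuration nor Cisco's implementation. It assumes that urlf-glob patterns behave like shell globs against the HTTP Host header, that classes in the urlfilter policy are evaluated top-down with the first match deciding, and that a flow reaching no class is allowed; all three are assumptions, not documented IOS behaviour. It also models the HTTPS point raised in the thread: TLS flows never reach the URL filter in this chain, because the filter hangs off the HTTP inspect class and the Host header is encrypted.

```python
"""Model of the zone-based firewall URL-filter chain from the forum post.

Added example, not the poster's config and not Cisco IOS code.
Assumed (not from the page): fnmatch-style globs, ordered first-match
policy evaluation, implicit allow when no class matches, HTTP-only filtering.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# parameter-map type urlf-glob <name> / pattern ...  (patterns as in the post)
URLF_GLOB: Dict[str, List[str]] = {
    "facebook": ["facebook.com", "*.facebook.com"],
    "twitter": ["twitter.com", "*.twitter.com"],
    "netlog": ["netlog.com", "*.netlog.com"],
    "sitiok": ["*"],
}

# class-map type urlfilter match-any <name> / match server-domain urlf-glob ...
CLASS_MAPS: Dict[str, List[str]] = {
    "face": ["facebook", "twitter", "netlog"],
    "siti": ["sitiok"],
}

# policy-map type inspect urlfilter socialnetwork: ordered (class, action)
POLICY: List[Tuple[str, str]] = [("face", "reset"), ("siti", "allow")]


def host_matches_patterns(host: str, patterns: List[str]) -> bool:
    """True if the Host header matches any glob pattern (assumed fnmatch semantics)."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def host_matches_glob(host: str, glob_name: str) -> bool:
    """Evaluate one named urlf-glob parameter-map against a host."""
    return host_matches_patterns(host, URLF_GLOB[glob_name])


def class_matches(host: str, class_name: str) -> bool:
    """match-any semantics: a single matching urlf-glob is enough."""
    return any(host_matches_glob(host, g) for g in CLASS_MAPS[class_name])


def urlfilter_action(host: str) -> str:
    """Walk the urlfilter policy top-down; the first matching class decides."""
    for class_name, action in POLICY:
        if class_matches(host, class_name):
            return action
    return "allow"  # assumed default when no class matches


def inspect_flow(scheme: str, host: str) -> str:
    """Model of 'class type inspect http-content / inspect / service-policy urlfilter'.

    Only plain HTTP is handed to the URL filter. An HTTPS flow is inspected as an
    ordinary TCP/TLS session and the glob never sees the (encrypted) Host header,
    which is the https limitation mentioned in the thread.
    """
    if scheme == "http":
        return urlfilter_action(host)
    return "inspect-only"


if __name__ == "__main__":
    # constructed sample flows, not captured traffic
    samples = [
        ("http", "facebook.com"),
        ("http", "www.facebook.com"),
        ("http", "facebook.com.example.net"),  # not a facebook.com host
        ("http", "www.example.it"),
        ("https", "www.facebook.com"),
    ]
    for scheme, host in samples:
        print(f"{scheme}://{host:<28} -> {inspect_flow(scheme, host)}")
```

Two things the model makes visible: the pattern `facebook.com` on its own does not cover `www.facebook.com`, which is why the post lists both `facebook.com` and `*.facebook.com`; and a host such as `facebook.com.example.net` is not caught by either pattern, since globs are anchored to the whole Host value.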
softmed
Cisco fan
Posts: 30
Joined: Fri 15 Apr 2005, 12:41 pm

Thanks a lot, I'll go through the documentation and run some tests.
Matteo
softmed
Cisco fan
Posts: 30
Joined: Fri 15 Apr 2005, 12:41 pm

Hi
I'm checking on 2801 and 877 routers and I can't find the commands I see in your configurations.

Which IOS version are you using?
Below I list the parameter-map types I have available (there is none of type urlf-glob) and all the options available in the 4 types (in none of them do I find pattern)

Thanks
Bye
Matteo


(config)#parameter-map type ?
  inspect     inspect parameter-map
  mitigation  Parameter map of type mitigation
  tms         Parameter map of type tms
  urlfilter   urlfilter parameter-map

(config)#parameter-map type urlfilter test
(config-profile)#?
parameter-map commands:
  alert             Enable alerts
  allow-mode        Turn on/off allow-mode
  audit-trail       Enable logging of URL information at router
  cache             Specify size of the cache and timeout value of cache entries
  exclusive-domain  Specify the exclusive domain name
  exit              Exit from parameter-map
  max-request       Specify maximum number of pending request
  max-resp-pak      Specify the number of http responses that can be buffered
  no                Negate or set default values of a command
  server            Specify the URL filter server ip address
  source-interface  Specify source-interface for connection to server
  urlf-server-log   Enable logging of URL information at URL filter server

(config)#parameter-map type inspect test2
(config-profile)#?
parameter-map commands:
  alert           Turn on/off alert
  audit-trail     Turn on/off audit trail
  dns-timeout     Specify timeout for DNS
  exit            Exit from parameter-map
  icmp            Config timeout values for icmp
  max-incomplete  Specify maximum number of incomplete connections before clamping
  no              Negate or set default values of a command
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows

(config)#parameter-map type mitigation test3
(config-profile)#?
parameter-map commands:
  exit      Exit from parameter-map
  no        Negate or set default values of a command
  variable  Action Variable name

(config)#parameter-map type tms test4
(config-profile)#?
parameter-map commands:
  controller    TMS controller information for registration
  exit          Exit from parameter-map
  heartbeat     TMS protocol heartbeat parameters
  logging       Logging options for TMS service
  message       TMS protocol message related parameters
  no            Negate or set default values of a command
  registration  TMS protocol registration parameters