Content filter not working or me missunderstanding it?

Elleni · January 19, 2020, 10:00pm

I have web Proxy & Filter activated and in Filter / configuration / edit / black & whitelist there is a field blocked extensions with: exe, zip. So why I still can download exe files? For example I tried to download thunderbird.exe and it was allowed. How is it possible to deny the users to download different filetypes?

Also in email / filter the setting at the bottom under attachements / advanced, where I can add extensions to the predefined doc,odt - when I try to save, there is an error while executing nethserver-mail/filter/update.

flatspin · January 20, 2020, 9:07am

Hi Elleni,

what configuration do you use? Tranparent with SSL?
Did you use cockpit or old server manager?

I found, that with cockpit the fileextension is not saved.
Can you please verify with
config show squidguard
The BlockedFileType property is not changed on my system when using cockit.
If yes, it is a bug.

Elleni · January 20, 2020, 12:18pm

Hello flatspin,

I use transparent - but not with ssl. Yes, I setup and configure system with cockpit.

config show squidguard does not return anything.

flatspin · January 20, 2020, 2:33pm

In Terminal it should return something like this:

config show squidguard
squidguard=configuration
    BlockedFileTypes=exe
    CustomListURL=
    DomainBlacklist=youtu.be,youtube.com
    DomainWhitelist=windowsupdate.com,microsoft.com
    Expressions=disabled
    IdleChildren=5
    Lists=shalla
    MaxChildren=20
    RedirectUrl=
    RedirectUrlHTTPS=blocked.nethserver.org:443
    StartupChildren=5
    UrlBlacklist=
    UrlWhitelist=

Please show output of
rpm -qa nethserver-squid*

Elleni · January 20, 2020, 5:05pm

It does now, dont know, I rebooted the server inbetween and was playing around, but now it shows

[root@hostname ~]# config show squidguard
squidguard=configuration
    BlockedFileTypes=exe,zip
    CustomListURL=[/code]
    DomainBlacklist=translate.google
    DomainWhitelist=mydomain.local,ip
    Expressions=disabled
    IdleChildren=5
    Lists=toulouse
    MaxChildren=20
    RedirectUrl=
    RedirectUrlHTTPS=blocked.nethserver.org:443
    StartupChildren=5
    UrlBlacklist=
    UrlWhitelist=

Maybe a typo… Anyway.

rpm -qa nethserver-squid* nethserver-squidclamav-3.1.0-1.ns7.noarch nethserver-squid-1.10.5-1.ns7.noarch nethserver-squidguard-1.9.2-1.ns7.noarch

Just tested, I could still download thunderbird setup.exe @thunderbird.net. And I still cannot successfully modify and safe extensions list in spamd filter settings.

By the whay how where can I change redirect url?

flatspin · January 21, 2020, 8:02am

It’s here the same. I can download exe-files although they’re should be blocked. Maybe a limitation of filtering https.

To change the redirect url please have a look at:

Example of cgi-file:

github.com

NethServer/nethserver-squidguard/blob/master/root/var/www/cgi-bin/nethserver-block.cgi

#! /usr/bin/perl 
#
# Explain to the user that the URL is blocked and by which rule set
#
# Original by Pål Baltzersen 1999 (pal.baltzersen@ost.eltele.no)
# French texts thanks to Fabrice Prigent (fabrice.prigent@univ-tlse1.fr)
# Dutch texts thanks to Anneke Sicherer-Roetman (sicherer@sichemsoft.nl)
# German texts thanks to Buergernetz Pfaffenhofen (http://www.bn-paf.de/filter/)
# Spanish texts thanks to Samuel GarcÃa).
# Rewrite by Christine Kronberg, 2008, to enable an easier integration of
# other languages.
#

# By accepting this notice, you agree to be bound by the following
# agreements:
# 
# This software product, squidGuard, is copyrighted (C) 1998-2008
# by Christine Kronberg, Shalla Secure Services. All rights reserved.
# 
# This program is free software; you can redistribute it and/or modify

This file has been truncated. show original

flatspin · January 21, 2020, 2:10pm

@Elleni

Do you have “Block file extensions” enabled?

grafik

You find it in “Edit Filter” / 2nd “What” / “Advanced Options”

Elleni · January 22, 2020, 7:50am

After having setup completely new installation, as I changed from internal ourdomain.local to external ourdomain.work, I checked again.

I can add extensions to web proxy filter. Yes, block extensions is activated. I tried with the following two files and could still download them: Thunderbird.net and sqlexpress express download. For testing purpose I also added pdf to the extension list, and I could still access them.

Within mail proxy I still cannot safe the extension list when adding some extension like exe and or zip. Executing nethserver-mail/filter/update in terminal shows:
No such file or directory

flatspin · January 22, 2020, 12:03pm

I tried several time to configure it, but I wasn’t able to block such downloads too.
I’ve to say, never tested it before. But I’m also out of ideas for the moment.

Has someone an idea what’s wrong @ support_team?

EDIT: Now I found the corresponding threat

It seems it’s a limitation of filtering https-trafic, as I assumed earlier.

cswain · January 24, 2020, 5:02pm

Unencrypted HTTPS only shows the domain (www.google.com) it doesn’t see any of the path or parameters.

Elleni · January 24, 2020, 7:37pm

Does that mean, that it is not possible to filter all those extensions at all, if they are downloaded from https?

Elleni · February 21, 2020, 2:20pm

Can someone please confirm? Do I understand correctly that filtering file extensions is not possible for https connection but only for unencrypted http, or is this a bug?

Andy_Wismer · February 21, 2020, 2:48pm

Hi

File extensions with https DO pose a problem in my experience.
Especially when we’re talking about proxy or filtering…

Our clients have NO problems saving files with .exe extensions, be it word.exe, thunderbird.exe or cryptoransom.exe…

My 2 cents
Andy