2017/10/18 10:02

CCProxy Server Software has all-around filter functionality. It supports both Internet filtering and web filtering, based either on the content or on the site itself. A web filter controls which web sites clients can visit.

Web Filter

Web filters restrict client access to particular web sites. They are defined in 'Account - Web Filter'.

Web Filter Name is used to define different web filter rules.

Site Filter: Input the sites you want to filter in the edit box. Site filter supports wildcard character (,?). Multiple sites should be divided by semicolon.
For example: .yahoo.com;???hotmail.com;
You can also define a port filter. For example: .yahoo.com:443;.hotmail.com:80;
You can also input a web filter file name here. The web filter file format is one web filter per line. For example: .yahoo.com;.hotmail.com;.bbc.com:443;.msn.com:443;
Note: For secure websites you need to add the port number :443 at the end, otherwise the secure site will not be allowed or filtered.

Permitted Sites: the clients can only access the sites which are included in the site filters.

Forbidden Sites: the clients cannot access the sites which are included in the site filters.

Advanced DNS Filter: Input the address here.

Forbidden URL: You can define the URL filter here. You can input whole or partial URLs. For example:
Forbidden URL is different from Site Filter. Site Filter only applies to the web host name and port, whereas Forbidden URL applies to the whole URL address.
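The rule types described above can be modelled in a few lines to check a rule set before it is deployed. This is an added example, not CCProxy code: it assumes `*` and `?` act as glob wildcards, that a rule without a port only covers plain port-80 requests, and that Forbidden URL is a substring test; all host names are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def parse_rules(text):
    """Split a semicolon-separated rule string, ignoring empty entries."""
    return [r.strip().lower() for r in text.split(";") if r.strip()]

def site_hit(rules, host, port):
    """Assumed Site Filter semantics: a rule containing ':' is compared with
    'host:port'; a rule without one only covers plain HTTP on port 80."""
    for rule in rules:
        if ":" in rule:
            if fnmatchcase(f"{host}:{port}", rule):
                return True
        elif port == 80 and fnmatchcase(host, rule):
            return True
    return False

def decide(url, site_rules=(), mode="forbidden", url_rules=()):
    """Return 'block' or 'allow' for one requested URL."""
    parts = urlsplit(url.lower())
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if site_rules:
        hit = site_hit(site_rules, parts.hostname or "", port)
        if (mode == "forbidden") == hit:
            return "block"   # forbidden + match, or permitted + no match
    # Forbidden URL sees the whole address, so it can match on the path.
    if any(fragment in url.lower() for fragment in url_rules):
        return "block"
    return "allow"

# Constructed rule set and requests.
SITES = parse_rules("*.yahoo.com;*.bbc.com:443;*:1863;")
EXTENSIONS = parse_rules(".exe;.msi")

if __name__ == "__main__":
    for u in ("http://www.yahoo.com/", "https://www.yahoo.com/",
              "https://www.bbc.com/news", "http://im.example:1863/"):
        print(u, decide(u, SITES))
    print(decide("http://files.example/setup.exe", url_rules=EXTENSIONS))
```

The second request is allowed because the yahoo rule carries no :443, which is the gap the note on secure websites describes.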
Forbidden Content can filter web pages that contain specific characters. If the web page includes such characters, it will be banned. Input the characters you want to block in the edit box. Multiple characters should be divided by semicolon.
For example: chat;travel.

Notes: This step is only to define a web filter rule. If you want to apply it to a specific account, you should edit the account's properties and select the web filter rule for the account.

Time Schedule (Control On-line Time, Access Time Control)

Time schedule is used to control the clients' on-line time. It is defined in 'Account - Time Schedule'.

Time Schedule Name is used to define different time schedule rules.

Sunday to Saturday: This is used to set different on-line time schedules for business days. You can edit the time schedule directly in the edit box or click the button beside the edit box. In the popup 'Time Table' dialog box, there are 24 time range choices.

Note: '01:00' means Internet access is allowed from 00:00 to 01:00. 'Apply to' means the time control of the day is only effective for the checked choices.

Notes: This step is only to define a time schedule rule. If you want to apply it to a specific account, you should edit the account's properties and select the time schedule rule for this account.
Some Samples of Internet Web Filter Management

How to block certain sites for clients

Suppose you want to block the Yahoo and CNN sites. Open the 'Account Manager' dialog box. Click the 'Web Filter' button and open the 'Web Filter' dialog box. Click the 'New' button. Enter 'filter-yahoo' in 'Web Filter Name'. Check 'Site Filter' and 'Forbidden Sites'. Enter 'yahoo.;cnn.' in the edit box of 'Site Filter'. Click the 'Save' and 'OK' buttons. Back in the 'Account Manager' dialog box, select one client and click the 'Edit' button. Check 'Web Filter' and choose 'filter-yahoo' from the list box. Click the 'OK' button. Now the client is unable to access Yahoo and CNN.

How to allow only certain sites for clients

Suppose you want to allow clients to access only www.youngzsoft.net. Open the 'Account Manager' dialog box. Click the 'Web Filter' button and open the 'Web Filter' dialog box. Click the 'New' button. Enter 'permit-youngzsoft' in 'Web Filter Name'. Check 'Site Filter' and 'Permitted Sites'. Enter 'youngzsoft' in the edit box of 'Site Filter'. Click the 'Save' and 'OK' buttons. Back in the 'Account Manager' dialog box, select one client and click the 'Edit' button. Check 'Web Filter' and choose 'permit-youngzsoft' from the list box. Click the 'OK' button. Now the client can only access www.youngzsoft.net.

How to block sites with certain content

Suppose you want to block sites that contain 'chat'. Open the 'Account Manager' dialog box. Click the 'Web Filter' button and open the 'Web Filter' dialog box. Click the 'New' button. Enter 'filter-chat' in 'Web Filter Name'. Check 'Forbidden Content'. Enter 'chat' in the edit box of 'Forbidden Content'. Click the 'Save' and 'OK' buttons. Back in the 'Account Manager' dialog box, select one client and click the 'Edit' button. Check 'Web Filter' and choose 'filter-chat' from the list box. Click the 'OK' button. Now the client cannot access any sites that contain 'chat'.

How to block executable files from the Internet

Open the 'Account Manager' dialog box. Click the 'Web Filter' button and open the 'Web Filter' dialog box. Click the 'New' button. Enter 'filter-exe' in 'Web Filter Name'. Check 'Forbidden URL'. Enter '.exe.bat.pif.msi' in the edit box of 'Forbidden URL'. Click the 'Save' and 'OK' buttons. Back in the 'Account Manager' dialog box, select one client and click the 'Edit' button. Check 'Web Filter' and choose 'filter-exe' from the list box. Click the 'OK' button. Now the client cannot download executable files.

How to limit bandwidth for clients

Open the 'Account Manager' dialog box. Select one client and click the 'Edit' button. Enter '4096' in 'Bandwidth'. Click the 'OK' button. Now the client's bandwidth is 4Kb/s. If you only want to limit upload bandwidth, go to CCProxy 'Options' - 'Advanced' - 'Networks'. You can select the bandwidth control type from 'Bandwidth Control Apply for'.

How to block certain ports for clients

Suppose you want to block port 1863 (MSN messenger port). Open the 'Account Manager' dialog box. Click the 'Web Filter' button and open the 'Web Filter' dialog box. Click the 'New' button. Enter 'filter-port-1863' in 'Web Filter Name'. Check 'Site Filter' and 'Forbidden Sites'. Enter ':1863' in the edit box of 'Site Filter'. Click the 'Save' and 'OK' buttons. Back in the 'Account Manager' dialog box, select one client and click the 'Edit' button. Check 'Web Filter' and choose 'filter-port-1863' from the list box. Click the 'OK' button. Now the client cannot access port 1863 and MSN messenger.

How to customize the 'Forbidden' page

Open the 'Options' dialog box. Click the 'Advanced' button. Click the 'Customize' button. You can change the 'Account auth failed message', 'Web site filter message' and 'Web content filter message'. Click the 'OK' button.
Some users might use the Tor browser to bypass the controls of the company firewall, which makes your firewall useless. In this topic, I will guide you to block Tor browser traffic in your network with WFilter ICF (internet content filter).

Define tor browser protocol

Create a new “torbrowser” protocol in “System Settings” - “Protocols”. Add a new pattern: choose the “TLS2” type, set “Offset” to “0” and “Pattype” to “Regular Expression”.
Patterns: “ x01 x02 x02 x02 x03 x00 x0F x00 x01 x01$”.
Save the settings and apply the changes.

Deploy a tor blocking policy

Add a blocking policy and set “Torbrowser” to “Deny” in “applications”. Apply this policy to certain client devices.

Test and checking

After the above steps, the Tor browser will not be able to establish a Tor network connection. In “live connections” of WFilter, you can see “tor browser” being blocked.

In previous posts, we’ve discussed various methods of Wi-Fi authentication, including “username & password authentication”, “wechat Wi-Fi” and “facebook Wi-Fi”. SMS Wi-Fi requires clients to input a mobile phone number to receive an access code before visiting the internet, so the internet provider can record clients' phone numbers for marketing or security purposes. In this post, I will guide you to enable SMS Wi-Fi authentication in WFilter NG firewall.

First, you need to set up an SMS service. WFilter sends SMS messages via a web API, so you need to set up an SMS web service first. The SMS web service can be hosted locally or on the internet.
In this practice, I set up an Alibaba Cloud account and downloaded the PHP SDK. The SDK is set up in a local web service. I also modified the SDK demo to get “phone” and “code” from web POST parameters.

Second, enable SMS authentication in WFilter. In “Web Auth”, you need to choose the “SMS” auth type. The “SMS API URL” is configured as the local SDK demo URL.

When a client wants to visit the internet, a web portal will appear. The client needs to input a correct phone number to receive the access code. In the WFilter account login history, you will be able to see the IP address, MAC address and phone number of Wi-Fi clients. Clients' internet activities will also be recorded. More details about “web authentication” can be found here.
To save internet bandwidth and raise productivity, administrators need to know the bandwidth usage and internet activities in business networks. There are network firewall appliances with this ability, but in this post I will introduce several software monitoring solutions.

Passby monitoring on a mirroring port

“Port mirroring” is a feature of manageable switches or routers. With “port mirroring”, you can get a copy of the packets from other ports, so you can set up a software program on the PC attached to the target port to monitor all network traffic. This is called “passby monitoring”.

The network diagram:

With installed, you will be able to monitor bandwidth, internet activities and deploy internet access policies.

Screenshots:
SNMP-based monitoring

Compared to “port mirroring”, SNMP-based monitoring is easier to set up but has fewer features. However, it’s also very convenient to monitor bandwidth with SNMP. Below are screenshots from PRTG.

Linux network bridge

A network bridge is more powerful, with the ability to monitor traffic, allocate bandwidth and filter internet activities. A network bridge shall be deployed between your router/firewall and switch. To set up a network bridge, you need a PC with two network cards (wired adapters only). I would recommend you to use as the operation system. It’s a dedicated Linux distribution for internet content filtering and firewall. Below are screenshots from WFilter NGF.

Most business networks now provide WiFi access for employees and customers. Since everyone can access the WiFi network, unauthorized access can bring virus attacks and intruders, so you need to pay more attention to your network security. Usually, you have the options below:

1. Set WiFi users in a separate VLAN, which shall only have limited access to enterprise resources. This is the first door to keep intruders out.
2. Enable user authentication for WiFi users.
3. Enable ip-mac binding for WiFi users.
4. Record internet usage history for WiFi users, including IP, MAC, visited websites.

In this post, I will introduce the “Web Auth” feature of WFilter NG firewall. For WiFi clients, the most widely used authentication is “Web Authentication” (Portal Authentication). Clients won’t have internet access until authenticated in a web portal. For iOS and Windows, the web portal will show up automatically.

1. User & Pass Authentication

When enabled, WiFi clients will be asked for a username and password. Various authentication methods are supported, including “Local Auth”, “Email Auth”, “Ldap Auth” and “Radius Auth”. If you have an existing LDAP domain, you can authenticate with domain users. Users can also authenticate with email accounts. You can also define local users in WFilter for authentication. A remote RADIUS server is also supported. You can set internet access policy, query history and reports based on usernames.

2. Third Party Auth

“Third party authentication” is designed for marketing purposes. You have “wechat WiFi” and “facebook WiFi” by default. When enabled, users must check in on your Facebook page to access the internet.
WFilter NGF has a built-in API library for developers to manipulate the entire system or integrate WFilter features. With the APIs, you’re able to:

1. Get bandwidth history.
2. Get online users, including ip, mac, account, live connections.
3. Terminate user connections, kick off user.
4. Add/remove user from virtual group to apply policies.
5. Extend user expire date.

In this post, I will use an API example to demonstrate the API library usage of WFilter NGF. The requirement is simple: “an API call to set access policy and bandwidth rate limit for an ip address”.

First, we need to set up WFilter NGF. Because “access policy” and “bandwidth shaper” are separate modules in WFilter NGF, we need to set up a virtual group with policies applied. In the API call, we only need to add IP addresses into the virtual group to apply the rules.
1.1) Create a new “limited access” virtual group.
1.2) Set up policies for this group.

Use php to call WFilter API. Now, we’ve set up policies for the virtual group. To apply the policies to an IP address, we only need to add this IP into this group. We have a php SDK, you need to include the WFilterNGF.php to call the API functions.

Isn’t it simple? You may check more details in. If you have any suggestions or requirement, please feel free to.

Torrent downloading is annoying and can consume most of your bandwidth, so you might want to block torrent in your network. There are several ways to do this. In this post, I will introduce three solutions to block torrent (bittorrent, utorrent, qtorrent) with WFilter internet content filter and WFilter NG firewall.
Please be aware that “WFilter internet content filter (ICF)” and “WFilter NG firewall (NGF)” are totally different products. WFilter ICF is a Windows program, which is designed for pass-by deployment on a mirroring port, while WFilter NGF is a dedicated Linux firewall system.

1. Block torrent with WFilter ICF

As you can see in the diagram, the WFilter internet content filter (ICF) shall be connected to a mirroring port on your router or switch, so it can analyze network packets and deploy internet access policies. Steps to block torrent with WFilter ICF:

2. Block torrent with WFilter NGF as a network bridge

Network topology diagram: WFilter NGF acts as a network bridge, sitting between your router and switch, so it can filter internet traffic.

3. Block torrent with WFilter NGF as a network gateway

Network topology diagram: In this topology, WFilter NGF acts as the gateway of your network to deploy internet access policies. Please be aware that you can install WFilter NGF in a virtual machine to act as a virtual gateway, here is a guide:

You can set up “application control” policies to block torrent with the steps below:

When deployed and configured properly, both WFilter ICF and WFilter NGF can block torrent completely. All torrent clients will have zero uploading and downloading speed.

For security purposes, you might want to bind IP addresses to MAC addresses for client devices.
There are several IP-MAC binding solutions, including ARP binding and port-based binding. In this post, I will introduce the steps to set up port-based IP-MAC binding in your switch.

1. Cisco 2950

Syntax of Cisco 2950 port-based IP-MAC binding:

    Switch#config terminal
    Switch(config)#Interface fastethernet 0/1
    Switch(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx ip-address 192.168.x.x

2. Huawei S5700

Syntax of Huawei S5700 port-based IP-MAC binding:

    #interface GigabitEthernet 1/0/1
    #user-bind mac-addr xxxx-xxxx-xxxx ip-addr 10.100.11.2

Other models have similar syntax.

Port-based binding in the switch is powerful, but it’s rather complicated to set up and maintain, especially when you have a lot of clients. IP-MAC binding in the gateway is easier to set up and also has powerful features; please check the screenshots below from WFilter NG firewall.

When configured, DHCP clients will be assigned static IP addresses; clients not matching the ip-mac binding relationship will be blocked.

With the “IPSec VPN” module in WFilter NGF, you can build a secure site-to-site VPN with a few clicks. In this post, I will demonstrate a typical usage of site-to-site IPsec VPN. Please check the diagram first. When successfully configured, A, B and C will have full access to each other. Please check the steps below.

Suppose you have 3 networks:
Headquarter A, static public ip address, LAN subnet is 192.168.10.0/24.
Branch B, PPPoE internet access, LAN subnet is 192.168.30.0/24.
Branch C, PPPoE internet access, LAN subnet is 172.16.1.0/24.

Now let me guide you to build a virtual private network (VPN) for these three locations.

1 Settings for Headquarter A

Set up the IPSec tunnel.
Enable forwarding of branches. Without this setting, branches can access the headquarter, but there is no access between branches.

2 Branch B

Set up the IPSec tunnel.
Add a routing rule to branch C: set branch C’s LAN subnet as “Destination” and headquarter A’s public IP as “Gateway”. Without this routing rule, branch B cannot access branch C.

3 Branch C

Set up the IPSec tunnel.
Add a routing rule to branch B: set branch B’s LAN subnet as “Destination” and headquarter A’s public IP as “Gateway”. Without this routing rule, branch C cannot access branch B.

With the above steps, A, B and C are now in a virtual private network. If you don’t want access between B and C, there is no need to add the firewall and routing rules.
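The effect of each setting in the steps above can be checked with a small reachability model of the hub-and-spoke layout. This is an added example, not WFilter code: it names the gateway by site ("A") rather than by public IP, uses constructed host addresses, and treats a session as working only when both directions are routable.

```python
from ipaddress import ip_address, ip_network

# LAN subnets from the post; "A" is the headquarter hub, B and C are branches.
SITES = {
    "A": ip_network("192.168.10.0/24"),
    "B": ip_network("192.168.30.0/24"),
    "C": ip_network("172.16.1.0/24"),
}
HUB = "A"

def site_of(ip):
    """Name of the site whose LAN contains ip, or None."""
    addr = ip_address(ip)
    return next((name for name, net in SITES.items() if addr in net), None)

def one_way(src_ip, dst_ip, routes, hub_forwarding):
    """Can a packet from src_ip be delivered to dst_ip?"""
    src, dst = site_of(src_ip), site_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst or HUB in (src, dst):
        return True   # same LAN, or carried by the branch-to-hub tunnel
    # Branch to branch: the source needs a route for the destination via
    # the hub, and the hub must forward between its tunnels.
    routed = any(gw == HUB and ip_address(dst_ip) in ip_network(net)
                 for net, gw in routes.get(src, []))
    return routed and hub_forwarding

def can_talk(a_ip, b_ip, routes, hub_forwarding):
    """A session needs both directions: replies follow the far side's routes."""
    return (one_way(a_ip, b_ip, routes, hub_forwarding)
            and one_way(b_ip, a_ip, routes, hub_forwarding))

def reachability(routes, hub_forwarding):
    """Pairwise result for one constructed host per site."""
    hosts = {"A": "192.168.10.10", "B": "192.168.30.10", "C": "172.16.1.10"}
    return {x + y: can_talk(hosts[x], hosts[y], routes, hub_forwarding)
            for x, y in (("A", "B"), ("A", "C"), ("B", "C"))}

# Routing rules from steps 2 and 3: (destination subnet, gateway site).
FULL_ROUTES = {"B": [("172.16.1.0/24", "A")], "C": [("192.168.30.0/24", "A")]}

if __name__ == "__main__":
    print(reachability(FULL_ROUTES, hub_forwarding=True))    # full mesh
    print(reachability(FULL_ROUTES, hub_forwarding=False))   # B-C cut at hub
    print(reachability({"B": FULL_ROUTES["B"]}, True))       # C has no route
    print(reachability({}, True))                            # B-C isolated
```

The last case is the configuration to keep when B and C are meant to stay isolated: both branches still reach A, and neither reaches the other.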
You may have an old desktop PC sitting in a closet or somewhere. Did you know that you can still make it useful? In this guide, I will demonstrate the steps to turn your old PC into a network firewall appliance.

First, please check what you need to prepare.
1.1) an old desktop pc.
1.2) a gigabit ethernet adapter.
1.3) a usb stick.

Mount the ethernet adapter and connect the cables. There is only one onboard ethernet adapter, so I need to add another PCI adapter. The green chip on the left is the newly added ethernet adapter. Now let’s connect the cables.

Install WFilter NGF system. Now you can install WFilter NGF with your usb stick. Please check a more detailed guide at here: You shall be able to see the console upon successful installation. Set your laptop to “dynamic ip address” and open in browser, you can access the webUI to set the system up.

See what I get. The CPU is “Intel Pentium Dual CPU E2160 1.8G”, 2GB DDR2 RAM, 160G harddisk. Let’s check the performance. Wow, it can handle 200+ clients with 20K concurrent connections. Isn’t it amazing?
For more features of WFilter NGF, please check.