Category Archives: Content Filter

WFilter deployment with gargoyle router.

1. Gargoyle Router Introduction

Gargoyle is an OpenWrt distribution which aims to be easy to use through a simplified Web interface. Gargoyle can extend your wireless router into a powerful Linux system. even if your router hardware does not support “port mirroring” function, you can also enable traffic mirroring by software mirroring.

This blog will guide you to install “port-mirroring” program in your Gargoyle router and deploy WFilter for internet monitoring and filtering. We assume you already has an Gargoyle router, if not, please check Gargoyle homepage to get the latest firmware.

2. Port-mirroring program

Port-mirroring is an open source project sponsored by IMFirewall Software, it is designed to mirror network traffic on linux systems.

2.1. Installation

For detailed installation guide, please check Port-mirroring open source packet mirroring. In this guide, let’s take linksys wrt54g router as an example.

Steps:

a). opkg update.

b). opkg install http://port-mirroring.googlecode.com/files/port-mirroring_1.3-1_12.09_brcm47xx.ipk

Because gargoyle is based on openwrt attitude adjustment 12.09 branch, we need to install the build for openwrt 12.09.

2.2. Configuration

You need to edit /etc/config/port-mirroring to set the mirroring target and mirrored source interfaces.

In this example, we choose “eth0″ wireless adapter as the mirrored source interface.

2.3. Start Port-mirroring

/etc/init.d/port-mirroring start

3. Check monitoring in WFilter

Now WFilter shall be able to monitor client computers.

How to deploy WFilter with tomato router?

The “–tee” option of iptables can mirror network packets to a target ip address. With this feature, you can deploy monitoring easily when you have an embed Linux router.

In this tutorial, we will guide you to deploy WFilter using a Tomato router(firmware version: v1.28).

1. Enable SSH login in Tomato

Enable “SSH Daemon” in “Administration” – “Admin Access”.

2. Login into your Tomato router.

Login into your Tomato router using any ssh client.

3. Enable the ipt_ROUTE module.

For “–tee” option to work, you need to enable the “ipt_ROUTE” module, which is not enabled by default.

4. Add the iptables rule for packet forwarding.

In this example, we forward packets to “192.168.1.100″.

5. List and verify iptables rules.

You can list your iptables rules to check whether this rule is successfully added.

6. Add startup script.

If you want this rule to exist after router rebooting, you need to add these two commands into the startup scripts in “Administration – Scripts”.

modprobe ipt_ROUTE

iptables -A PREROUTING -t mangle -j ROUTE –gw 192.168.1.100 –tee


7. Check your WFilter settings.

Please notice, “iptables” will not forward original mac addresses of packets. Therefore, you can not use “by mac address” monitoring mode of WFilter, use “by ip address” instead.

Done.

How to deploy WFilter free with mikrotik routerOS(ROS)?

The “packet streaming” feature in RouterOS can send network packets to a network parser for analysis. In case when you don’t have a manageable switch, you can enable this feature for WFilter to monitor and filter network computers.

In this blog, I will demonstrate you to set up WFilter free for web filtering with RouterOS.

Enable Packet Streaming

In “Tools”->”Packet Sniffer”, choose the lan interface as the sniffer interface.

Set the WFilter server ip as the streaming server

Done, now you shall be able to monitor all network computers in WFilter Free or WFilter Enterprise.

Let’s add a blocking policy to check.

First, add a blocking level.

Block web surfing

Second, apply this blocking policy to target ip range.

Check blocking

How to deploy WFilter in a VMware ESXi server?

VMware ESX and ESXi server are widely used in business networks. This document will guide you to deploy WFilter in a ESXi server to filter internet traffic of virtual systems.

In a VMware ESXi server, WFilter can work both in “Pass-by” and “Pass-through” modes. For more details about these two modes, please check: WFilter deployment modes

It is simple for WFilter to work in “Pass-by” mode in a VMware ESXi server. You simply need to install WFilter in a VMWare virtual computer and allow “Promiscuous mode” of the virtual switch. However, because WFilter can not filter UDP traffic in pass-by mode, you also need to configure udp blocking in an up-layer router/firewall. Please check: How to block certain UDP ports in router/firewall?

In this tutorial, we will introduce you to deploy WFilter in pass-through mode in a VMware ESXi server.

Deploy WFilter in pass-through mode in a VMware ESXi server.

To deploy WFilter in pass-through mode on a VMware ESXi server, following conditions are required:

  1. A virtual computer with two adapters to install WFilter.
  2. At least two virtual switches.
  3. The two adapters shall be connected to different virtual switches.

As in below figure, the wfilter server “94-wfilter-server” is connected between “vSwitch0″ and “vSwitch1″. In this topology, all virtual computers in vSwitch1 will be monitored and filtered by the WFilter server “94-wfilter-server”.

Step 1, create a new virtual switch

As in below figure, a new virtual switch with no physical adapter is created.

Step 2, connect the two adapters to different virtual switches

To bridge the virtual switches, two adapters of the WFilter server shall be connected to different virtual switches.

Step 3, allow “Promiscuous mode” of virtual switches

The virtual switches connected to the wfilter server shall be configured to accept “Promiscuous Mode”.

Now, you also need to bridge the two adapters inside the WFilter server. And the WFilter program shall be configured to work in “Pass-through mode”. Please check this document for more details: Deploy WFilter in a windows network bridge.

How to whitelist yahoo mail and hotmail websites in WFilter?

How to whitelist yahoo email and hotmail websites?


Sometimes you might want to block all websites with exception. In that case, you can enable WFilter’s “website whitelist” to do this.


However, websites can be complicated with differenet images/ad/files hosts. It will require you to whitelist several domains for a webpage to be properly loaded. For example, mail.yimg.com is also requiried for images in yahoo email.


In this topic, I will demonstrate you to identify the required domains for a website.


First, add the domain into the exception list


Second, make a visit and check real-time blocking of WFilter.


Make a visit to this website and check “real-time blocking” or “Current Activity” in WFilter, you will see several blocking events. These domains are also required for this webpage.


Add more domains into the exception list


Add more blocked domains into the exception list until the website can be properly loaded.


In this example, for hotmail and yahoo mail to work, you need to add below list:


*mail.yahoo*


*mail.yimg.com


*.live.com


*.hotmail.com


*.wlxrs.com

How to set a redirect denial page in WFilter?

Sometimes you might want to redirect blocked websites to a new URL. To do this, you need to edit WFilter denial page in source mode.

This tutorial will guide you to configure a redirect denial page in WFilter.

First, edit a blocking level

Edit a blocking level and new a denial page. Please don’t forget to list your new URL in the exception list.

Second, edit the denial page in source mode.

A javascript code is required:

<script>window.location=”http://www.yourwebsite.com/…”;</script>

Third, uncheck “view source” and click “Save” to save the settings.

Please notice, click “save” after unchecking “view source”.

Done, now all blocked web request will be redirected to the new url.

More information, please check “WFilter Enterprise”.

Other related links:

How to block UDP ports in RRAS windows server 2003?
How to block internet downloading?
How to monitor internet usage on company network?
Internet monitoring software for business
How to filter web surfing?
How to block websites and restrict internet access?
How to block HTTPS websites on my network?

Modify ESET personal firewall settings to make WFilter work.

All internet packets are required for WFilter to parse network activities. However, the ESET personal firewall blocks non-local computer network packets by default. Therefore, when the ESET personal firewall is enabled, WFilter can not monitor itself computer because other computer’s network packets are all blocked by ESET.

To make WFilter work with ESET personal firewall, you need to adjust the firewall settings.

The following example demonstrates how to configure ESET Smart Security 5.0:

1. Click “Setup” -> “Network” in ESET.

2. The filtering mode shall be “interactive filtering mode”.

3. Click “Configure rules and zones…” to set the rules.

In “Toggle detailed view of all rules” view, click “new” to creat a new rule.

The new rule is set to allow all TCP&UDP traffic. All other rules shall be disabled.

  1. Direction: Both
  2. Action: Allow
  3. Protocol: TCP & UDP
  4. Profile: For every

4. In “Advanced Personal firewall setup…”

Uncheck “Check TCP connection status” in “Packet inspection” section of “IDS and advanced options”.

Now your WFilter shall be able to work.

More information of disable ESET firewall, please check: http://kb.eset.com/esetkb/index?page=content&id=SOLN2113

WFilter 4.0 is coming.

WFilter 4.0 version will be released soon after nearly two years development.


The new version made a lot improvement and optimization of current features. Also a series of new features are added, such as “WFilter Dashboard”, “Central Management of WFilter servers”, “WFilter Local Account”, “Multi-adapter Monitoring”, and several new alert types. Below is a brief introduction to these new features:


1. WFilter Dashboard


WFilter Dashboard allow you to check the monitoring status, log storage status, system warnings from a central dashboard.



2. WFilter Servers Management


This feature enables you to manage several WFilter servers from a central localtion.



3. Default IP Policy


The “Default IP Policy” feature enables you to set different policies to different ip ranges, when a new computer found it’s default ip policy will be applied.



4. Search of Network Computers


You can use the “Search Computers” feature to search computers in your network. It’s more convenient than the passive computer finding in the old version.



5. More Alert Types


More alert types are added: disk space alert, new computer alert, ip address changing alert…



6. More Powerful Account Monitoring


WFilter’s “account monitoring” feature can integrate WFilter with your active directory. So you can deploy monitoring based on user accounts. The new version added “WFilter local accounts” feature. When you don’t have an available active directory, you also can use “WFilter local account” feature to monitor/filter by user accounts.


6.1 Integrate Active Directory





6.2 WFilter local account



7. Multi-adapters Monitoring


WFilter 4.0 can support monitoring on multiple adapters to support complicated networkings.


How to deploy internet monitoring and filtering in RRAS windows gateway?

Routing and Remote Access is a network service in Microsoft Windows Server 2008, Windows Server 2003, and Windows 2000 Server that can provides Network address translator (NAT) for connecting a private network to the Internet. An example network topology is as below:


Since all internet traffic goes through the RRAS server, it’s very simple for you to monitor and filter internet activities: “just install WFilter in this server.”


The RRAS server has two adapters: the internal NIC and external NIC, you shall be able to see two adapters in the “monitoring adapter settings” of “System Settings”->”Monitoring Settings”.


We recommend you to choose the internal NIC as the monitoring and blocking adapter, because you will be able to monitor, block and report on individual network computers.


However, if you choose the external NIC as the monitoring and blocking adapter, WFilter will treat the whole network as one computer, because the RRAS server will translate all subnet ip addresses to its public ip address.


We have noticed that some users prefer to monitor on the internal NIC to save license number, because you only need ONE 1-user license to monitor the public ip address. However, we recommend you not to do it, because this is not WFilter designed to work, and there might have an over-blocking issue for some p2p protocols.


 


More information, please check “WFilter Enterprise”.


Other related links:


How to block UDP ports in RRAS windows server 2003?
How to block internet downloading?
How to monitor internet usage on company network?
Internet monitoring software for business
How to filter web surfing?
How to block websites and restrict internet access?
How to block HTTPS websites on my network?

How to identify computers in WFilter?

WFilter can monitor and filter computers internet activities in your network. In WFilter, two monitoring modes are available: “by ip address” and “by MAC address”. In “by ip address” monitoring mode, WFilter identifies a computer based on its ip address, while it identifies a computer based on its MAC address in “by mac address” monitoring mode.

However, if computers ip addresses are not fixed in your network. You might have trouble to identify a computer to set its monitoring/blocking policy.

This tutorial will introduce you several solutions to identify computers in your network in WFilter.

1. Monitor and block by AD users

Since WFilter can be integrated with Microsoft active directory, you don’t need to face the trouble of identifying computers if you have an available AD.

With “account monitoring” enabled, you can set blocking policy based on AD users, despite which computers they are using.

Please check this document for more details about “account monitoring”: How to do monitoring based on user accounts?

2. Identify computers by MAC addresses

With “by mac address” monitoring mode, WFilter identifies a computer by its MAC address. MAC address is assigned by the manufacturer of a network interface card (NIC) and are stored in its hardware. It won’t change unless the NIC hardware is replaced.

When you set a recording policy or blocking policy to one computer in “user-computer table”, certain settings will be bound to its mac address. Even its ip address is changed, certain settings will not be lost.

However, “By MAC address” monitoring mode is only available for single-segment networks, because a computer’s mac address can not be retrieved when it’s located behind a router.

Therefore, in a single-segment network, “by mac addresses” will be a good choice if your ip addresses are dynamic.

3. Identify computers by IP addresses

If your network is multi-segments, you only can use “by ip address” monitoring mode. Therefore, we recommend you to make ip addresses static in a multi-segments network. If you want to leave the ip addresses as dynamic, the only solution left is “Monitor and block by AD users” as discussed above.

More information, please check “WFilter Enterprise”.

Other related links:

How to block internet
downloading?

How to monitor
internet usage on company networks?

Internet monitoring
software for business

How to
filter web surfing?

How to block
websites and restrict internet access?

How to block HTTPS
websites on my network?

How to setup ip-mac binding in WFilter?
How to block facebook at work of network computers?