Dear William,

The exact netperm-table details for the HTTP service are as follows:

# HTTP
netacl-httpd: permit-hosts 127.0.0.1 -policy HTTP-Trusted -exec /usr/local/etc/http-gw
netacl-httpd: permit-hosts 10.0.0.0:255.0.0.0 -policy HTTP-Trusted -exec /usr/local/etc/http-gw
netacl-httpd: permit-hosts * -policy http-plug-gw_Untrusted -exec /usr/local/etc/plug-gw -as http-plug-gw http
policy-HTTP-Trusted: permit-proxy netacl-httpd http-gw
# Level 3 Web Site Blocked
policy-HTTP-Trusted: deny-destination 206.251.29.10
policy-HTTP-Trusted: deny-destination 209.132.88.50
policy-HTTP-Trusted: deny-destination 209.54.65.54 209.54.65.4 209.54.69.3
policy-HTTP-Trusted: deny-destination 202.70.13.5
# Real Estate Web Site Blocked
policy-HTTP-Trusted: deny-destination 202.72.14.34
policy-HTTP-Trusted: deny-destination 202.72.14.76
policy-HTTP-Trusted: deny-destination 202.77.168.90
policy-HTTP-Trusted: deny-destination 202.71.250.248
policy-HTTP-Trusted: deny-destination 209.143.136.94
policy-HTTP-Trusted: deny-destination 202.135.53.169
policy-HTTP-Trusted: permit-destination *
policy-http-plug-gw_Untrusted: permit-proxy netacl-httpd

Please advise!!

Peter

-----Original Message-----
From: william.wells <[EMAIL PROTECTED]>
To: 'Peter' <[EMAIL PROTECTED]>
Date: 12 February 1999 06:09 AM
Subject: RE: Gauntlet Firewall http proxy problem

>Without seeing your configuration, let me throw out a few ideas-
>
>Netacl will do its destination checking based on what it sees at the time it
>executes. I'm assuming that you have it configured such that it "exec"s
>http-gw.
>
>If your users come in transparently, netacl will probably do its validation
>on the eventual destination's IP address since it knows that. If the proxy
>to the browser, then it will do its checks on the firewall's IP address since
>it doesn't know that the URL is going to be redirected. In this case, the
>http-gw proxy also needs to have the same destination rules since it would
>know the destination based on the URL scan.
>
>I'm also assuming that you are not using the GUI for this since the GUI
>doesn't handle netacl's with HTTP. If you are using the GUI, make sure you
>review the netperm-table text to see the interaction between the netacl's
>you add and what the GUI does; especially check for a "permit-destination *"
>somewhere.
>
>> -----Original Message-----
>> From: Peter [SMTP:[EMAIL PROTECTED]]
>> Sent: Wednesday, February 10, 1999 10:37 PM
>> To: william.wells
>> Cc: [EMAIL PROTECTED]
>> Subject: Re: Gauntlet Firewall http proxy problem
>>
>> Dear William,
>>
>> Actually, I have set destination restrictions in the netperm-table for all
>> users. Apparently, it works, but if some users set the http proxy option in
>> their browsers (IE or Netscape) to the firewall's internal IP address:80, then
>> all web pages can be accessed regardless of our http restriction.
>>
>> Do you know what I mean, and can you help me?
>>
>> Peter
>>
>> -----Original Message-----
>> From: william.wells <[EMAIL PROTECTED]>
>> To: 'Peter' <[EMAIL PROTECTED]>
>> Date: 11 February 1999 12:07 PM
>> Subject: RE: Gauntlet Firewall http proxy problem
>>
>> >This question is probably unrelated to your question. Are you setting
>> >restrictions based on the destination or source? We'd like to block ActiveX
>> >for all destinations other than Microsoft.
>> >
>> >As for your question, I'm not sure what you mean by Level 3. I've done a
>> >fair amount of configuration of the netperm-table so I might be able to help
>> >if no one else responds. I'd need to know the applicable rules though.
>> >
>> >> -----Original Message-----
>> >> From: Peter [SMTP:[EMAIL PROTECTED]]
>> >> Sent: Wednesday, February 10, 1999 7:41 PM
>> >> To: [EMAIL PROTECTED]
>> >> Subject: Gauntlet Firewall http proxy problem
>> >>
>> >> We have installed Gauntlet Version 4.1 on a Solaris machine, and we use
>> >> netacl-http instead of http. We have set an HTTP restriction for particular
>> >> hosts by denying some Level 3 destinations in the netperm-table. Apparently,
>> >> it works, but if a user sets the http proxy option in the browser to the
>> >> firewall's internal IP address:80 (port 80), then all web pages can be
>> >> accessed regardless of our http restriction.
>> >>
>> >> Can anyone help me?
>> >>
>> >> Peter

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
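The point William makes in his reply is that a netacl destination check is evaluated against the TCP destination netacl accepted the connection for, which is the firewall's own address when a browser is pointed at firewall:80 as an explicit proxy, so the deny-destination list must also be applied by the URL-aware proxy (http-gw). The following Python model, added here as an illustration and not part of the thread or of Gauntlet's own code, replays Peter's policy-HTTP-Trusted rules through both check points. Its rule parser, first-match-wins evaluation, default-deny on no match, and the internal firewall address 10.0.0.1 are all assumptions of the model, not documented Gauntlet behaviour.

```python
"""Model of the two destination checks discussed in the thread:
connection-level (netacl sees the TCP destination) and URL-level
(http-gw sees the host in the requested URL). Simplified model of
rule evaluation; it is not Gauntlet's parser."""
import ipaddress
from typing import List, Tuple

# Constructed subset of the policy-HTTP-Trusted rules posted in the thread.
TRUSTED_POLICY = """
# Level 3 Web Site Blocked
policy-HTTP-Trusted: deny-destination 206.251.29.10
policy-HTTP-Trusted: deny-destination 209.132.88.50
policy-HTTP-Trusted: deny-destination 209.54.65.54 209.54.65.4 209.54.69.3
policy-HTTP-Trusted: deny-destination 202.70.13.5
# Real Estate Web Site Blocked
policy-HTTP-Trusted: deny-destination 202.72.14.34
policy-HTTP-Trusted: permit-destination *
"""

FIREWALL_INTERNAL_IP = "10.0.0.1"  # assumed internal address of the firewall

# http-gw with no destination rules of its own: everything is allowed through.
HTTP_GW_UNRESTRICTED: List[Tuple[str, List[str]]] = [("permit", ["*"])]

Rule = Tuple[str, List[str]]


def parse_destination_rules(text: str) -> List[Rule]:
    """Return [('deny' | 'permit', [destination, ...]), ...] in table order.

    Only deny-destination / permit-destination lines are kept; comments
    (after '#') and blank lines are ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        _policy, _, rest = line.partition(":")
        fields = rest.split()
        if not fields or fields[0] not in ("deny-destination", "permit-destination"):
            continue
        action = fields[0].split("-")[0]  # 'deny' or 'permit'
        rules.append((action, fields[1:]))
    return rules


def _matches(pattern: str, host: str) -> bool:
    """Match one destination pattern: '*', addr:mask, or an exact address."""
    if pattern == "*":
        return True
    if ":" in pattern:  # addr:mask form as used in the posted table, e.g. 10.0.0.0:255.0.0.0
        addr, mask = pattern.split(":", 1)
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:  # host is a name, not an address: no match
            return False
    return pattern == host


def check_destination(rules: List[Rule], host: str) -> str:
    """First matching rule wins; no match means deny (assumed default)."""
    for action, dests in rules:
        if any(_matches(d, host) for d in dests):
            return action
    return "deny"


def evaluate_request(connect_ip: str, url_host: str,
                     netacl_rules: List[Rule], http_gw_rules: List[Rule]) -> str:
    """Run a request through both check points and report the decision."""
    # netacl only knows the TCP destination it accepted the connection for.
    if check_destination(netacl_rules, connect_ip) == "deny":
        return "deny (netacl)"
    # http-gw knows the real destination from scanning the URL.
    if check_destination(http_gw_rules, url_host) == "deny":
        return "deny (http-gw)"
    return "permit"


def demo() -> dict:
    rules = parse_destination_rules(TRUSTED_POLICY)
    blocked = "206.251.29.10"  # first address on the posted deny list
    return {
        # Transparent client: the connection itself goes to the blocked site.
        "transparent": evaluate_request(blocked, blocked, rules, HTTP_GW_UNRESTRICTED),
        # Browser proxying via firewall:80: netacl sees only the firewall address.
        "explicit_proxy_unrestricted_httpgw":
            evaluate_request(FIREWALL_INTERNAL_IP, blocked, rules, HTTP_GW_UNRESTRICTED),
        # The fix from the reply: give http-gw the same destination rules.
        "explicit_proxy_with_httpgw_rules":
            evaluate_request(FIREWALL_INTERNAL_IP, blocked, rules, rules),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The trailing permit-destination * in Peter's table is exactly what William asks him to look for: once netacl has matched the firewall's own address against it, the only remaining place the deny list can take effect is the URL-level check, so the model only blocks the proxied request when the same rules are attached to http-gw.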
