|
Edit an Internet Filter Definition |
[Top] [Previous] [Next] | |||||||||
The chapter above, entitled "Create an Internet Filter Definition", explains how to create an Internet filter definition. This chapter shows you how to open an existing filter file for editing and describes the options in NetMan Desktop Manager for adapting URL-based and process-based filter rules.
Open an Internet filter definition for editing
To modify an Internet filter definition, open it for editing in the NetMan Center:
1. Select the filter: Click the Filter button:
2. Open the Internet Filter view: Click on Internet filter in the sidebar to open the Internet Filter view:
3. Double-click filter definition: Double-click on the desired filter definition to edit it:
The selected filter definition is opened in the Editor for Internet filter Files. For details on editing Internet filter files, see "Editor for Internet Filter Files". The following describes the options available for editing URL-based and process-based Internet filters:
Edit a URL-based Internet filter
In addition to the simple methods shown so far for permitting access to domains, the Editor for Internet Filter Files also lets you write complex sets of rules. There are certain conventions, described in the following, that must be observed to ensure that your rules produce the desired results.
Filtering FTP and HTTPS addresses presents a special case. The default setting in the Internet filter is to treat all unspecified addresses as "excluded" and block access to them. This applies to FTP and HTTPS addresses as well. These must be explicitly "permitted" if you wish to permit access to them. Due to the limitations of these protocols, however, access privileges must be enabled at the host-name level. This is why the editor for Internet Filter Files does not include a mechanism for excluding FTP and HTTPS addresses. Furthermore, when you enter these addresses, the protocol must be specifically named. Rules that permit access to an FTP address, for example, should look something like this:
The same applies for entering an HTTPS address.
Keep in mind that blacklisting an FTP address does not prevent the user from pointing the browser to that address. The files at that site, however, cannot be downloaded or opened.
The NetMan Internet filter mechanism can filter HTTP addresses on different levels:
•by explicit URL
•on the URL level
•on the host-name level
•on the domain level
This means you can permit access to a given domain and still block access to particular URLs in that domain. For example, you can permit access to the information on a given website, but block downloads from that site.
In addition to entering filter rules, you can use the "Link Images" function in the editor's browser window to write rules. This features highlights all hyperlinks, with permitted and excluded addresses indicated:
The example shows a filter file for the Internet domain of the New York Times. All hyperlinks that do not lead to another domain are automatically permitted. To activate the "Link Images" view, click on Link Images in the Ribbon. To deactivate a hyperlink, click with the mouse on the corresponding link image. This opens the Define access rules dialog:
In this example, the user is blocked from following the ad link. This is implemented on the URL level to ensure that all links of this type at this site are affected:
The image now shows that the hyperlink is blocked. The link image shows you at a glance what hyperlinks are contained on a page as well as what effects your filter file will have.
When you click on link images to define rules, the corresponding data is automatically written in the list of permitted and excluded addresses:
The list of rules is processed from top to bottom. The order in which the rules appear in this list can have significant consequences for the results of processing. For example, to permit a certain address at a site that is excluded on the host-name or domain level, the following list would not result in the desired effect:
When the browser is pointed to "nytimes.com/pages/politics/" address, the filter mechanism would first process the rule that excludes access to this host. Since the domain is already excluded, the address specified afterwards is excluded as well. The solution is to put the rules in the following order:
The "nytimes.com" call is now blocked, but the pages under "/politics" are allowed.
If neither of the methods described above is sufficient for what you need, click on the New button at the top of the Permitted/excluded address list and select Create rule using a regular expression:
Then you can enter a regular expression to define a permitted or excluded URL.
Edit a process-based Internet filter
Some applications access the Internet without calling any explicit Internet address or using any Internet protocol. You may wish to prevent this access, too, as it could open the door to unauthorized Internet access for your users. You can stop such access attempts by creating a process-based Internet filter. Unlike URL-based filter definitions, a process-based Internet filter prohibits all Internet access, including indirect access attempts that come from program processes. In your Internet filter definition, you can create rules that permit access to particular Internet addresses. To make it easier to find out which URLs you need to permit in order to ensure trouble-free execution of a given program, you can have the Editor for Internet Filter Files record all the URL calls made by that program. There are two recording modes to choose from:
•Record all Internet calls initiated by the specified program. In this case, you can also define whether child processes are included in the recording.
•Recording all processes running in your system that entail Internet activity.
To record the Internet access attempts made by a specified application, begin by creating an Internet filter for this purpose and configure it to monitor the processes of a specified executable file, either with or without its child processes. When you open the process-based Internet Filter Definition for editing, both the Editor for Internet Filter Files and the program you wish to monitor are launched. This is the test mode for process-based Internet filter definitions. Your NetMan Desktop Manager system now behaves as though the filter is actively in use. Each Internet access attempt made by the monitored program is logged in the URLs called window:
You can use these URLs to define rules in your process-based Internet filter definition that permit access to selected Internet sites. Double-click on a called URL to create a rule using all or part of the Internet address in that URL:
Keep in mind that some applications cannot launch if no Internet access is possible. We strongly recommend testing your Scripts before you activate a process-based Internet filter, to make sure your applications can execute without Internet access.
System services and system processes are not affected by the NetMan Internet Filter mechanism.
Once you have created an Internet filter and modified it as desired, it must be allocated before it can be put in active use. For details on allocating Internet filters, see "Allocate an Internet Filter".