How To: Block sites accessed by IP Address

Silver Bullet · 03-01-2008, 05:29 PM

I have seen a couple forum topics asking about blocking sites that are accessed by it's IP address to get around the Web Filter. Well, here is how this is done using the Protocol Control module.

Click Show Settings on the Protocol Control Module.

Select the Protocol List tab

Click the green + sign to create a new rule.

You should have a new line appear green in the rules list.

In the Category cell, enter Block Access by IP

In the Protocol Cell, enter Access by IP

Check the Block and check the Log cells

In the Description Cell, enter Block requests made with IP address

In the Signature Cell, enter

Code:

(GET|POST|HEAD) [^ ]+ HTTP.*host: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b

Click Save

Now try to access a site by it's IP address. You should get a blank page and an Event should show up as blocked in the Protocol Control module's Event Log.

I have tested this and it seems to work fine. What that signature does is checks the "host" field in the request and if it contains an IP address in an http request, then it blocks it.

Have Fun enforcing the Web Filter!!

Thanks Seb for helping me fine tune it.

Silver Bullet · 03-01-2008, 07:59 PM

Edited the signature in the original post so that it should only apply to HTTP traffic.

mdh · 03-03-2008, 07:26 AM

HOT STUFF!

tcbroonsie · 03-04-2008, 09:58 AM

Thank you for sharing this tip. It works great!

MSoucy · 03-04-2008, 01:31 PM

Thank YOU!

One more step closer to only having one box for my firewall/filter

Silver Bullet · 03-04-2008, 05:11 PM

Quote:

Originally Posted by MSoucy

Thank YOU!

One more step closer to only having one box for my firewall/filter

What else is keeping you?

IA76 · 05-01-2008, 02:34 PM

Thanks. Just what I needed.

fartman · 05-06-2008, 03:47 AM

Thanks, tested in 5.10 and it works.

Ron Chandy · 05-06-2008, 05:59 AM

"WOW" silver Bullet that was great stuff. IS there a system to block email addresses also. I have started a thresd on it..

impmonkey · 05-12-2008, 12:52 PM

Thank you for this. Infact back in school I used to get around the filters by using IPs so this is great.

03-01-2008, 05:29 PM	#1 (permalink)
Silver Bullet Untangle Ninja Join Date: Sep 2007 URLs submitted: 3 Posts: 1,981	How To: Block sites accessed by IP Address I have seen a couple forum topics asking about blocking sites that are accessed by it's IP address to get around the Web Filter. Well, here is how this is done using the Protocol Control module. Click Show Settings on the Protocol Control Module. Select the Protocol List tab Click the green + sign to create a new rule. You should have a new line appear green in the rules list. In the Category cell, enter Block Access by IP In the Protocol Cell, enter Access by IP Check the Block and check the Log cells In the Description Cell, enter Block requests made with IP address In the Signature Cell, enter Code: (GET\|POST\|HEAD) [^ ]+ HTTP.host: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b Click Save Now try to access a site by it's IP address. You should get a blank page and an Event should show up as blocked in the Protocol Control module's Event Log. I have tested this and it seems to work fine. What that signature does is checks the "host" field in the request and if it contains an IP address in an http request, then it blocks it. Have Fun enforcing the Web Filter!! Thanks Seb for helping me fine tune it. Last edited by Silver Bullet; 03-01-2008 at 07:54 PM.. Reason: Edited rule*

05-06-2008, 05:59 AM	#9 (permalink)
Ron Chandy Master Untangler Join Date: Feb 2008 Posts: 117	"WOW" silver Bullet that was great stuff. IS there a system to block email addresses also. I have started a thresd on it.. __________________ No defeat is final untill you give-up trying,

03-01-2008, 07:59 PM	#2 (permalink)
Silver Bullet Untangle Ninja Join Date: Sep 2007 URLs submitted: 3 Posts: 1,981	Edited the signature in the original post so that it should only apply to HTTP traffic.

03-03-2008, 07:26 AM	#3 (permalink)
mdh Super Moderator Join Date: Aug 2007 URLs submitted: 171 Posts: 3,757	HOT STUFF!

03-04-2008, 09:58 AM	#4 (permalink)
tcbroonsie Newbie Join Date: Mar 2008 Posts: 1	Thank you for sharing this tip. It works great!

03-04-2008, 01:31 PM	#5 (permalink)
MSoucy Untanglit Join Date: Sep 2007 URLs submitted: 29 Posts: 23	Thank YOU! One more step closer to only having one box for my firewall/filter

05-01-2008, 02:34 PM	#7 (permalink)
IA76 Untanglit Join Date: Mar 2008 Posts: 13	Thanks. Just what I needed.

05-06-2008, 03:47 AM	#8 (permalink)
fartman Untanglit Join Date: Mar 2008 Posts: 26	Thanks, tested in 5.10 and it works.

05-12-2008, 12:52 PM	#10 (permalink)
impmonkey Untangler Join Date: Apr 2008 URLs submitted: 2 Posts: 87	Thank you for this. Infact back in school I used to get around the filters by using IPs so this is great.