  1. #1
    Newbie
    Join Date
    Oct 2017
    Posts
    8

    Blocking Favicon requests to local website

    I host a web site (on a non-standard port) locally.
    I'd like to be able to block remote browser requests for a favicon from my site. I provide none and the refused requests burden my web site log. I tried configuring both Untangle's (13.1) Web Filter and Application Control rules to block such requests, without success.
    As parsed by my web site log, the requests look like the examples below:

    >GET /apple-touch-icon.png HTTP/1.1
    > Host: <redacted>:<redacted>
    > Accept: */*
    > Cookie: HFS_SID_=0.285281714517623
    > User-Agent: MobileSafari/602.1 CFNetwork/811.5.4 Darwin/16.7.0
    > Accept-Language: en-ca
    > Accept-Encoding: gzip, deflate
    > Connection: keep-alive

    Other requests are similar:
    >GET /favicon.ico HTTP/1.1
    ...
    or
    >GET /apple-touch-icon-120x120-precomposed.png HTTP/1.1
    ...
    or
    >GET /apple-touch-icon-precomposed.png HTTP/1.1
    ...

    Is there a way to block favicon requests originating remotely destined for a server behind an Untangle UTM?

  2. #2
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,494

    If I understand things correctly, a session is a session regardless of where it starts. Thus the Web Filter app can work in both directions, and it might do the job via Block Site entries for each of the common favicon URL requests... but only if your site is still using HTTP, and not HTTPS. I doubt you'll be able to get random web users to trust your Untangle CA in the way needed for SSL inspection.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 13.1 to protect 700Mbits for ~400 residential college students and associated staff and faculty

  3. #3
    Newbie
    Join Date
    Oct 2017
    Posts
    8

    My guess, too, was that web filtering would be bi-directional, i.e. blocking web access requests originating from a LAN behind Untangle to sites beyond the WAN as well as blocking web access requests originating from beyond the WAN to sites behind Untangle.

    In the Web Filter, as a test, I first attempted to block on the condition "HTTP:Request File Extension => ico, png". That worked for requests from the LAN but not so the other way around. I had hoped that by adding a condition that the source interface = my WAN interface, I'd have been good to go. And yes, my site is using HTTP.

  4. #4
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,494

    Instead of using the "Rules" tab, try entries in the "Block Sites" tab with the full URL from each of the common favicon requests you've seen.

  5. #5
    Newbie
    Join Date
    Oct 2017
    Posts
    8

    That was a good idea.
    As a test, I added the entire site I host locally to the Blocked Sites list.
    Connections were still allowed coming from the Internet.
    Also, even with my site blocked, connections are allowed from the LAN, too.
    To clarify, I'm connecting to my site from a LAN host by directing its traffic through a VPN service (using Untangle's Tunnel VPN app) so as to get an external IP address, avoiding hairpinning.

    As I mentioned, my site listens on a non-standard TCP port (12345, say).
    Does the Web Filter app require server ports to be standard ports (80, 443) or pre-defined ports in order to be processed?

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,202

    Web Filter only filters on the standard ports, yes, and it doesn't care what direction the traffic flows in. The only module that does is the Spam Blocker.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Newbie
    Join Date
    Oct 2017
    Posts
    8

    Thanks. I was afraid of that.

    Not a huge deal, but the fix for my case is clumsy. I added a VLAN adapter to Untangle. Requests to my web site are port forwarded to a matching VLAN adapter on an upstream router while mapping the destination port from non-standard to TCP 80. The upstream router then maps the traffic to the hosted web site with the port changed back to its original value. Finally, I added a rule to Web Filter to block .ico and .png HTTP extension requests going through the new VLAN adapter. I'll have to wait and see if it all works.

    I guess Web Filter would be ineffective if an external HTTP proxy server is used - one that listens on port 8080 or 3128 as examples.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    22,202

    I'm not quite sure why you want Web Filter scanning ingress traffic though, historically speaking for me that doesn't end well. The Virus Blockers can and will bury your CPU if they're scanning all of your own content. So typically I use policies to direct ingress web traffic into a rack that only has firewall and IDS on it.

  9. #9
    Newbie
    Join Date
    Oct 2017
    Posts
    8

    The reason for filtering inbound HTTP traffic is as I stated: requests for favicon files cause log clog and I'd like to stop it.
    Now, I could not log those particular requests or give in and provide a favicon file. However, I think I should be able to choose a third option - block those requests - seeing how all the tools to do so appear to be available in Untangle.

    As it is, I think I may be stuck with option 4 - suck it up and suffer. My setup is not yet blocking requests for .ico and .png files.
    Inbound requests are being forwarded toward the server after translating the requested server port to TCP 80, as described above, but I'm not catching favicon requests.
    Maybe the port translation is done after Web Filter inspection and so the chance to catch favicon requests is lost.

    I'm not sure what you mean by virus blockers burying the CPU. The local web site only serves files to users. It doesn't accept anything but user credentials and requests. Over the past month, the peak CPU load (1 minute avg) was 2.67 and there were only 4 instances within that period in which CPU load exceeded 2. I'm very lightly loaded.
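
Added example, not part of any post in this thread: for the "not log those particular requests" option mentioned in post #9, a Python filter that parses request dumps in the `>`-prefixed layout quoted in post #1 and separates automatic icon probes from real requests. The sample log, the host `example.invalid`, and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Icon paths browsers probe on their own, as quoted in the first post.
ICON_PROBE = re.compile(
    r"^/(favicon\.ico|apple-touch-icon(-\d+x\d+)?(-precomposed)?\.png)$", re.I)
REQUEST_LINE = re.compile(r"^>\s*([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$")

# Constructed sample in the '>'-prefixed layout of post #1 (not real log data).
SAMPLE_LOG = """\
>GET /apple-touch-icon.png HTTP/1.1
> Host: example.invalid:12345
> User-Agent: MobileSafari/602.1 CFNetwork/811.5.4 Darwin/16.7.0
>GET /files/report.pdf HTTP/1.1
> User-Agent: Mozilla/5.0
>GET /favicon.ico?v=2 HTTP/1.1
> User-Agent: Mozilla/5.0
>GET /apple-touch-icon-120x120-precomposed.png HTTP/1.1
>GET /images/favicon.ico.png HTTP/1.1
"""

def parse_requests(text):
    """Split the dump into records with method, target and headers."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_LINE.match(line)
        if m:
            records.append({"method": m.group(1), "target": m.group(2), "headers": {}})
        elif line.startswith(">") and ":" in line and records:
            name, _, value = line[1:].partition(":")
            records[-1]["headers"][name.strip().lower()] = value.strip()
    return records

def is_icon_probe(record):
    """True for GET/HEAD of a well-known icon path; the query string is ignored."""
    path = record["target"].split("?", 1)[0]
    return record["method"] in ("GET", "HEAD") and bool(ICON_PROBE.match(path))

def split_log(text):
    """Return (records to keep, Counter of suppressed icon paths)."""
    kept, dropped = [], Counter()
    for rec in parse_requests(text):
        if is_icon_probe(rec):
            dropped[rec["target"].split("?", 1)[0].lower()] += 1
        else:
            kept.append(rec)
    return kept, dropped
```

The pattern is anchored at the site root, so a served file such as `/images/favicon.ico.png` stays in the log while the counter still records how many probes were suppressed.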
