D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: silica on January 26, 2010, 01:46:51 AM
-
Hi, after a DFL-210 RESET, and only setting up some URLs to block, I noticed that HTTPS sites don't work at all. No eBay sign in, no Gmail, Hotmail, etc. What could be causing this? It's all default except for some URLs blocked, like facebook, etc.
Regards
Robert
-
Do you get a blocked message or nothing at all?
What is the first rule in your IP rule list which would apply to HTTPS based on source interface and network, destination interface and network, and service?
-
Show your LAN->WAN rules and especially - your used HTTP ALG options.
-
I have the same problem. There is no blocked message; it only keeps loading and then stops, like there is no internet service. Everything is at default; only blocking facebook causes the loss of HTTPS and SMTP. Any help here, please?
-
Same question from you - same question to you - show your LAN->WAN rules and especially your used HTTP ALG options.
-
It is by default, I changed nothing in it. All I did was create an HTTP ALG and add facebook to the blacklist, then I used it in the all_tcp service. I changed nothing in the IP rules; nothing is changed, it is all by default.
If you reset the DFL-210, then the WAN is a DHCP client and everything will work perfectly: all web sites and all SMTP/POP services are working.
Then create an ALG and name it blacklist, add a URL in it, block *.facebook.com/* in it, and press OK.
Then use this (blacklist) ALG in the all_tcp service.
Save and activate without changing anything in the IP rules, so it is still the default configuration.
The result is:
1- facebook is BLOCKED, good news
2- all HTTPS web sites are not working (they do not appear blocked)
3- all SMTP is not working, also POP (it does not look blocked either)
4- all HTTP web sites work except those I blocked (facebook in this example)
So I changed nothing in the IP rules, it is all by DEFAULT (you can test that on your device).
Thank you, and I hope you can give me help or a fix.
-
That is what I was trying to say earlier, you NEED a new rule with the service being HTTP and your ALG applied, do not apply ALG to all services.
-
Well, that's what I believe from the example that D-Link provides, but guess what: after I applied this ALG to the http service, or https, or the all_http service, and tried the IP rule in the example, in all services now all web sites can't load.
So if you can, tell me which service I have to apply the ALG to and then what rule I have to set.
Note: if I apply the ALG to only http without setting the IP rule, nothing will change, all web sites are working; and when I set a new rule like the D-Link example, all websites keep trying to load.
Thank you very much for your answers.
-
Now I have tried all these ways:
1- Create an ALG with facebook allowed and apply it to the http service, then set an IP rule for the http service with the right settings like the D-Link example, so all websites keep loading (Skype working)
2- On https, same
3- On all_http, same
So I have a problem with my company now because of just blocking facebook without losing SMTP and HTTPS web sites. So if anyone could help me with the right config file, I can try it on my device. I don't want any DHCP settings or any kind of configuration; WAN is a DHCP client and BLOCK FACEBOOK.
CAN ANYONE TRY IT? IT IS NOT WORKING FOR ME. I KNOW IT IS SIMPLE BUT IT IS NOT WORKING.
I hope anyone who has it working can send me the config file or just the right settings.
Thank you so much, and forgive me if I am stupid.
-
From a factory default DFL-210 running 2.26.00, the script below works for me.
add ALG ALG_HTTP new_http_alg Antivirus=Disabled FailModeBehavior=Allow RemoveActiveX=No RemoveApplets=No RemoveCookies=No RemoveScripts=No WebContentFilteringMode=Disabled
cc ALG ALG_HTTP new_http_alg
add ALG_HTTP_URL URL=*.facebook.* Action=Blacklist
cc
add Service ServiceTCPUDP new_http DestinationPorts=80 SourcePorts=0-65535 ALG=new_http_alg
add IPRule Action=NAT Service=new_http SourceInterface=lan SourceNetwork=InterfaceAddresses/lannet DestinationInterface=wan DestinationNetwork=all-nets Index=1 Name=new_http
-
I'll try it tomorrow when I get into the office and I'll let you know. Thank you for your reply, and I hope it works as it works for you, for both HTTPS and SMTP.
Thanks again.
-
And it works for me too, thank you so much. It works perfectly, like magic. But why is the example that D-Link provides as a PDF wrong?
Thank you anyway and best regards.
-
I do not believe the PDF is wrong, I think it is just confusing.
-
I think all the PDFs from D-Link are crap; for that matter it is better without PDFs. They can't even write a PDF properly step by step... This forum is much better, all help has been very good.
Next time it won't be a D-Link I'll sell to any company.
-
I think PDFs are a great and, most importantly, FREE help to understand how to get the benefits of NetDefend firewalls.
To attain good skill managing any platform you have to dedicate hours of study and practice.
D-Link offering these documents for free is an added value; other brands rely only on expensive and exclusive certification programs to get even basic skills.
Unfortunately, in Colombia 20 hours of basic dti D-Link certification cost the same as 80 hours of Cisco CCNA, which makes it unprofitable; a Cisco certification is weighted better on a curriculum than a D-Link certification.
-
I am sorry you don't like the PDFs, I wish you the best of luck in the future.
Also while discussing configuration resources the FAQs on http://support.dlink.com tend to be a little easier to follow if the PDFs are a little too abstract or not verbose enough for you.
If you are having the opposite problem and need to know the technical aspects of ANY given command the manual and CLI manual are VERY VERY specific. This is why they would use a solid ream of paper if printed (I know I have a copy of them that was printed).
If we still aren't addressing your documentation needs then drop a line in the thread stickied at the top of this board asking for documentation requests. The people who write the FAQs for this product do check that board, though given the complete lack of interest from customers, they may give it up.
As for this specific issue, the problem tends to be that people don't consider rule order, which is why my script made the HTTP ALG rule the first one.
-
I'm exactly one step past this post. The filter works perfectly with this setup. However, if you type https://www.facebook.com it allows access to the site because the http_new only specifies port 80. If you include port 443 in there, all secure sites become blocked. Everything. If it has an https prefix to the address, the page will not load.
Any ideas?
-
I just posted a response to your issue in another thread. In the future, try to keep your issue on a single thread for ease of management and following your particular issue.
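-
Added example, not part of the forum thread: a toy Python model of the behaviour the posters report, comparing the HTTP ALG attached to all TCP ports, a port-80 ALG rule placed first, the same rule placed last, and an ALG rule covering ports 80 and 443. The ALG logic (it can only judge a plaintext HTTP request and stalls on anything else), the rule name lan_to_wan and the sample bytes are assumptions made for illustration, not D-Link code.

```python
from fnmatch import fnmatchcase

METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def http_alg(first_bytes, blacklist):
    """Toy HTTP ALG (assumed behaviour): it can only judge a plaintext HTTP request."""
    if not first_bytes.startswith(METHODS):
        return "stalled"  # TLS ClientHello, or SMTP/POP3 where the server talks first
    lines = first_bytes.decode("latin-1").split("\r\n")
    path = lines[0].split(" ")[1]
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), "")
    url = (host + path).lower()
    return "blocked" if any(fnmatchcase(url, p) for p in blacklist) else "allowed"

def evaluate(rules, port, first_bytes):
    """First matching rule wins, as in an ordered IP rule list."""
    for _name, ports, blacklist in rules:
        if port in ports:
            return "allowed" if blacklist is None else http_alg(first_bytes, blacklist)
    return "dropped"

# Constructed sample flows: (destination port, first bytes sent by the client)
FLOWS = {
    "http facebook": (80, b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    "http other": (80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    "https": (443, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"),  # TLS record start
    "smtp": (25, b""),  # client waits for the server banner
}
BL = ["*.facebook.*"]          # pattern from the script in the thread
ANY = range(0, 65536)
# (rule name, destination ports, ALG blacklist or None); lan_to_wan is a hypothetical name
CONFIGS = {
    "alg_on_all_tcp": [("lan_to_wan", ANY, BL)],
    "alg_rule_first": [("new_http", {80}, BL), ("lan_to_wan", ANY, None)],
    "alg_rule_last": [("lan_to_wan", ANY, None), ("new_http", {80}, BL)],
    "alg_on_80_and_443": [("new_http", {80, 443}, BL), ("lan_to_wan", ANY, None)],
}

def outcomes(config):
    """Verdict for every sample flow under the named configuration."""
    return {name: evaluate(CONFIGS[config], port, data)
            for name, (port, data) in FLOWS.items()}

if __name__ == "__main__":
    for cfg in CONFIGS:
        print(f"{cfg:18}", outcomes(cfg))
```

In the alg_rule_first case the https flow is allowed whatever site it is for, because the port-80 ALG never sees it; that is the gap raised in the last question of the thread.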