In this section
•Rules for Traffic Monitoring and Blocking of Access
The component uses the configuration parameters specified in the [LinuxFirewall] section of the unified configuration file of Dr.Web for UNIX Mail Servers.
The section contains the following parameters:
Parameter |
Description |
|||||
|---|---|---|---|---|---|---|
LogLevel {logging level} |
Logging level of the component. If the parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used. Default value: Notice |
|||||
Log {log type} |
Logging method of the component. Default value: Auto |
|||||
ExePath {path to file} |
Component executable path. Default value: <opt_dir>/bin/drweb-firewall. •For GNU/Linux: /opt/drweb.com/bin/drweb-firewall. •For FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-firewall |
|||||
XtablesLockPath {path to file} |
Path to the iptables (NetFilter) table blocking file. If the parameter value is not specified, the /run/xtables.lock and /var/run/xtables.lock paths are checked. If the file is not found in the specified path or default paths, an error occurs upon starting the component. Default value: (not specified) |
|||||
InspectFtp {On | Off} |
Scan the data transferred over the FTP protocol. The data will be scanned on the basis of the specified rules (see below). Default value: On |
|||||
InspectHttp {On | Off} |
Scan the data transferred over the HTTP protocol. The data will be scanned on the basis of the specified rules (see below). Default value: On |
|||||
InspectSmtp {On | Off} |
Scan the data transferred over the SMTP protocol (uses the Dr.Web MailD component). The data will be scanned on the basis of the specified rules (see below). Default value: On |
|||||
InspectPop3 {On | Off} |
Scan the data transferred over the POP3 protocol (uses the Dr.Web MailD component). The data will be scanned on the basis of the specified rules (see below). Default value: On |
|||||
InspectImap {On | Off} |
Scan the data transferred over the IMAP protocol (uses the Dr.Web MailD component). The data will be scanned on the basis of the specified rules (see below). Default value: On |
|||||
AutoconfigureIptables {Yes | No} |
Enable or disable the mode of configuring the rules for the NetFilter system component via the iptables interface. Allowed values: •Yes—automatically configure NetFilter rules upon starting the component and remove them upon finishing its operation (recommended); •No—do not configure the rules automatically. The required rules must be added manually by the administrator before starting the component and removed after it finishes its operation.
Default value: Yes |
|||||
AutoconfigureRouting {Yes | No} |
The configuration mode for ip route and ip rule routing rules and policies. Allowed values: •Yes—configure routing rules and policies for ip route and ip rule when launching the component and remove them when finishing its operation automatically (recommended); •No—do not configure the rules automatically. The required rules must be added manually by the administrator before starting the component and removed after it finishes its operation.
Default value: Yes |
|||||
LocalDeliveryMark {integer | Auto} |
The <LDM> mark for packets that are redirected to the Dr.Web Firewall for Linux network socket (specified in the TproxyListenAddress parameter, see below) to intercept the connection. Allowed values: •<integer>—<LDM> mark for packets. Equals 2N, where N is an LDM bit number in the packet, 0 ≤ N ≤ 31; •Auto—allow Dr.Web Firewall for Linux to select the appropriate bit in the packet mark automatically (recommended).
Default value: Auto |
|||||
ClientPacketsMark {integer | Auto} |
The <CPM> mark for packets transferred between the client that initiates the connection and Dr.Web Firewall for Linux. Allowed values: •<integer>—<СPM> mark for packets. Equals 2N, where N is an CPM bit number in the packet, 0 ≤ N ≤ 31; •Auto—allow Dr.Web Firewall for Linux to select the appropriate bit in the packet mark automatically (recommended).
Default value: Auto |
|||||
ServerPacketsMark {integer | Auto} |
<SPM> mark for packets transferred between Dr.Web Firewall for Linux and the server that receives the connection. Allowed values: •<integer>—<SPM> mark for packets. Equals 2N, where N is an SPM bit number in the packet, 0 ≤ N ≤ 31; •Auto—allow Dr.Web Firewall for Linux to select the appropriate bit in the packet mark automatically (recommended).
Default value: Auto |
|||||
TproxyListenAddress {network socket} |
Network socket (<IP address>:<port>) on which Dr.Web Firewall for Linux receives intercepted connections. If you specify a zero port number, it is selected automatically by the system.
Default value: 127.0.0.1:0 |
|||||
OutputDivertEnable {Yes | No} |
Enable or disable the interception mode for incoming connections (i.e. connections initiated by applications on the local host). Allowed values: •Yes—intercept and process outgoing connections; •No—do not intercept or process outgoing connections.
Default value: No |
|||||
OutputDivertNfqueueNumber {integer | Auto} |
Number of the NFQUEUE queue from which Dr.Web Firewall for Linux will retrieve SYN packets that initiate outgoing connections. Allowed values: •<integer>—<ONum> queue number to monitor the SYN packets of intercepted outgoing connections in NFQUEUE; •Auto—allow Dr.Web Firewall for Linux to select an appropriate queue number automatically (recommended).
Default value: Auto |
|||||
OutputDivertConnectTransparently {Yes | No} |
Enable or disable the emulation mode for connecting to the recipient (server) using the IP address of the sender of an intercepted packet (client) for outgoing connections. Allowed values: •Yes—connect to the server using the address of the client that requested the connection instead of your own when intercepting the connection; •No—connect to the server from the Dr.Web Firewall for Linux address. As the client and Dr.Web Firewall for Linux addresses are usually the same in the outgoing connection interception mode, the default value is No. Default value: No |
|||||
InputDivertEnable {Yes | No} |
Enable or disable interception of incoming connections (i.e. connections initiated by applications on the remote host to applications operating on the local host). Allowed values: •Yes— intercept and process incoming connections; •No—do not intercept or process outgoing connections.
Default value: No |
|||||
InputDivertNfqueueNumber {integer | Auto} |
Number of the NFQUEUE queue from which Dr.Web Firewall for Linux will retrieve SYN packets that initiate incoming connections. Allowed values: •<integer>—<INum> queue number to monitor the SYN packets of intercepted incoming connections in NFQUEUE; •Auto—allow Dr.Web Firewall for Linux to select an appropriate queue number automatically (recommended).
Default value: Auto |
|||||
InputDivertConnectTransparently {Yes | No} |
Enable or disable the emulation mode for connecting to the recipient (server) using the IP address of the sender of an intercepted packet (client) for incoming connections. Allowed values: •Yes—connect to the server using the address of the client that requested the connection instead of your own when intercepting the connection; •No—connect to the server from the Dr.Web Firewall for Linux address. In the incoming connection interception mode, all traffic goes through Dr.Web Firewall for Linux, and it is possible to connect safely to the server using the fake client address. This is why the default value is Yes. Default value: Yes |
|||||
ForwardDivertEnable {Yes | No} |
Enable or disable interception of transit connections (i.e. connections initiated by applications on one remote host to applications on another remote host). Allowed values: •Yes—intercept and process transit connections; •No—do not intercept or process transit connections.
Default value: No |
|||||
ForwardDivertNfqueueNumber {integer | Auto} |
Number of the NFQUEUE queue from which Dr.Web Firewall for Linux will retrieve SYN packets that initiate transit connections. Allowed values: •<integer>—<FNum> queue number to monitor the SYN packets of intercepted transit connections in NFQUEUE; •Auto—allow Dr.Web Firewall for Linux to select an appropriate queue number automatically (recommended).
Default value: Auto |
|||||
ForwardDivertConnectTransparently {Yes | No} |
Enable or disable the emulation mode for connecting to the recipient (server) using the IP address of the sender of an intercepted packet (client) for transit connections. Allowed values: •Yes—connect to the server using the address of the client that requested the connection instead of your own when intercepting the connection; •No—connect to the server from the Dr.Web Firewall for Linux address. As there is no guarantee that in the transit connection interception mode all the traffic goes through the same host (router) on which Dr.Web Firewall for Linux is installed, to ensure the correct operation, the default value is No. If the network configuration guarantees that protected applications use the same router, the parameter can be set to Yes, and in this case, Dr.Web Firewall for Linux will always emulate the connection from the client address when connecting to servers. Default value: No |
|||||
ExcludedProc {path to file} |
White list of processes (the network activity of which is not controlled). Multiple values can be specified as a list. List values must be comma-separated and put in quotation marks. The parameter can be specified more than once in the section (in this case, all values are combined into one list). Example: Add the wget and curl processes to the list. 1.Adding values to the configuration file. •Two values per string:
•Two strings (one value per string):
2.Adding values with the drweb-ctl cfset command:
Default value: (not specified) |
|||||
UnwrapSsl {logical} |
Scan or do not scan encrypted traffic passing via SSL.
Default value: No |
|||||
BlockInfectionSource {logical} |
Block connection attempts to websites containing malicious software (belonging to the InfectionSource category). To enable blocking, the settings must comprise the following rule (see below):
Default value: Yes |
|||||
BlockNotRecommended {logical} |
Block attempts to connect to non-recommended websites (belonging to the NotRecommended category). To enable blocking, the settings must comprise the following rule (see below):
Default value: Yes |
|||||
BlockAdultContent {logical} |
Block attempts to connect to websites containing adult content (belonging to the AdultContent category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockViolence {logical} |
Block attempts to connect to websites containing graphic violence (included into the ViolenceViolence category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockWeapons {logical} |
Block attempts to connect to websites dedicated to weapons (belonging to the Weapons category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockGambling {logical} |
Block attempts to connect to gambling websites (belonging to the Gambling category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockDrugs {logical} |
Block attempts to connect to websites dedicated to drugs (belonging to the Drugs category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockObsceneLanguage {logical} |
Block attempts to connect to websites containing obscene language (belonging to the ObsceneLanguage category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockChats {logical} |
Block attempts to connect to chat websites (belonging to the Chats category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockTerrorism {logical} |
Block attempts to connect to websites dedicated to terrorism (belonging to the Terrorism category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockFreeEmail {logical} |
Block attempts to connect to websites of free email services (belonging to the FreeEmail category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockSocialNetworks {logical} |
Block attempts to connect to social networking websites (belonging to the SocialNetworks category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockDueToCopyrightNotice {logical} |
Block attempts to connect to websites that were added according to copyright holder requests (belonging to the DueToCopyrightNotice category). To enable blocking, the settings must comprise the following rule (see below):
Default value: Yes |
|||||
BlockOnlineGames {logical} |
Block attempts to connect to online gaming websites (belonging to the OnlineGames category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockAnonymizers {logical} |
Block attempts to connect to anonymizer websites (belonging to the Anonymizers category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockCryptocurrencyMiningPools {logical} |
Block attempts to connect to websites combining users to mine cryptocurrencies (belonging to the CryptocurrencyMiningPool category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockJobs {logical} |
Block attempts to connect to job search websites (belonging to the Jobs category). To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
Whitelist {domain list} |
White list of domains (domains allowed for connection, even if these domains belong to blocked categories of web resources. In addition, user access is allowed to all subdomains of the domains from this list). The values on the list must be separated with commas (each value put in the quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list). Example: Add domains example.com and example.net to the list. 1.Adding values to the configuration file. •Two values per string:
•Two strings (one value per string):
2.Adding values with the drweb-ctl cfset command:
Default value: (not specified) |
|||||
Blacklist {domain list} |
Black list of domains (i.e. the domains forbidden for connection, even if these domains do not belong to blocked categories of web resources. In addition, user access will be forbidden to all subdomains of the domains from this list). The values on the list must be separated with commas (each value put in the quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list). Example: Add domains example.com and example.net to the list. 1.Adding values to the configuration file. •Two values per string:
•Two strings (one value per string):
2.Adding values with the drweb-ctl cfset command:
Default value: (not specified) |
|||||
ScanTimeout {time interval} |
Timeout for scanning one file initiated by SpIDer Gate. Allowed values: from 1 second (1s) to 1 hour (1h). Default value: 30s |
|||||
HeuristicAnalysis {On | Off} |
Enable or disable the heuristic analysis for detection of unknown threats during file scanning initiated by SpIDer Gate. The heuristic analysis provides higher detection reliability, but, at the same time, increases scanning time. Action applied to threats detected by the heuristic analysis is specified as the BlockSuspicious parameter value. Allowed values: •On—enable the heuristic analysis while scanning; •Off—disable the heuristic analysis. Default value: On |
|||||
PackerMaxLevel {integer} |
Maximum nesting level for packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects which may also include packed objects and so on. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects are not scanned. The nesting level is not limited. If the value is set to 0, nested objects are not scanned. Default value: 8 |
|||||
ArchiveMaxLevel {integer} |
Maximum nesting level for archives (.zip, .rar, and so on) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned. The nesting level is not limited. If the value is set to 0, nested objects are not scanned. Default value: 8 |
|||||
MailMaxLevel {integer} |
Maximum nesting level for files of mailers (.pst, .tbb and so on) in which other files may be enclosed (and these files may also include other files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned. The nesting level is not limited. If the value is set to 0, nested objects are not scanned. Default value: 8 |
|||||
ContainerMaxLevel {integer} |
Maximum nesting for other types objects inside which other objects are enclosed (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned by the request of SpIDer Gate. The nesting level is not limited. If the value is set to 0, nested objects are not scanned. Default value: 8 |
|||||
MaxCompressionRatio {integer} |
Maximum compression ratio of compressed/packed objects (ratio between the uncompressed size and the compressed size). If the ratio of an object exceeds the limit, this object will be skipped during file scanning initiated by SpIDer Gate. The compression ratio must be no less than 2. Default value: 500 |
|||||
BlockKnownVirus {logical} |
Block incoming and outgoing data if it contains a known threat. To enable blocking, the settings must comprise the following rule (see below):
Default value: Yes |
|||||
BlockSuspicious {logical} |
Block incoming and outgoing data if it contains an unknown threat detected by the heuristic analyzer. To enable blocking, the settings must comprise the following rule (see below):
Default value: Yes |
|||||
BlockAdware {logical} |
Block incoming and outgoing data if it contains adware. To enable blocking, the settings must comprise the following rule (see below):
Default value: Yes |
|||||
BlockDialers {logical} |
Block incoming and outgoing data if it contains a dialer. To enable blocking, the settings must comprise the following rule (see below):
Default value: Yes |
|||||
BlockJokes {logical} |
Block incoming and outgoing data if it contains a joke program. To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockRiskware {logical} |
Block incoming and outgoing data if it contains riskware. To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockHacktools {logical} |
Block incoming and outgoing data if it contains a hack tool. To enable blocking, the settings must comprise the following rule (see below):
Default value: No |
|||||
BlockUnchecked {logical} |
Block incoming and outgoing data if it cannot be scanned.
Default value: No |
|||||
InterceptHook {path to file | Lua function} |
Script for processing connections in Lua or a path to the file storing this script (see the Processing connections in Lua section). If the specified file is unavailable, starting the component causes an error. Default value:
|
|
Changes made to the settings of the connection scanning do not influence the scanning of connections that have already been established by applications before making changes. If it is required to apply them to already running applications, it is necessary to force them to disconnect and then connect again, for example, by restarting these applications. |
Rules for Traffic Monitoring and Blocking of Access
In addition to the parameters listed above, the section also contains 11 sets of rules RuleSet* (RuleSet0, …, RuleSet10) which directly control traffic scanning and blocking of user access to web resources, as well as blocking downloading content from the internet. For some values in conditions (for example, IP address ranges, lists of website categories, black and white lists of web sources, etc.), there is a substitution of values loaded from text files and also extracted from external data sources via LDAP (the Dr.Web LookupD component is used). When configuring connections, all rules are checked from first to last as a single list, until the rule that triggered the ultimate resolution is found. The gaps in the rule list, if any, are ignored.
Viewing and editing of rules
List gaps, i.e. RuleSet<i> sets that do not contain rules (wherein <i> is a RuleSet rule set number), are kept for easy editing of the rules. Note that you cannot add the items other than RuleSet<i>, but you can add and remove any rule in any element of RuleSet<i>. Viewing and editing rules can be performed in any of the following ways:
•by viewing and editing the configuration file (in any text editor) (note that this file stores only those parameters which values are different from the default ones);
•via the management web interface (if installed);
•via the command-line interface—Dr.Web Ctl (drweb-ctl cfshow and drweb-ctl cfset commands).
|
If you edited the rules and made changes to the configuration file, in order to apply these changes, restart Dr.Web for UNIX Mail Servers. To do that, use the drweb-ctl reload command. |
Viewing rules using the drweb-ctl cfshow command
To view the contents of the LinuxFirewall.RuleSet1 rule set, use the command:
# drweb-ctl cfshow LinuxFirewall.RuleSet1 |
Editing the rules using the drweb-ctl cfset command (hereinafter <rule> is text of the rule):
•Replace all the rules in the LinuxFirewall.RuleSet1 set with a new rule:
# drweb-ctl cfset LinuxFirewall.RuleSet1 '<rule>' |
•Add a new rule to the LinuxFirewall.RuleSet1 rule set:
# drweb-ctl cfset -a LinuxFirewall.RuleSet1 '<rule>' |
•Remove a specific rule from the LinuxFirewall.RuleSet1 rule set:
# drweb-ctl cfset -e LinuxFirewall.RuleSet1 '<rule>' |
•Reset the LinuxFirewall.RuleSet1 rule set to the default state:
# drweb-ctl cfset -r LinuxFirewall.RuleSet1 |
When you use the drweb-ctl tool to edit the rules, enclose the text of the <rule> rule to be added with single or double quotes, and use a backward slash (\) to escape quotes within the text of the rule.
It is important to remember the following aspects of storing rules in the RuleSet<i> configuration variables:
•The conditional part and colon can be omitted when adding unconditional rules. However, such rules are always stored in the list of rules as a string ' : <action>'.
•When adding rules that contain several actions (such rules as '<condition> : <action 1>, <action 2>'), such rules will be transformed into a chain of elementary rules '<condition> : <action 1>' and '<condition> : <action 2>'.
•Rules do not allow for disjunction (logical “OR”) of conditions in the conditional part, so, in order to implement the logical “OR”, construct a chain of rules with each rule having a disjunct-condition in its condition.
To add an unconditional skipping rule (the Pass action) to the LinuxFirewall.RuleSet1 rule set, run the following command:
# drweb-ctl cfset -a LinuxFirewall.RuleSet1 'Pass' |
To remove this rule from the specified rule set, run the following command:
# drweb-ctl cfset -e LinuxFirewall.RuleSet1 ' : Pass' |
To add the rule to change a path to standard templates for connections from forbidden addresses and block these connections to the LinuxFirewall.RuleSet1 rule set, run the following command:
# drweb-ctl cfset -a LinuxFirewall.RuleSet1 'src_ip not in file("/etc/trusted_ip") : set http_template_dir = "mytemplates", Block' |
This command adds two rules to the specified rule set, so, in order to remove these rules, run these two commands:
# drweb-ctl cfset -e LinuxFirewall.RuleSet1 'src_ip not in file("/etc/trusted_ip") : set http_template_dir = "mytemplates"' |
To add such rule as “Block if a KnownVirus malicious object or a URL from the Terrorism category is detected” to the LinuxFirewall.RuleSet1 rule set, add the following two rules:
# drweb-ctl cfset -a LinuxFirewall.RuleSet1 'threat_category in (KnownVirus) : Block as _match' |
To remove them from the set of rules, run two commands, as shown in the example above.
Default set of rules
By default, the following set of rules for blocking is specified:
RuleSet0 = |
The first rule indicates that if the connection is established by the process specified in the ExcludedProc parameter (see above), the connection is skipped without checking any other conditions. The next rule (executed without any condition) disables unwrapping of protected connections. This and all the rules below are analyzed only if the connection is not associated with the excluded process. Moreover, as all subsequent rules depend on the protocol type, if unwrapping of protected connections is disabled and the connection is secure, the rules are not executed because it is impossible to define whether the conditions evaluate to true.
The following five rules regulate processing of outgoing HTTP connections:
1.If the host to which a connection is established is included in a black list, the connection is blocked without performing other checks.
2.If the host is included in a white list, the connection is skipped without performing other checks.
3.If a URL requested by the client belongs to a category of unwanted web resources, the connection is blocked without performing other checks.
4.If the response received from a remote host via HTTP contains a threat belonging to the blocked categories, the connection is blocked without performing other checks.
5.If the data transferred from the local host to a remote host contains a threat belonging to the blocked categories, the connection is blocked without performing other checks.
These five rules are triggered only if On is specified in the InspectHttp parameter. Otherwise, none of these rules is triggered.
The following six rules specified in RuleSet9 control the scanning of data sent and received via email protocols (SMTP, POP3 or IMAP); these rules are triggered in the following cases:
•the message contains attachments;
•the message contains a URL belonging to blocked categories;
•the message is qualified as spam with the spam index of no less than 0.8.
If the message is transmitted via the SMTP protocol, an action blocking the transmission (i.e. sending or receipt) of the message is applied, whereas, in case of the IMAP and POP3 protocols, the message is processed such that malicious contents is removed (“repackaging”).
|
If the Dr.Web Anti-Spam component for scanning of an email message for signs of spam is unavailable, scanning of email messages for signs of spam is not performed. In this case, rules that contain analyzing of a spam level (the total_spam_score variable) are unavailable. |
Note that email processing rules are executed only if On is specified for the corresponding Inspect<EmailProtocol> parameters. Otherwise, none of these rules are executed. Moreover, the Dr.Web MailD component for email scanning is required for the examination of transmitted email messages for malware attachments and signs of spam. If the component is not installed, transmitted email will be blocked because of the error “Unable to check”. To allow transmitting messages that cannot be checked, set the BlockUnchecked parameter to No (see above). Moreover, if the email scanning component is not installed, it is recommended to specify No for the InspectSmtp, InspectPop3, and InspectImap parameters.
Examples of rules for traffic monitoring and blocking of access
1.Allow users with IP addresses in the range of 10.10.0.0–10.10.0.254 an access via HTTP to websites of all categories, except Chats:
protocol in (HTTP), src_ip in (10.10.0.0/24), url_category not in (Chats) : Pass |
Note that if the rule:
protocol in (HTTP), url_host in "LinuxFirewall.Blacklist" : Block as BlackList |
is allocated on the list of rules above the indicated rule, then access to domains from the black list, i.e. domains listed in the LinuxFirewall.Blacklist parameter, will also be blocked for users with IP addresses in the range of 10.10.0.0–10.10.0.254. And if this rule is allocated below, users with the IP addresses in the range of 10.10.0.0–10.10.0.254 will also get access to websites from the black list.
Since the Pass resolution is final, no more rules are checked, therefore scanning of the downloaded data for viruses is not performed either. To grant users with IP addresses the range of 10.10.0.0–10.10.0.254 access to websites of all categories, except Chats, if they are not on the black list, and to block downloading of threats at the same time, use the following rule:
protocol in (HTTP), url_category not in (Chats), url_host not in "LinuxFirewall.Blacklist", threat_category not in "LinuxFirewall.BlockCategory" : Pass |
2.Do not perform scanning of contents of video files downloaded from the internet (i.e. data of the “video/*” MIME type, where * corresponds to any type of the video MIME class):
direction response, content_type in ("video/*") : Pass |
Note that the files uploaded from the local computer (including those of the 'video/*' MIME type) will be scanned because they are sent in requests, and not in responses, i.e. the direction variable has the request value for them.