
How to drop all traffic except 2 internet-facing URLs.


Rakesh Jha


I am new and have set up content switching where only 2 sites are allowed from server/workstation devices.

I have created a pattern set of the URLs which should open; then a new responder policy was created with the following syntax and the action DROP:

HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).CONTAINS_ANY("Blocklist") || HTTP.REQ.URL.CONTAINS_ANY("Blocklist")

 

But the client device is opening all sites except the Blocklist site... Can someone please advise me what syntax should be set up based on my requirement?

Much appreciated for your swift response.

 

Link to comment
Share on other sites

First, your "blocklist" above is actually the whitelist: the list of sites to allow, so that anything NOT on the whitelist will be blocked.

Responder blocks traffic when the expression is TRUE.

 

Quick Boolean Logic recap:

For the compound expression A || B, the opposite is either

!(A || B) 

or

!A && !B

 

Bottom line: responder will trigger when the policy is true, and will block traffic.

To block stuff not on the whitelist, you need the negation of the things you know you don't want to block.

Renaming the allowed-URLs patset to "whitelist" below, but you can keep your original name; it is just confusing:

 

The opposite of:

HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).CONTAINS_ANY("whitelist") || HTTP.REQ.URL.CONTAINS_ANY("whitelist")

is either:

!(HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).CONTAINS_ANY("whitelist") || HTTP.REQ.URL.CONTAINS_ANY("whitelist"))

or

!HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).CONTAINS_ANY("whitelist") && !HTTP.REQ.URL.CONTAINS_ANY("whitelist")

 

To confirm:

If urlA is in whitelistA or whitelistB (just to illustrate the concept),

the expression for the responder policy will be FALSE and no responder hit will occur.

If urlC appears in neither whitelist phrase, then:

!(false) && !(false) == true:  policy hit occurs and traffic is blocked.

 

Link to comment
Share on other sites

@YRhonda Rowland, yeah, you are right, I am whitelisting sites... so your syntax is good and long, but I have not understood it well even though you explained it so well... so my problem..

Are there any sites which can help me build these Boolean rules? Thanks again!

Link to comment
Share on other sites

5 hours ago, Rakesh Jha said:

so my problem..

Are there any sites which can help me build these Boolean rules?

 

It's just the way logic works. The easiest thing for negations like this is to write a true/false table and confirm that what you want to do is what is happening. Or test the set of URLs to make sure you get the results you want.

https://en.wikipedia.org/wiki/Boolean_algebra

https://www.i-programmer.info/babbages-bag/235-logic-logic-everything-is-logic.html

 

But a much shorter version of all that:

A && B == true, when A=true and B=true.  If either is false, the clause is false.

A || B == true, when A or B are true (or both). It is only false, if both expressions are false.

!A == true, only when A is false.  (read: not A).  So when A is false, NOT(A) is true.

For compound expressions, you have to negate the &&  to || (and to or) or the || to && (or to and): 

!(A||B) is equivalent to !A && !B.  Gives same truth result as the opposite of the A||B truth table.  Will match everything except for what is on either A || B.

!(A&&B) is equivalent to !A || !B.  Gives same truth result as the opposite of the A&&B truth table. 

 

I've attached my "thought process" and a truth table example of one blacklist scenario and one whitelist to help illustrate how the logic works.  But if that doesn't work, just test it.

 

At the end of the day, you can also test to verify by breaking the scenarios into:

1) test a URL on the whitelistA, and make sure it is allowed (no policy hit occurs)

2) test a URL on the whitelistB, and make sure it is also allowed (no policy hit occurs)

3) You can even test a URL on both lists, but it should still be allowed

4) Then any URL not on either list is blocked.

 

Hope this helps.

 

responder_whitelist_logic.docx

Link to comment
Share on other sites
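The truth-table check described in the post above, as an added example that is not part of the thread: it models the two clauses of the whitelist expression (A = HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).CONTAINS_ANY("whitelist"), B = HTTP.REQ.URL.CONTAINS_ANY("whitelist")) in Python, evaluates the original A || B rule and its negation !A && !B over constructed test URLs, and confirms that !(A || B) and !A && !B agree row for row. The patset contents, the test URLs and the way HTTP.REQ.HOSTNAME (host plus optional port) and HTTP.REQ.URL (path plus query) are derived from a full URL are assumptions made for the example.

```python
"""Added example (not from the thread): evaluate the whitelist responder
expression against sample URLs and print a truth table.

Assumptions: the patset "whitelist" holds the two constructed hostnames below;
HTTP.REQ.HOSTNAME is modelled as the URL's host[:port] and HTTP.REQ.URL as the
path plus query string.
"""
from urllib.parse import urlsplit

# Constructed sample patset (stands in for the "whitelist" patset in the post).
WHITELIST = ("intranet.example.com", "portal.example.com")


def contains_any(text: str, patset) -> bool:
    """CONTAINS_ANY: true if any pattern occurs as a substring of text."""
    return any(p in text for p in patset)


def split_request(url: str):
    """Return (HTTP.REQ.HOSTNAME, HTTP.REQ.URL) for a full URL."""
    parts = urlsplit(url)
    req_url = parts.path or "/"
    if parts.query:
        req_url += "?" + parts.query
    return parts.netloc, req_url


def clause_a(url: str) -> bool:
    """HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).CONTAINS_ANY("whitelist")"""
    host, req_url = split_request(url)
    return contains_any(host + req_url, WHITELIST)


def clause_b(url: str) -> bool:
    """HTTP.REQ.URL.CONTAINS_ANY("whitelist")"""
    _, req_url = split_request(url)
    return contains_any(req_url, WHITELIST)


def original_rule(url: str) -> bool:
    """A || B: the rule from the first post. TRUE means a responder hit, i.e. DROP."""
    return clause_a(url) or clause_b(url)


def whitelist_rule(url: str) -> bool:
    """!A && !B (same as !(A || B)): TRUE, i.e. DROP, only when neither clause matches."""
    return (not clause_a(url)) and (not clause_b(url))


def truth_table(urls):
    """One row per URL: both clauses, both compound forms and the verdict."""
    rows = []
    for url in urls:
        a, b = clause_a(url), clause_b(url)
        rows.append({
            "url": url,
            "A": a,
            "B": b,
            "A || B": a or b,
            "!(A || B)": not (a or b),
            "!A && !B": (not a) and (not b),
            "dropped": whitelist_rule(url),
        })
    return rows


# Constructed test URLs covering the four checks listed in the post, plus one
# that shows what a substring match on the URL lets through.
TEST_URLS = (
    "http://intranet.example.com/",                        # 1) on the whitelist -> allowed
    "https://portal.example.com/login?next=/home",         # 2) on the whitelist -> allowed
    "https://portal.example.com/sso/intranet.example.com", # 3) matches both clauses -> allowed
    "http://www.example.org/",                             # 4) not on the list -> dropped
    "http://evil.example.net/?u=portal.example.com",       # whitelisted name in the query -> allowed
)

if __name__ == "__main__":
    for row in truth_table(TEST_URLS):
        print(row)
```

Two things the table makes visible that the prose does not: clause B is implied by clause A (any substring of the URL is also a substring of hostname plus URL), so the second clause never changes the verdict; and because CONTAINS_ANY is a substring test, the last row (a request to evil.example.net whose query string merely contains "portal.example.com") is allowed. A whitelist that is meant to pin hostnames should test HTTP.REQ.HOSTNAME on its own with an exact or suffix operator rather than CONTAINS_ANY over the whole URL.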


add policy patset ps_hostblacklist

bind policy patset ps_hostblacklist microsoftonline-p.com

bind policy patset ps_hostblacklist <otherhosts>

(bind any other patterns for hostnames you require.)

 

add responder policy rs_pol_drop_bypatset http.req.header("host").set_text_mode(ignorecase).contains_any("ps_hostblacklist") DROP

(DROP, RESET and NOOP are the built-in responder actions; the policy also has to be bound before it evaluates anything, for example globally:)

bind responder global rs_pol_drop_bypatset 100 END -type REQ_DEFAULT

 

 

Pattern sets are evaluated using the "_any" operators: equals_any(), contains_any(), startswith_any(), endswith_any(), etc.

Your URL is actually a host name, so I adjusted the policy to filter on items with a partial match on the hostname. You don't need the *., but you could adjust the expression to use endswith_any vs contains_any as needed.

 

I did this freehand so you might have to adjust for missing quotes or minor syntax errors.

 

Link to comment
Share on other sites
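The four "_any" operators from the post above, as an added example that is not part of the thread: it reimplements equals_any, contains_any, startswith_any and endswith_any with set_text_mode(ignorecase) semantics in Python, runs the same Host-header policy through each of them, and adds a hostname-aware match (exact name or subdomain, port stripped) for comparison. The patset contents and the sample Host values are constructed; the raw Host header is used as-is, port included, which is how HTTP.REQ.HEADER("Host") presents it.

```python
"""Added example (not from the thread): how the patset "_any" operators behave
on a Host header with set_text_mode(ignorecase), and why contains_any is a
partial match.

Assumptions: the patset ps_hostblacklist holds the constructed entries below;
the Host header is used verbatim, so it may carry a port.
"""

# Constructed patset (the post's ps_hostblacklist has one real entry; the
# second stands in for <otherhosts>).
PS_HOSTBLACKLIST = ("microsoftonline-p.com", "otherhost.example")


def _mode(text: str, ignorecase: bool) -> str:
    """set_text_mode(ignorecase): fold case before comparing."""
    return text.lower() if ignorecase else text


def equals_any(text, patset, ignorecase=False):
    t = _mode(text, ignorecase)
    return any(t == _mode(p, ignorecase) for p in patset)


def contains_any(text, patset, ignorecase=False):
    t = _mode(text, ignorecase)
    return any(_mode(p, ignorecase) in t for p in patset)


def startswith_any(text, patset, ignorecase=False):
    t = _mode(text, ignorecase)
    return any(t.startswith(_mode(p, ignorecase)) for p in patset)


def endswith_any(text, patset, ignorecase=False):
    t = _mode(text, ignorecase)
    return any(t.endswith(_mode(p, ignorecase)) for p in patset)


OPERATORS = {
    "equals_any": equals_any,
    "contains_any": contains_any,
    "startswith_any": startswith_any,
    "endswith_any": endswith_any,
}


def responder_hit(host_header: str, op: str, patset=PS_HOSTBLACKLIST) -> bool:
    """http.req.header("host").set_text_mode(ignorecase).<op>("ps_hostblacklist")"""
    return OPERATORS[op](host_header, patset, ignorecase=True)


def compare_operators(hosts, patset=PS_HOSTBLACKLIST):
    """The same policy evaluated four ways, one dict per Host value."""
    return {h: {op: responder_hit(h, op, patset) for op in OPERATORS} for h in hosts}


def host_in_domains(host_header: str, domains=PS_HOSTBLACKLIST) -> bool:
    """Hostname-aware match: the domain itself or a subdomain of it, with any
    port removed first. Equivalent to equals_any on "example.com" OR
    endswith_any on ".example.com" (two patsets, or one with both forms)."""
    host, _, port = host_header.rpartition(":")
    if not port.isdigit():        # no port (also covers a bare IPv6 literal)
        host = host_header
    dotted = tuple("." + d for d in domains)
    return equals_any(host, domains, True) or endswith_any(host, dotted, True)


# Constructed Host header values.
SAMPLE_HOSTS = (
    "microsoftonline-p.com",                  # exact
    "Login.MicrosoftOnline-p.com",            # subdomain, mixed case
    "microsoftonline-p.com.attacker.example", # listed name as a prefix only
    "notmicrosoftonline-p.com",               # listed name as a suffix only
    "microsoftonline-p.com:8443",             # exact name plus port
    "www.example.org",                        # unrelated
)

if __name__ == "__main__":
    for host, result in compare_operators(SAMPLE_HOSTS).items():
        print(host, result, "domain match:", host_in_domains(host))
```

Running it shows where each operator is loose: contains_any fires on every sample except www.example.org, including the attacker-controlled prefix and suffix lookalikes; endswith_any on the bare name still accepts "notmicrosoftonline-p.com" and misses the exact name once a port is present; equals_any misses every subdomain. For a deny list that is a nuisance, for an allow list it is the difference between pinning a host and matching any host that happens to contain the string.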
