DansGuardian Documentation Wiki

IP Addresses (Rather Than Domain Names) Problematic

A few websites use IP addresses rather than DNS names in some of their hyperlinks. (For some reason this is most often seen on webmail websites.)

These numeric hyperlinks can cause considerable grief if you have the DansGuardian 'blanket IP address' block enabled. If you examine a web page's source and see something like href="http://num.num.num.num/..." you may have a problem.

These hyperlinks usually refer to a “farm” of hosts internal to that domain. But given only a raw IP address, there's no quick, easy way to tell for sure what domain the host really belongs to, so the exceptions that work everywhere else don't cover these hosts. (Often these hosts are “unregistered”, so reverse DNS lookups always fail and can't help solve the problem.)

Fortunately it's possible to set up exceptions to eliminate these problems. Sometimes it's possible to find a unique string pattern elsewhere in the URL. In any case, you can always except hosts by their individual IP address just as you would except hosts by their DNS name.

Unique Strings

Sometimes every URL on a website that points to a host by its IP address also contains the same unique (web-wide!) string. (For example the string “securedownloads?” seems to appear in every reference to a Yahoo email attachment, yet is very unlikely to ever appear in any other URL of any website.)

Such a unique string must already appear in every problematic URL; you can't make something up or wish it were so or get the website to treat you differently or use a string that may also appear on other websites. If you can't find such a string or aren't confident it's unique, you can't use this method and should instead except individual IP addresses as described below.

If you can find such a unique string, add it to “exceptionregexpurllist”. (Remember, the regular expression is sometimes subtly different from the string you're looking for. To continue the above example, the question mark is a regular expression metacharacter and must be escaped, so the corresponding regular expression is securedownloads\?)

Individual IP Addresses

You can enter host names that are IP addresses into DansGuardian configuration files such as exceptionsitelist the same way you'd enter host names that were DNS names into those files.

You will have to put each individual address on a separate line. The “range” and “subnet” formats in the newest versions of DansGuardian cannot be used in the files that define exceptions by host (or in any other DansGuardian configuration file that may contain names as well as IP addresses).

Usually sites that use IP addresses in their hyperlinks will use a whole block of such IP addresses. Only one will appear in any one transaction, and you and your users will go nuts waiting for 'all' of them to appear. So how do you know which IP addresses to except?

Almost certainly all the IP addresses are in a “block”, either of contiguous addresses or of addresses matching a pattern. Given around five of the IP addresses, you can usually figure out what all the rest of them will be and except the whole bunch, including the ones you haven't seen yet.

Adjacent IP Addresses

Most often all the IP addresses will be an entire “subnet”, with the first three sections of the IP address the same and the fourth section varying all the way from 1 to 254 (0 and 255 are usually not assigned to an individual host).

For example if you see 65.11.181.3, 65.11.181.14, 65.11.181.82, and 65.11.181.215, add a whole bunch of lines to “exceptionsitelist” to except each of:

65.11.181.1
65.11.181.2
65.11.181.3
65.11.181.4
65.11.181.5
...
65.11.181.250
65.11.181.251
65.11.181.252
65.11.181.253
65.11.181.254

(All these individual lines together have about the same effect as the expression 65.11.181.0/24 which you can't enter into this file.)

Patterned IP Addresses

Sometimes the IP addresses will be the same few hosts out of every group, with the first two sections of the IP address the same, the fourth section being one of a small set of possibilities, and the third section covering a range. You may need to look up which IP addresses are assigned to the company to figure out where to begin and end your list.

For example, if you see 64.4.16.124, 64.4.16.250, 64.4.19.124, 64.4.19.250, 64.4.23.124, and 64.4.27.250; and you find out the range of addresses assigned to that company is 64.4.13.x through 64.4.30.x, add a whole bunch of lines like this to “exceptionsitelist”:

64.4.13.124
64.4.13.250
64.4.14.124
64.4.14.250
64.4.15.124
64.4.15.250
...
64.4.28.124
64.4.28.250
64.4.29.124
64.4.29.250
64.4.30.124
64.4.30.250
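
Typing hundreds of lines by hand invites mistakes, so the lists in "Adjacent IP Addresses" and "Patterned IP Addresses" can be generated instead. The script below is an added example, not part of the original wiki page or of DansGuardian itself; the function names are hypothetical, and the addresses in the usage comment are the page's own examples.

```sh
#!/bin/sh
# Added example: expand an address block into the one-address-per-line
# form needed for exceptionsitelist. Function names are hypothetical.

# valid_octets COUNT DOTTED: true if DOTTED is COUNT dot-separated values 0-255.
valid_octets() {
    want=$1
    case "$2" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $2
    IFS=$old_ifs
    [ $# -eq "$want" ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
}

# expand_subnet A.B.C: print A.B.C.1 through A.B.C.254 ("adjacent" case).
expand_subnet() {
    valid_octets 3 "$1" || { echo "bad prefix: $1" >&2; return 1; }
    host=1
    while [ "$host" -le 254 ]; do
        echo "$1.$host"
        host=$((host + 1))
    done
}

# expand_pattern A.B FIRST LAST "H1 H2 ...": for every third octet in
# FIRST..LAST print A.B.third.H for each listed fourth octet ("patterned" case).
expand_pattern() {
    valid_octets 2 "$1" && valid_octets 1 "$2" && valid_octets 1 "$3" &&
        [ "$2" -le "$3" ] || { echo "bad prefix or range" >&2; return 1; }
    for h in $4; do
        valid_octets 1 "$h" || { echo "bad host octet: $h" >&2; return 1; }
    done
    third=$2
    while [ "$third" -le "$3" ]; do
        for h in $4; do echo "$1.$third.$h"; done
        third=$((third + 1))
    done
}

# Usage (review the output before appending it to exceptionsitelist):
#   expand_subnet 65.11.181
#   expand_pattern 64.4 13 30 "124 250"
```

Subnet notation such as 65.11.181.0/24 is rejected as an argument, matching the restriction on what the exception file accepts.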