Syntax for Web Rules for Use in Safetynet4

SYNTAX FOR WEB RULES FOR USE IN SAFETYNET4

(Taken from Safety Net4.0 Help files 12/01/2011)

CONTENTS

Introduction...... 1

Domain rules...... 2

Host rules...... 2

Wildcard rules...... 3

Host name wildcard rules...... 3

Qualified wildcard rules...... 3

How to permit/deny access to an entire website...... 4

How to permit/deny access to a particular folder in a website...... 4

How to permit/deny access to a particular page in a website...... 5

How to permit/deny access to a particular file in a website...... 5

How to permit/deny access to URLs that contain a particular term or character string...... 6

How to permit/deny access to URLs that contain a particular term, character string or something similar...... 6

How to permit/deny access to URLs that contain a particular term in the host name or domain name...... 7

How to permit/deny access to URLs on a particular website where the path contains a particular term...... 7

How to permit/deny downloads of a particular file type from any website...... 8

How to permit/deny downloads of a particular file type from a particular website...... 8

INTRODUCTION

Web rules check for matches against URLs that users attempt to access. If a match is found then the relevant action (permit or deny) is taken. There are essentially three types of web rule:  Domain rule: If you know the domain name that you want to deny or permit, you can set a domain rule.  Host rule: This is very similar to a domain rule but it includes an entire host name.  Wildcard rule: If you don't know the precise host name or domain name that you want to deny or permit, you can use wildcards.

Note: All web rules are case insensitive. That is, it does not matter whether you enter terms in upper case or lower case, or a mixture of the two; the effect will be the same. In this Help, we show all example rules in lower case. DOMAIN RULES

In a domain rule you simply enter the domain name that you want to permit or deny. The rule will check for the presence of this domain name within the URL that the user is trying to access. It will deny or permit all URLs where the specified domain name appears immediately before the first single slash / in the URL.

Here are some examples of domain rules:

toyshop.com boyfriend.co.uk downloadmusic.net, org.uk

You can also include a full or partial path in a domain rule, and SWGfL Filtering will look for a match against the domain name followed by as much of the path as you provide. This enables you to permit or deny access to a particular folder, page or file. Here are some examples:

toyshop.com/shop boyfriend.co.uk/links/messages.htm gameshop.net/catalogue.pdf

HOST RULES

In a host rule you simply enter the host name that you want to permit or deny. The rule will check for the presence of this host name within the URL that the user is trying to access.

Note: SWGfL Filtering cannot actually distinguish between domain rules and host rules. It does not need to do so as both types of rule operate in exactly the same way. SWGfL Filtering checks backwards from the first slash character / in the URL, and if it finds a match against a domain rule or host rule then the relevant permit or deny action is taken.

Here are some examples of host rules:

www.toyshop.com mail.boyfriend.com.uk share.downloadmusic.net www.myschool.org.uk

As with domain rules, you can also include a full or partial path in a host rule, and permit or deny access to a particular folder, page or file. Here are some examples:

www.toyshop.com/shop

mail.boyfriend.co.uk/links/messages.htm

www.gameshop.net/catalogue.pdf WILDCARD RULES

If you are not sure of the precise domain name or host name you want to permit or deny, or you want a more wide-ranging rule, then you can use wildcards. The wildcards you can use are ? (for a single character) or * (for a string of characters).

As soon as you include a wildcard in a rule, the entire URL will be assessed, instead of just the domain name or host name.

Wildcard rules can be very powerful, but bear in mind that they are less precise than domain and host rules, and may have a more wide-ranging effect than you intend, so you need to use them with care.

For example, the following deny wildcard rule will deny access to all websites containing the character string 'sex' in the URL:

However, the drawback of this rule is that it will also match against and deny access to URLs that contain perfectly innocent strings such as 'middlesex, 'unisex' and 'sextant'. If access to sites containing these terms is important to you, you would also need to set specific permit rules to override the deny rule, thus:

*middlesex* *unisex* *sextant*

One very useful purpose to which you can put wildcard rules is to deny access to certain file types. For example, to deny access to .m4p files, you can specify the following deny wildcard rule:

Here are some more examples of wildcard rules:

*friendspace* *e??tasy* www.????girl*

Host name wildcard rules

In a host name wildcard rule, you include wildcards in the rule but also include a colon : at the end to indicate that you only want the rule to be applied to the host name within the URL, not the entire URL. Here are some examples:

*myspace*: *e??tasy*: www.????girl.com:

Qualified wildcard rules

You can use a qualified wildcard rule to apply a wildcard rule to the path for a specified host name only. The rule consists of a host name wildcard rule immediately followed by a normal wildcard rule. If and only if a match is found with the host name is the following wildcard rule applied to the path. Here are some examples:

*google*:*sex* www.????girl.com:*jpg

Important: Domain rules and host rules must never include a wildcard. As soon as you include a wildcard in a web rule, __product treats it as a wildcard rule, and wildcard rules behave very differently from domain rules and host rules. HOW TO PERMIT/DENY ACCESS TO AN ENTIRE WEBSITE

To cover the maximum possible eventualities, it is best to create a domain rule rather than a host rule. For example, the rule below will deny or permit URLs with the domain name wargames.com appearing immediately before the first single slash character in URLs prefixed by www, downloads, mail, or anything else, and followed by any path or no path. A host rule such as www.wargames.com would only deny or permit access to URLs with the host name www.wargames.com, and would permit downloads.wargames.com, mail.wargames.com and so on.

Example rule Matches/non-matches wargames.com Matches: http://www.wargames.com http://downloads.wargames.com ftp://images.wargames.com/terror http://special.www.wargames.com/login.asp

Does not match: http://www.greatlinks.com/wargames.com/index.html http://wargames.com.net

HOW TO PERMIT/DENY ACCESS TO A PARTICULAR FOLDER IN A WEBSITE

You can deny access to a particular folder or subfolder in a website (which will deny access to all pages and files held within the specified folder) without denying access to the website as a whole. It is best to create a domain rule including the path to the relevant folder.

Example rule Matches/non-matches girlpower.com/videos Matches: http://www.girlpower.com/videos/happyslap http://downloads.girlpower.com/videos ftp://media.girlpower.com/videos/ http://special.www.girlpower.com/videos/rock

Does not match: http://www.girlpower.com/rock/videos/index.html http://girlpower.com/image HOW TO PERMIT/DENY ACCESS TO A PARTICULAR PAGE IN A WEBSITE

You can deny access to a particular page in a website without denying access to the website as a whole. It is best to create a domain rule including the path to the relevant page. Note that pages can have a variety of suffixes, including .htm, .html, .asp and .php.

Example rule Matches/non-matches girlpower.com/videos Matches: http://www.girlpower.com/videos/wild.htm http://downloads.girlpower.com/videos/wild.htm ftp://media.girlpower.com/videos/wild.htm http://special.www.girlpower.com/videos/wild.htm

Does not match: http://www.girlpower.com/videos/index.htm http://girlpower.com/videos/rock/wild.htm

HOW TO PERMIT/DENY ACCESS TO A PARTICULAR FILE IN A WEBSITE

You can deny access to a particular file in a website without denying access to the website as a whole. It is best to create a domain rule including the path to the relevant file. Any type of file can potentially be made available for download from a website, so files might have a variety of suffixes including .doc, .pdf, .mp3, .m4p, .exe, .zip, .txt and so on.

Example rule Matches/non-matches girlpower.com/videos/worldtour2009.mp4 Matches: http://www.girlpower.com/videos/worldtour2009.mp4 http://downloads.girlpower.com/videos/worldtour2009.mp4 ftp://media.girlpower.com/videos/worldtour2009.mp4 http://special.www.girlpower.com/videos/worldtour2009.mp4

Does not match: http://www.girlpower.com http://girlpower.com/videos HOW TO PERMIT/DENY ACCESS TO URLS THAT CONTAIN A PARTICULAR TERM OR CHARACTER STRING

Use a wildcard rule and specify the term or string of characters that you want to permit or deny. SWGfL Filtering will examine the entire URL for matches.

Note: You need to be careful what term you specify, otherwise you may unintentionally permit access to websites that you want to deny, or vice versa. For example, you may want to deny students access to most chatlines, as illustrated by the example below. However, you do want to permit access to a school counselling service that has a chatline. To get round this, you would also need to set up a permit rule to grant access to the school chatline, in order to override the deny rule for this particular instance only.

Example rule Matches/non-matches

*chat* Matches: http://www.chatshop.co.uk https://www.myschool.co.uk/counselling/chatline.asp ftp://mail.friendspace.com/members/chitchat.htm

Does not match: http://www.chelseahatshop.com/london/prices.htm http://klubbsvenska.charabanc.com/vintage/models.htm

HOW TO PERMIT/DENY ACCESS TO URLS THAT CONTAIN A PARTICULAR TERM, CHARACTER STRING OR SOMETHING SIMILAR

Use a wildcard rule and include one or more wildcards within the term or string of characters that you want to permit or deny. SWGfL Filtering will examine the entire URL for matches.

Note: In this type of rule, be careful about using the * wildcard in the middle of terms that you specify, as this might have a much wider scope than you intend . For example, if you specify *gam*line*, this will match with URLS containing gamblingonline, gambleline and so one, but it will also match with www.commonwealthgames.com/contacts/hotline.htm because the characters gam and line appear in this URL, though quite widely separated.

*kni?e* Matches: http://www.flickknives.com https://www.knivesonline.co.uk/shop/index.htm ftp://download.knifeparty.com/videos/streetcrimeuk.mp4

Does not match: http://www.nifeshop.com/us/catalogue.htm http://www.niterider.co.uk HOW TO PERMIT/DENY ACCESS TO URLS THAT CONTAIN A PARTICULAR TERM IN THE HOST NAME OR DOMAIN NAME

Use a wildcard rule but terminate it with a colon : to indicate that you only want to look for matches within the host name or domain name part of the URL.

*school*: Matches: http://www.torridgeschool.co.uk http://www.schoolwear.co.uk/shop/index.htm http://www.torridge.schoolcouncil.net/intro.pdf

Does not match: http://www.hazelbankla.co.uk/schools/index.htm http://www.localregister.org.uk/seaport/school_index.asp

HOW TO PERMIT/DENY ACCESS TO URLS ON A PARTICULAR WEBSITE WHERE THE PATH CONTAINS A PARTICULAR TERM

Use a qualified wildcard rule. That is, enter a host name or domain name (which may contain wildcards) followed by a colon :, so as to limit the rule to matches with this host name or domain name only, and then enter a wildcard rule to look for matches in the path.

Example rule Matches/non-matches careerprofile.co.uk:*personal* Matches: http://www.careerprofile.co.uk/workexperience/personaldetails.htm http://mail.careerprofile.co.uk/personal.asp ftp://uploads.careerprofile.co.uk/cv/yourpersonalhistory.html

Does not match: http://www.careerprofile.com/personal.htm http://www.careershop.co.uk/personalstuff.html HOW TO PERMIT/DENY DOWNLOADS OF A PARTICULAR FILE TYPE FROM ANY WEBSITE

Use a wildcard rule and specify the relevant file suffix prefixed with the wildcard *, for example *.doc, *.pdf, *.mp3, *.m4p, *.exe, *.zip or *.txt. Do not include a wildcard after the file suffix, so that SWGfL Filtering will look for URLs that terminate with the file suffix. (Note that if a URL contains the file suffix followed by a ? and dynamic information, this dynamic information is ignored - the rule still matches.)

*.mp3 Matches: http://www.musicshopuk.co.uk/tracks/track6.mp3 http://downloads.funky.com/wildandfree.mp3?lang=eng ftp://media.worldofsong.net/downloads/rockmebaby.mp3

Does not match: http://www.mp3shop.co.uk http://downloads.funky.com/wildandfree.m4p

HOW TO PERMIT/DENY DOWNLOADS OF A PARTICULAR FILE TYPE FROM A PARTICULAR WEBSITE

Use a qualified wildcard rule. That is, specify the relevant host name or domain name followed by a colon :, then specify the relevant file suffix prefixed with the wildcard *, for example *.doc, *.pdf, *.mp3, *.m4p, *.exe, *.zip or *.txt. Do not include a wildcard after the file suffix, so that SWGfL Filtering will look for URLs that terminate with the file suffix. (Note that if a URL contains the file suffix followed by a ? and dynamic information, this dynamic information is ignored - the rule still matches.)

Example rule Matches/non-matches musicshop.co.uk:*.mp3 Matches: http://www.musicshop.co.uk/tracks/track6.mp3 http://media.musicshop.co.uk/waynerocker/give_me_love.mp3?lang=eng

Does not match: http://www.leisureworld.co.uk/musicshop/mytime.mp3