I check my site logs pretty often to find out how people are arriving at this blog and have seen an increase in traffic that points to an exchange I had with a visitor about Vyatta blocking email attachment downloads. I wanted to post this quick entry so that people looking for a quick fix could get to this without running through the complete conversation on the other post: http://d3planet.com/rtfb/2009/11/02/vyatta-firewall-basics-and-configuration/
Here’s the quick and dirty solution:
Problem: Vyatta is blocking download of email attachments. This solution only applies if your implementation is using the web proxy and squidguard URL filtering.
Solution: Use the following commands to get Vyatta to allow URLs that call an IP address directly.
set service webproxy url-filtering squidguard allow-ipaddr-url
set service webproxy url-filtering squidguard rule XX allow-ipaddr-url
Keep reading for more info on the issue…
Reason: This is not specific to Vyatta and is a common issue / problem / feature with web proxies. Web proxies tend to block traffic based on blacklists that contain domain names. When a web proxy gets a request for a URL that uses an IP address instead of a domain name, it operates on the premise that the user may be trying to bypass the filters and blocks the request. Most web email sites give attachment download links an IP address since they are housing the files on a multitude of servers. Makes sense, right? The command above simply allows the Vyatta web proxy to return content that is requested by IP address instead of the default blocking behavior.
Keep in mind that, once this is allowed, users may be able to bypass block-lists / blacklists by doing an IP lookup on the blocked site and simply typing that into the address bar. You may still be able to block via keywords, but I just want to make sure you're aware of the immediate possibilities.
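Since allowing IP-address URLs reopens that bypass, one compensating check is to review the proxy log for requests whose host is a bare IP address and see which clients make them. The script below is an added example, not part of the original post; it assumes Squid's default native access.log layout, and the sample log lines and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method target ident peer type
SAMPLE_LOG = """\
1257200000.101     45 192.168.1.10 TCP_MISS/200 5120 GET http://203.0.113.7/attach/report.pdf - DIRECT/203.0.113.7 application/pdf
1257200001.202     30 192.168.1.10 TCP_MISS/200 900 GET http://mail.example.com/inbox - DIRECT/198.51.100.5 text/html
1257200002.303     12 192.168.1.22 TCP_MISS/200 300 CONNECT 198.51.100.9:443 - DIRECT/198.51.100.9 -
1257200003.404     80 192.168.1.22 TCP_MISS/200 700 GET http://[2001:db8::1]:8080/x - DIRECT/2001:db8::1 text/html
1257200004.505     20 192.168.1.22 TCP_MISS/200 100 CONNECT www.example.org:443 - DIRECT/198.51.100.20 -
garbage line
"""


def host_of(method, target):
    """Return the host of a request target (a URL, or host:port for CONNECT)."""
    if method == "CONNECT":
        target = "//" + target  # makes urlsplit treat host:port as the netloc
    try:
        return urlsplit(target).hostname
    except ValueError:  # e.g. malformed IPv6 brackets
        return None


def is_ip_literal(host):
    """True if host is an IPv4 or IPv6 address rather than a domain name."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ip_literal_requests(log_text):
    """Yield (client, host, target) for each request addressed by IP."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip malformed or truncated lines
        client, method, target = fields[2], fields[5], fields[6]
        host = host_of(method, target)
        if is_ip_literal(host):
            yield client, host, target


def per_client(log_text):
    """Count IP-addressed requests per client, to spot unusual volumes."""
    return Counter(client for client, _, _ in ip_literal_requests(log_text))
```

Webmail attachment downloads will show up here too, so the useful signal is a client whose IP-addressed requests go to hosts other than the mail provider's servers.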
Hope this helps people out. 🙂