Vyatta Blocking Email Download of Attachments

I check my site logs pretty often to find out how people are arriving at this blog and have seen an increase in traffic that points to an exchange I had with a visitor about Vyatta blocking email attachment downloads.  I wanted to post this quick entry so that people looking for a quick fix could get to this without running through the complete conversation on the other post: http://d3planet.com/rtfb/2009/11/02/vyatta-firewall-basics-and-configuration/

Here’s the quick and dirty solution:

Problem:  Vyatta is blocking download of email attachments.  This solution only applies if your implementation is using the web proxy and squidguard URL filtering.

Solution:  Use the following command to get Vyatta to allow IP addresses to be called directly.

set service webproxy url-filtering squidguard allow-ipaddr-url

or

set service webproxy url-filtering squidguard rule XX allow-ipaddr-url

Keep reading for more info on the issue…


Reason:  This is not specific to Vyatta; it is a common issue / problem / feature with web proxies.  Web proxies tend to block traffic based on blacklists that contain domain names.  When a web proxy gets a request whose URL uses an IP address instead of a domain name, it operates on the premise that the user may be trying to bypass the filters and blocks the request.  Most web email sites give attachment download links an IP address since they are housing the files on a multitude of servers.  Makes sense right?  The command above simply allows the Vyatta web proxy to return content that is requested by IP address instead of applying the default blocking behavior.

Keep in mind that once this is allowed, users may be able to bypass block-lists / blacklists by doing an IP lookup on the blocked site and simply typing that address into the address bar.  You may still be able to block via keywords, but I just want to make sure you’re aware of the immediate possibilities.
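One way to keep an eye on that trade-off after enabling allow-ipaddr-url is to audit the proxy log for requests made by IP address. The script below is an added example, not part of the original post or of Vyatta; it assumes the proxy writes Squid's native access.log format, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (not real traffic).
SAMPLE_LOG = """\
1257170000.123    210 192.168.1.20 TCP_MISS/200 48213 GET http://203.0.113.45/attach/get?id=91 - DIRECT/203.0.113.45 application/pdf
1257170004.518     95 192.168.1.20 TCP_MISS/200 10311 GET http://mail.example.com/inbox - DIRECT/198.51.100.7 text/html
1257170010.902    130 192.168.1.31 TCP_MISS/200 7002 GET http://198.51.100.99/ - DIRECT/198.51.100.99 text/html
1257170011.377    640 192.168.1.31 TCP_MISS/200 3980 CONNECT 198.51.100.99:443 - DIRECT/198.51.100.99 -
1257170015.040     12 192.168.1.31 TCP_DENIED/403 1400 GET http://203.0.113.80/ - NONE/- text/html
malformed line
"""

def literal_ip_host(url):
    """Return the host if the request target is an IP literal, else None."""
    # CONNECT targets are logged as host:port with no scheme.
    target = url if "://" in url else "//" + url
    try:
        host = urlsplit(target).hostname
        ipaddress.ip_address(host)  # raises ValueError for names or None
    except (ValueError, TypeError):
        return None
    return host

def ip_literal_requests(log_text):
    """Count (client, destination IP) pairs for allowed requests made by IP."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines
        client, result, url = fields[2], fields[3], fields[6]
        if result.startswith("TCP_DENIED"):
            continue  # the proxy already refused this request
        host = literal_ip_host(url)
        if host:
            hits[(client, host)] += 1
    return hits

if __name__ == "__main__":
    for (client, dest), n in ip_literal_requests(SAMPLE_LOG).most_common():
        print(f"{client} -> {dest}: {n} request(s)")
```

Destinations that show up here and are not your webmail provider's attachment servers are the ones worth checking against your blacklist categories.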

Hope this helps people out. 🙂


6 thoughts on “Vyatta Blocking Email Download of Attachments”

  1. Hi Clement, have you tried the following instead of allow-ipaddr-url?

    set service webproxy url-filtering squidguard local-ok [ip.of.mail.server]

    I’m not certain it will work, but if it does it could allow you to bypass the filtering of your legitimate webmail traffic without allowing all IP-address-based URLs and opening a hole in your URL filters.

  2. Just an update after further tests with ver. 6.1 .

    “set service webproxy url-filtering squidguard allow-ipaddr-url” works.

    “set service webproxy url-filtering squidguard rule XXX allow-ipaddr-url” doesn’t.

    “local-ok ” doesn’t work as well.
